Secure and usable enterprise authentication: Lessons from the Field



Mary F. Theofanos, Simson L. Garfinkel, Yee-Yin Choong


There are now more than 5.4 million Personal Identity Verification (PIV) and Common Access Card (CAC) identity cards deployed to US government employees and contractors. These cards are widely used to gain physical access to federal facilities, but their use to authenticate logical access to government information systems has been uneven. We report the reasons for the uneven deployment and then compare the results of a 26,691-person survey within the Department of Defense (DoD) and a 4,573-person survey within the Department of Commerce (DOC) to show that the use of smart-cards for 2-factor authentication results in improved usability and security when compared with 1-factor, password-only systems. We show that these benefits extend beyond the smart cards to other systems within the organizations that solely employ password authentication. We argue that PKI token-based authentication systems, such as smartcards, are likely to provide authentication that is simultaneously more secure and more usable than other 2-factor approaches, such as combining strong passwords with cell phones or with time-based hardware identity tokens.
IEEE Security & Privacy


PIV, HSPD-12, CAC, smartcard, 2-factor authentication


Theofanos, M., Garfinkel, S. and Choong, Y. (2016), Secure and usable enterprise authentication: Lessons from the Field, IEEE Security & Privacy, [online], (Accessed April 15, 2024)
Created October 26, 2016, Updated November 10, 2018