Quick Read

Killing the CAC

Since 1999 the Common Access Card (CAC) has been the norm for service members. They use it to get onto the base, log in to military computers, access the chow hall, and do various other activities. The CAC works by inserting the card into a reader and entering the user's PIN, which is six to eight digits long. This unlocks the card's private key, which is used to prove the cardholder's identity to the system, authenticating and identifying the user in one step. Granted, there are a few fail-safes, such as the card locking after three incorrect PIN entries, but at the end of the day, the CAC is on the verge of not meeting DoD or federal standards.

Issues with the Military CAC 

The CAC is an example of basic two-factor authentication (the card plus the PIN), but as the industry works towards multi-factor authentication, the CAC has clearly fallen behind the times. While adding an extra authenticator to the CAC might work for people in day-to-day office settings, it lengthens the authentication process for those in the tactical domain, the very process we are trying to simplify.

The CAC has been the standard for so long that the industry has since created technology that far surpasses it. The industry is moving from a net-centric to a data-centric approach, and this shift is part of the call to "Kill the CAC." The new approach emphasizes protecting the data itself rather than just the network it lives on. With cyber adversaries advancing their technology as well, protecting the network is no longer enough. Zero Trust has become the authentication paradigm for next-gen cyber defense: it always assumes the network is unsafe. As technology continues to advance, the issues with the CAC are becoming more evident:

  • The card can be lost or stolen 
  • It’s not a true multi-factor authentication method 
  • Personal information stored on the card is at risk if the card is lost or stolen 
  • CAC does not fulfill DoD requirements for authentication 
  • CAC is an all or nothing authenticator: either it grants access, or not 
  • Malware exists that can compromise card-based authentication 

How ZKX Can Solve These Problems 

ZKX Solutions has developed a disruptive authentication technology, the ZKX Zero Trust MFA Engine, which delivers seamless and frictionless multi-factor authentication. ZKX is designed atop a foundation of zero-knowledge proofs, longstanding cryptographic protocols that let one party prove knowledge of a secret without revealing the secret itself. ZKX has taken these protocols and applied them to the complex issue of multi-factor authentication in zero-trust regimes, creating a ZTA-friendly authentication solution that eliminates the network's need to trust its users and the users' need to inherently trust the host network. 

ZKX relies primarily on public data to authenticate users, enabling dynamic and robust authentication even in environments surveilled by the adversary. Secret authenticating information is stored neither on the user's endpoint nor in the network's data storage, so an endpoint breach, data theft, or information leak exposes no authentication secret. ZKX solves the issues of the CAC in the following ways: 

  • Protects personal data by not storing personal information 
  • No data is at risk if the endpoint device is compromised 
  • Interoperable with various network mediums such as satellite, RF (radio frequency), and IP networks 
  • Can adapt to policy requirements 
  • Deployed following policies already in place 
  • It’s not an all-or-nothing system: confidence in a user’s identity can be raised simply by issuing continuous challenges behind the scenes. 
  • Authenticates the user and their device simultaneously 
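To make the zero-knowledge idea above concrete, here is a worked example of the classic Schnorr identification protocol, the textbook zero-knowledge proof of knowledge on which authentication schemes of this kind are built. It is example code added for this page, not ZKX's engine, and it assumes nothing about how that product works internally. It shows the three properties the text relies on: the verifier stores only public data (the group parameters and y = g^x), a recorded exchange can be forged without the secret and so reveals nothing about it, and repeating the challenge-response in the background raises the verifier's confidence. The group generator, parameter sizes and the nonce-reuse caveat at the end are assumptions of this illustration.

```python
# Schnorr zero-knowledge identification, interactive form. Example code added
# to this page; NOT ZKX Solutions' engine. Group sizes are demo assumptions:
# use 2048/256-bit parameters or an elliptic-curve group in practice.
import secrets

def is_probable_prime(n: int, rounds: int = 32) -> bool:
    """Trial division by small primes, then Miller-Rabin."""
    if n < 2:
        return False
    for sp in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % sp == 0:
            return n == sp
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def generate_schnorr_group(q_bits: int = 160, p_bits: int = 1024):
    """Return (p, q, g): primes with q | p - 1 and g of order q modulo p."""
    k_bits = p_bits - q_bits
    while True:
        q = secrets.randbits(q_bits) | (1 << (q_bits - 1)) | 1
        if not is_probable_prime(q):
            continue
        for _ in range(8 * p_bits):  # search for a prime p = k*q + 1
            k = (secrets.randbits(k_bits) | (1 << (k_bits - 1))) & ~1
            p = k * q + 1
            if p.bit_length() == p_bits and is_probable_prime(p):
                g = pow(secrets.randbelow(p - 3) + 2, k, p)  # order q unless 1
                if g != 1:
                    return p, q, g

def verify(grp, y, t, c, s) -> bool:
    """Verifier's check: t in the order-q subgroup and g^s == t * y^c (mod p)."""
    p, q, g = grp
    if not (0 < t < p and pow(t, q, p) == 1 and 0 <= s < q):
        return False
    return pow(g, s, p) == t * pow(y, c, p) % p

class Prover:
    """Enrols by publishing y = g^x; the secret x never leaves this object."""
    def __init__(self, grp, x=None):
        p, q, g = self.grp = grp
        self.x = x if x is not None else secrets.randbelow(q - 1) + 1
        self.y = pow(g, self.x, p)  # the only thing the verifier ever stores

    def commit(self) -> int:  # move 1: t = g^r with a fresh random nonce r
        p, q, g = self.grp
        self._r = secrets.randbelow(q - 1) + 1
        return pow(g, self._r, p)

    def respond(self, c: int) -> int:  # move 3: s = r + c*x (mod q); drop r
        s, self._r = (self._r + c * self.x) % self.grp[1], None
        return s

class Verifier:
    """Holds only public data (p, q, g, y); a breach here leaks no secret."""
    def __init__(self, grp, y):
        self.grp, self.y, self._c = grp, y, None

    def challenge(self) -> int:  # move 2: unpredictable challenge c
        self._c = secrets.randbelow(self.grp[1] - 1) + 1
        return self._c

    def check(self, t: int, s: int) -> bool:
        c, self._c = self._c, None
        return c is not None and verify(self.grp, self.y, t, c, s)

def identify(prover, verifier, rounds: int = 1) -> bool:
    """Run the three-move exchange `rounds` times; every round must pass.
    Repeating it in the background is how a verifier raises its confidence."""
    for _ in range(rounds):
        t = prover.commit()
        c = verifier.challenge()
        if not verifier.check(t, prover.respond(c)):
            return False
    return True

def simulate_transcript(grp, y):
    """Forge an accepting (t, c, s) WITHOUT x by choosing s and c first.
    Because anyone can do this, a recorded transcript reveals nothing about x."""
    p, q, g = grp
    c, s = secrets.randbelow(q - 1) + 1, secrets.randbelow(q)
    return pow(g, s, p) * pow(y, -c, p) % p, c, s

def recover_secret(grp, c1, s1, c2, s2) -> int:
    """Caveat: two responses that reuse one nonce r leak x = (s1-s2)/(c1-c2) mod q."""
    q = grp[1]
    return (s1 - s2) * pow(c1 - c2, -1, q) % q
```

An impostor who does not hold x fails every round with a non-zero challenge, so eight background rounds give eight independent chances to catch a forged session. The `simulate_transcript` function is the practical meaning of "zero knowledge": an adversary surveilling the link sees only values it could have produced itself. The `recover_secret` function is the caveat a practitioner should keep in mind: the scheme is only as good as the prover's randomness, since reusing a nonce across two challenges hands the secret to anyone watching.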

Air Force Lt. Gen. Robert Skinner said, “We have to have something better. The industry has been, I’ll say, using other authentication mechanisms — other things for leveraging identity management, access control. I want to leverage that. We want to leverage that technology to be able to provide greater options, so it’s not just two-factor authentication, but it’s truly multi-factor — and it’s with the individual, it’s with the device.” 

The ZKX MFA Engine is the new technology that can be leveraged to authenticate the user and the device. We are ready to work with the industry to solve current authentication problems and continue to improve the technology. If you would like to talk about ZKX, reach out to collin@zkxsolutions.com.