Secure and usable enterprise authentication: Lessons from the Field
Published
Author(s)
Mary F. Theofanos, Simson L. Garfinkel, Yee-Yin Choong
Abstract
There are now more than 5.4 million Personal Identity Verification (PIV) and Common Access Card (CAC) identity cards deployed to US government employees and contractors. These cards are widely used to gain physical access to federal facilities, but their use to authenticate logical access to government information systems has been uneven. We report the reasons for the uneven deployment and then compare the results of a 26,691-person survey within the Department of Defense (DoD) and a 4,573-person survey within the Department of Commerce (DOC) to show that the use of smart-cards for 2-factor authentication results in improved usability and security when compared with 1-factor, password-only systems. We show that these benefits extend beyond the smart cards to other systems within the organizations that solely employ password authentication. We argue that PKI token-based authentication systems, such as smartcards, are likely to provide authentication that is simultaneously more secure and more usable than other 2-factor approaches, such as combining strong passwords with cell phones or with time-based hardware identity tokens.
Theofanos, M., Garfinkel, S. and Choong, Y. (2016), Secure and usable enterprise authentication: Lessons from the Field, IEEE Security & Privacy, [online], https://doi.org/10.1109/MSP.2016.96 (Accessed March 14, 2025)