Secure and Usable Enterprise Authentication: Lessons from the Field

Theofanos, Mary; Garfinkel, Simson; Choong, Yee-Yin

doi:https://doi.org/10.1109/MSP.2016.96

Journal Article

Secure and Usable Enterprise Authentication: Lessons from the Field

Documentation Topics

Published: October 25, 2016
Citation: IEEE Security & Privacy vol. 14, no. 5, (Sept.-Oct. 2016) pp. 14-21

Author(s)

Mary Theofanos (NIST), Simson Garfinkel (NIST), Yee-Yin Choong (NIST)

Abstract

More than 5.4 million Personal Identity Verification (PIV) and Common Access Cards (CAC) have been deployed to US government employees and contractors. These cards allow physical access to federal facilities, but their use to authenticate logical access to government information systems is uneven, with deployment rates across agencies ranging from 0 to 95 percent. Surveys of US Departments of Defense and Commerce employees show that using these smart cards for two-factor authentication results in improved usability and security. The authors argue that public-key infrastructure-based systems are likely to provide more secure and more usable authentication than other two-factor approaches, including combining strong passwords with a physical token such as a cell phone or time-based hardware identity device.

Keywords

security; privacy; PIV; HSPD-12; CAC; smart card; two-factor authentication; usable security

Control Families

None selected

Documentation

Publication:
Journal Article (DOI)

Supplemental Material:
None available

Document History:
10/25/16: Journal Article (Final)

Topics

Security and Privacy
authentication; Personal Identity Verification; privacy; usability

Technologies
smart cards

Laws and Regulations
Homeland Security Presidential Directive 12