Killing the CAC

October 28, 2021

Since 1999 the Common Access Card (CAC) has been the norm for service members. They use it to get onto the base, log in to military computers, access the chow hall, and do various other activities. The CAC works by inserting the card into a reader and entering the user’s PIN, which is between six and eight digits long. This, in turn, unlocks the private key used for attestation, simultaneously authenticating and identifying the user. Granted, there are a few fail-safes, such as the card locking after three incorrect PIN entries, but at the end of the day, the CAC is on the verge of not meeting DoD or federal standards.

Issues with the CAC

The CAC is an example of basic two-factor authentication, but as the industry works towards multi-factor authentication, the CAC has clearly fallen behind the times. While adding an extra authenticator to the CAC might work for people in day-to-day office settings, it creates a longer authentication process for those in the tactical domain, a process we are, in the end, trying to simplify.

The CAC has been the standard for so long that the industry has now created technology that far surpasses it. The industry is moving from a net-centric to a data-centric approach. This shift is part of the call to “Kill the CAC.” The new approach emphasizes protecting the data itself, rather than just the network it lives on. With cyber adversaries advancing their technology as well, protecting the network is no longer enough. Zero Trust has become front and center for authentication by always acting as though the network has already been compromised. As technology continues to advance, issues with the CAC are becoming more evident:

  • The card can be lost
  • The card can be stolen
  • Not true multi-factor authentication
  • Personal information is at risk of being stored on the card
  • The CAC does not fulfill DoD requirements for authentication
  • It is an all-or-nothing authenticator: the PIN is either correct or it is not
  • Malware exists that can compromise card-based authentication

How REDCOM Can Solve These Problems

REDCOM’s new disruptive authentication technology, ZKX, offers seamless and frictionless multi-factor authentication designed to embody the foundational principles of zero trust. ZKX is designed atop a foundation of zero-knowledge proofs — longstanding mathematical functions which are used to prove one’s knowledge of secret information without revealing what that secret information is. REDCOM has taken these functions and applied them to the complex issue of multi-factor authentication in zero-trust regimes and has created a ZTA-friendly authentication solution that eliminates the network’s need to trust its users and also the users’ need to inherently trust the host network.

[Figure: Zero Trust Architecture - Never Trust, Always Verify]

ZKX relies primarily on public data to authenticate users, enabling dynamic and rigid authentication even in environments surveilled by the adversary. Secret authenticating information is stored neither on the user’s endpoint nor on a network’s data storage system, making ZKX impervious to endpoint breaches, data theft, or information leaks. ZKX solves the issues of the CAC in the following ways:

  • Protects personal data by not storing personal information
  • No data is at risk if the endpoint device is compromised
  • Interoperable with various network mediums such as satellite, RF (radio frequency), and IP networks
  • Can adapt to policy requirements
  • Deployed following policies already outlined
  • Confidence levels can be enhanced simply by continuing to challenge the user’s identity; it is not all or nothing
  • Authenticates user and their device simultaneously
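As an added illustration that is not REDCOM’s ZKX code and does not describe ZKX’s actual protocol, the textbook Fiat-Shamir identification scheme below shows the two properties claimed above: the verifier only ever sees public values (the secret never leaves the prover), and confidence is not all or nothing but grows with every challenge round, because a prover who lacks the secret passes each round with probability one half. The modulus N is a constructed toy value, not a production parameter.

```python
import math
import secrets

# Constructed toy modulus (61 * 53) for illustration only; a real deployment
# uses a modulus far too large to factor.
N = 61 * 53


def keygen(n=N):
    """Prover's secret s and public v = s^2 mod n. Only v is ever published."""
    while True:
        s = secrets.randbelow(n - 2) + 2
        if math.gcd(s, n) == 1 and pow(s, 2, n) != 1:
            return s, pow(s, 2, n)


def verify(x, b, y, v, n=N):
    """Verifier check using only public values: y^2 == x (b=0) or x*v (b=1)."""
    expected = x if b == 0 else (x * v) % n
    return y % n != 0 and pow(y, 2, n) == expected


def honest_round(s, v, n=N):
    """One identification round by a prover who really knows s."""
    r = secrets.randbelow(n - 2) + 2        # fresh per-round randomness
    x = pow(r, 2, n)                         # commitment sent to the verifier
    b = secrets.randbits(1)                  # verifier's random challenge bit
    y = r if b == 0 else (r * s) % n         # response reveals r or r*s, never s
    return verify(x, b, y, v, n)


def cheating_round(v, n=N):
    """A prover without s must guess the challenge bit before committing."""
    guess = secrets.randbits(1)
    y = secrets.randbelow(n - 2) + 2
    # Guess 0: commit y^2. Guess 1: commit y^2 / v so that y^2 == x*v holds.
    x = pow(y, 2, n) if guess == 0 else (pow(y, 2, n) * pow(v, -1, n)) % n
    b = secrets.randbits(1)                  # wrong guess means a failed round
    return verify(x, b, y, v, n)


def run_rounds(round_fn, rounds):
    """Return (rounds passed, confidence) where confidence = 1 - 2^-rounds."""
    passed = sum(1 for _ in range(rounds) if round_fn())
    return passed, 1 - 2.0 ** -rounds


if __name__ == "__main__":
    s, v = keygen()
    print("honest  :", run_rounds(lambda: honest_round(s, v), 20))
    print("cheating:", run_rounds(lambda: cheating_round(v), 20))
```

Each extra round halves the chance that an impostor has slipped through, which is the sense in which confidence can be raised by continued challenges rather than decided by a single PIN check.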

Air Force Lt. Gen. Robert Skinner said, “We have to have something better. The industry has been, I’ll say, using other authentication mechanisms — other things for leveraging identity management, access control. I want to leverage that. We want to leverage that technology to be able to provide greater options, so it’s not just two-factor authentication, but it’s truly multi-factor — and it’s with the individual, it’s with the device.”

REDCOM’s ZKX is the new technology that can be leveraged to authenticate the user and the device. We are ready to work with the industry to solve current authentication problems and continue to improve the technology. If you would like to talk about ZKX, reach out to