The common access card , also commonly referred to as the CAC , is the standard identification for active duty United States defense personnel. The card itself is a smart card about the size of a credit card. Defense personnel that use the CAC include the Selected Reserve and National Guard , United States Department of Defense (DoD) civilian employees, United States Coast Guard (USCG) civilian employees and eligible DoD and USCG contractor personnel. It is also the principal card used to enable physical access to buildings and controlled spaces, and it provides access to defense computer networks and systems. It also serves as an identification card under the Geneva Conventions (especially the Third Geneva Convention ). In combination with a personal identification number , a CAC satisfies the requirement for two-factor authentication : something the user knows combined with something the user has. The CAC also satisfies the requirements for digital signature and data encryption technologies: authentication, integrity and non-repudiation .
98-406: The CAC is a controlled item. As of 2008, DoD has issued over 17 million smart cards. This number includes reissues to accommodate changes in name, rank, or status and to replace lost or stolen cards. As of the same date, approximately 3.5 million unterminated or active CACs are in circulation. DoD has deployed an issuance infrastructure at over 1,000 sites in more than 25 countries around the world and
196-545: A terahertz frequency identification (TFID) tag that is barely 1 square millimeter in size. The devices are essentially a piece of silicon that are inexpensive, small, and function like larger RFID tags. Because of the small size, manufacturers could tag any product and track logistics information for minimal cost. An RFID tag can be affixed to an object and used to track tools, equipment, inventory, assets, people, or other objects. RFID offers advantages over manual systems or use of barcodes . The tag can be read if passed near
294-765: A "true" multi-factor authentication system must use distinct instances of the three factors of authentication it had defined, and not just use multiple instances of a single factor. According to proponents, multi-factor authentication could drastically reduce the incidence of online identity theft and other online fraud , because the victim's password would no longer be enough to give a thief permanent access to their information. However, many multi-factor authentication approaches remain vulnerable to phishing , man-in-the-browser , and man-in-the-middle attacks . Two-factor authentication in web applications are especially susceptible to phishing attacks, particularly in SMS and e-mails, and, as
392-702: A CAC in order to access the site. Authentication systems vary depending on the type of system, such as Active Directory , RADIUS , or other access control list . CAC is based on X.509 certificates with software middleware enabling an operating system to interface with the card via a hardware card reader. Although card manufacturers such as Schlumberger provided a suite of smartcard, hardware card reader and middleware for both Linux and Windows , not all other CAC systems integrators did likewise. In an attempt to correct this situation, Apple Federal Systems has done work for adding some support for Common Access Cards to their later Snow Leopard operating system updates out of
490-543: A CAC is placed in a holder along with other RFID cards, it can also cause problems, such as attempting to open a door with an access card when it is in the same holder as a CAC. Despite these challenges at least one civilian organization, NOAA, uses the RFID technology to access facilities nationwide. Access is usually granted after first removing the CAC from the RF shield and then holding it against
588-461: A battery and thus can be read at a greater range from the RFID reader, up to hundreds of meters. Unlike a barcode , the tag does not need to be within the line of sight of the reader, so it may be embedded in the tracked object. RFID is one method of automatic identification and data capture (AIDC). RFID tags are used in many industries. For example, an RFID tag attached to an automobile during production can be used to track its progress through
686-560: A certain distance of the reader to authenticate the holder. Tags can also be placed on vehicles, which can be read at a distance, to allow entrance to controlled areas without having to stop the vehicle and present a card or enter an access code. In 2010, Vail Resorts began using UHF Passive RFID tags in ski passes. Facebook is using RFID cards at most of their live events to allow guests to automatically capture and post photos. Automotive brands have adopted RFID for social media product placement more quickly than other industries. Mercedes
784-440: A customer-owned smartphone. Despite the variations that exist among available systems that organizations may have to choose from, once a multi-factor authentication system is deployed within an organization, it tends to remain in place, as users invariably acclimate to the presence and use of the system and embrace it over time as a normalized element of their daily process of interaction with their relevant information system. While
882-421: A debit or credit card using either a password or a one-time password sent over SMS . This requirement was removed in 2016 for transactions up to ₹2,000 after opting-in with the issuing bank. Vendors such as Uber have been mandated by the bank to amend their payment processing systems in compliance with this two-factor authentication rollout. Details for authentication for federal employees and contractors in
980-524: A ghost image of the cardholder. If applicable, the card also contains the date of birth, blood type, DoD benefits number, Geneva Convention category, and DoD Identification Number of the holder (also used as the Geneva Convention number, replacing the previously used Social Security Number). The DoD number is also known as the Electronic data interchange Personal Identifier (EDIPI). A Code 39 barcode and
1078-734: A hardware token or USB plug. Many users do not have the technical skills needed to install a client-side software certificate by themselves. Generally, multi-factor solutions require additional investment for implementation and costs for maintenance. Most hardware token-based systems are proprietary, and some vendors charge an annual fee per user. Deployment of hardware tokens is logistically challenging. Hardware tokens may get damaged or lost, and issuance of tokens in large industries such as banking or even within large enterprises needs to be managed. In addition to deployment costs, multi-factor authentication often carries significant additional support costs. A 2008 survey of over 120 U.S. credit unions by
SECTION 10
#17330847179531176-452: A hidden paper or text file. Possession factors ("something only the user has") have been used for authentication for centuries, in the form of a key to a lock. The basic principle is that the key embodies a secret that is shared between the lock and the key, and the same principle underlies possession factor authentication in computer systems. A security token is an example of a possession factor. Disconnected tokens have no connections to
1274-628: A magnetic strip are at the top and bottom of the card, respectively. The cardholder’s DoD ID/EDIPI number is permanent throughout his or her career with the DoD or USCG, regardless of department or division. Likewise, the permanent number follows retired U.S. military personnel who subsequently become DoD or USCG civilians or DoD or USCG contractors needing a card. Additionally, for non-military spouses, unremarried former spouses, and widows/widowers of active, Reserve or Retired U.S. military personnel who themselves become DoD or USCG civilians or DoD or USCG contractors,
1372-446: A multi-factor authentication scheme may include: An example of two-factor authentication is the withdrawing of money from an ATM ; only the correct combination of a bank card (something the user possesses) and a PIN (something the user knows) allows the transaction to be carried out. Two other examples are to supplement a user-controlled password with a one-time password (OTP) or code generated or received by an authenticator (e.g.
1470-409: A particular product. Often more than one tag will respond to a tag reader. For example, many individual products with tags may be shipped in a common box or on a common pallet. Collision detection is important to allow reading of data. Two different types of protocols are used to "singulate" a particular tag, allowing its data to be read in the midst of many similar tags. In a slotted Aloha system,
1568-456: A processing system where the EDIPI number is matched with an access control system, such as Active Directory or LDAP . The DoD standard is that after three incorrect PIN attempts, the chip on the CAC will lock. The EDIPI number is stored in a PKI certificate. Depending on the owner, the CAC contains one or three PKI certificates. If the CAC is used for identification purposes only, an ID certificate
1666-424: A reader either mounted on a wall or located on a pedestal. Once the CAC is authenticated to a local security server either the door will release or a signal will be displayed to security guards to grant access to the facility. The ICC is fragile and regular wear can make the card unusable. Older cards tend to de-laminate with repeated insertion/removal from readers, but this problem appears to be less significant with
1764-723: A reader, even if it is covered by the object or not visible. The tag can be read inside a case, carton, box or other container, and unlike barcodes, RFID tags can be read hundreds at a time; barcodes can only be read one at a time using current devices. Some RFID tags, such as battery-assisted passive tags, are also able to monitor temperature and humidity. In 2011, the cost of passive tags started at US$ 0.09 each; special tags, meant to be mounted on metal or withstand gamma sterilization, could cost up to US$ 5. Active tags for tracking containers, medical assets, or monitoring environmental conditions in data centers started at US$ 50 and could be over US$ 100 each. Battery-Assisted Passive (BAP) tags were in
1862-568: A response, many experts advise users not to share their verification codes with anyone, and many web application providers will place an advisory in an e-mail or SMS containing a code. Multi-factor authentication may be ineffective against modern threats, like ATM skimming, phishing, and malware. In May 2017, O2 Telefónica , a German mobile service provider, confirmed that cybercriminals had exploited SS7 vulnerabilities to bypass SMS based two-step authentication to do unauthorized withdrawals from users' bank accounts. The criminals first infected
1960-520: A secret in order to authenticate. A password is a secret word or string of characters that is used for user authentication. This is the most commonly used mechanism of authentication. Many multi-factor authentication techniques rely on passwords as one factor of authentication. Variations include both longer ones formed from multiple words (a passphrase ) and the shorter, purely numeric, PIN commonly used for ATM access. Traditionally, passwords are expected to be memorized , but can also be written down on
2058-409: A security token or smartphone) that only the user possesses. A third-party authenticator app enables two-factor authentication in a different way, usually by showing a randomly generated and constantly refreshing code which the user can use, rather than sending an SMS or using another method. Knowledge factors are a form of authentication. In this form, the user is required to prove knowledge of
SECTION 20
#17330847179532156-426: A single password. Usage of MFA has increased in recent years, however, there are numerous threats that consistently makes it hard to ensure MFA is entirely secure. Authentication takes place when someone tries to log into a computer resource (such as a computer network , device, or application). The resource requires the user to supply the identity by which the user is known to the resource, along with evidence of
2254-510: A special tool or deactivated electronically when payment is made. On leaving the shop, customers have to pass near an RFID detector; if they have items with active RFID tags, an alarm sounds, both indicating an unpaid-for item, and identifying what it is. Casinos can use RFID to authenticate poker chips , and can selectively invalidate any chips known to be stolen. RFID tags are widely used in identification badges , replacing earlier magnetic stripe cards. These badges need only be held within
2352-436: A tiny radio transponder called a tag, a radio receiver , and a transmitter . When triggered by an electromagnetic interrogation pulse from a nearby RFID reader device, the tag transmits digital data, usually an identifying inventory number , back to the reader. This number can be used to track inventory goods. Passive tags are powered by energy from the RFID reader's interrogating radio waves . Active tags are powered by
2450-415: A transfer hose can read an RFID tag affixed to the tank, positively identifying it. At least one company has introduced RFID to identify and locate underground infrastructure assets such as gas pipelines , sewer lines , electrical cables, communication cables, etc. Two-factor authentication Multi-factor authentication ( MFA ; two-factor authentication , or 2FA , along with similar terms)
2548-472: A user knows, has, and is) to determine the user's identity. In response to the publication, numerous authentication vendors began improperly promoting challenge-questions, secret images, and other knowledge-based methods as "multi-factor" authentication. Due to the resulting confusion and widespread adoption of such methods, on August 15, 2006, the FFIEC published supplemental guidelines—which state that by definition,
2646-778: A user to move between offices and dynamically receive the same level of network access in each. Two-factor authentication over text message was developed as early as 1996, when AT&T described a system for authorizing transactions based on an exchange of codes over two-way pagers. Many multi-factor authentication vendors offer mobile phone-based authentication. Some methods include push-based authentication, QR code-based authentication, one-time password authentication (event-based and time-based), and SMS-based verification. SMS-based verification suffers from some security concerns. Phones can be cloned, apps can run on several phones and cell-phone maintenance personnel can read SMS texts. Not least, cell phones can be compromised in general, meaning
2744-454: A variety of ways. The CAC can be used for visual identification by way of matching the color photo with the owner. This is used for when the user passes through a guarded gate, or purchases items from a store, such as a PX/BX that require a level of privileges to use the facility. Some states allow the CAC to be used as a government-issued ID card, such as for voting or applying for a drivers license. The magnetic stripe can be read by swiping
2842-441: Is a fuzzy method for process support. From the perspective of cost and effect, bulk reading is not reported as an economical approach to secure process control in logistics. RFID tags are easy to conceal or incorporate in other items. For example, in 2009 researchers at Bristol University successfully glued RFID micro-transponders to live ants in order to study their behavior. This trend towards increasingly miniaturized RFIDs
2940-460: Is a strategy for interrogating multiple tags at the same time, but lacks sufficient precision for inventory control. A group of objects, all of them RFID tagged, are read completely from one single reader position at one time. However, as tags respond strictly sequentially, the time needed for bulk reading grows linearly with the number of labels to be read. This means it takes at least twice as long to read twice as many labels. Due to collision effects,
3038-606: Is all that is needed. However, in order to access a computer, sign a document, or encrypt email, signature and encryption certificates are also required. A CAC works in virtually all modern computer operating systems. Besides the reader, drivers and middleware are also required in order to read and process a CAC. The only approved Microsoft Windows middleware for CAC is ActivClient—available only to authorized DoD personnel. Other non-Windows alternatives include LPS-Public—a non-hard drive based solution. DISA now requires all DoD-based intranet sites to provide user authentication by way of
Common Access Card - Misplaced Pages Continue
3136-415: Is an electronic authentication method in which a user is granted access to a website or application only after successfully presenting two or more pieces of evidence (or factors ) to an authentication mechanism. MFA protects personal data —which may include personal identification or financial assets —from being accessed by an unauthorized third party that may have been able to discover, for example,
3234-433: Is based on the premise that an unauthorized actor is unlikely to be able to supply the factors required for access. If, in an authentication attempt, at least one of the components is missing or supplied incorrectly, the user's identity is not established with sufficient certainty and access to the asset (e.g., a building, or data) being protected by multi-factor authentication then remains blocked. The authentication factors of
3332-460: Is expected to rise from US$ 12.08 billion in 2020 to US$ 16.23 billion by 2029. In 1945, Leon Theremin invented the "Thing", a listening device for the Soviet Union which retransmitted incident radio waves with the added audio information. Sound waves vibrated a diaphragm which slightly altered the shape of the resonator , which modulated the reflected radio frequency. Even though this device
3430-507: Is likely to continue as technology advances. Hitachi holds the record for the smallest RFID chip, at 0.05 mm × 0.05 mm. This is 1/64th the size of the previous record holder, the mu-chip. Manufacture is enabled by using the silicon-on-insulator (SOI) process. These dust-sized chips can store 38-digit numbers using 128-bit Read Only Memory (ROM). A major challenge is the attachment of antennas, thus limiting read range to only millimeters. In early 2020, MIT researchers demonstrated
3528-408: Is not reliable. Bulk reading can be a rough guide for logistics decisions, but due to a high proportion of reading failures, it is not (yet) suitable for inventory management. However, when a single RFID tag might be seen as not guaranteeing a proper read, multiple RFID tags, where at least one will respond, may be a safer approach for detecting a known grouping of objects. In this respect, bulk reading
3626-401: Is placed near the bottom-middle of the front of the card. There are three color code schemes used on the front of the CAC. A blue bar across the holder’s name shows that the cardholder is a non-U.S. citizen. A green bar shows that the cardholder is a contractor. Absence of a bar indicates all other personnel—including military personnel and civil workers, among others. The back of the card has
3724-586: Is rolling out more than one million card readers and associated middleware. The CAC is issued to active United States Armed Forces (Regular, Reserves and National Guard) in the Department of Defense and the U.S. Coast Guard; DoD civilians; USCG civilians; non-DoD/other government employees and State Employees of the National Guard; and eligible DoD and USCG contractors who need access to DoD or USCG facilities and/or DoD computer network systems: Future plans include
3822-438: Is the landmark 1948 paper by Harry Stockman, who predicted that "Considerable research and development work has to be done before the remaining basic problems in reflected-power communication are solved, and before the field of useful applications is explored." Mario Cardullo 's device, patented on January 23, 1973, was the first true ancestor of modern RFID, as it was a passive radio transponder with memory. The initial device
3920-453: Is the most common CAC and is given to active duty/reserve armed forces and uniformed service members. The Geneva Convention Accompany Forces Card is issued to emergency-essential civilian personnel. The ID and Privilege Common Access Card is for civilians residing on military installations. The ID card is for DOD/Government Agency identification for civilian employees. Until 2008, all CACs were encrypted using 1,024-bit encryption. Starting 2008,
4018-444: Is typically deployed in access control systems through the use, firstly, of a physical possession (such as a fob, keycard , or QR-code displayed on a device) which acts as the identification credential, and secondly, a validation of one's identity such as facial biometrics or retinal scan. This form of multi-factor authentication is commonly referred to as facial verification or facial authentication. These are factors associated with
Common Access Card - Misplaced Pages Continue
4116-428: Is used in intelligent transportation systems . In New York City , RFID readers are deployed at intersections to track E-ZPass tags as a means for monitoring the traffic flow. The data is fed through the broadband wireless infrastructure to the traffic management center to be used in adaptive traffic control of the traffic lights. Where ship, rail, or highway tanks are being loaded, a fixed RFID antenna contained in
4214-430: Is used to authenticate users. Access to the computer's parent Active Directory is required when attempting to authenticate with a CAC for a given computer, for the first time. Use of, for example a field replaced laptop computer that was not prepared with the user's CAC before shipment would be impossible to use without some form of direct access to Active Directory beforehand. Other remedies include establishing contact with
4312-463: The Credit Union Journal reported on the support costs associated with two-factor authentication. In their report, software certificates and software toolbar approaches were reported to have the highest support costs. Research into deployments of multi-factor authentication schemes has shown that one of the elements that tend to impact the adoption of such systems is the line of business of
4410-602: The FIDO Alliance and the World Wide Web Consortium (W3C), have become popular with mainstream browser support beginning in 2015. A software token (a.k.a. soft token ) is a type of two-factor authentication security device that may be used to authorize the use of computer services. Software tokens are stored on a general-purpose electronic device such as a desktop computer , laptop , PDA , or mobile phone and can be duplicated. (Contrast hardware tokens , where
4508-407: The assembly line , RFID-tagged pharmaceuticals can be tracked through warehouses, and implanting RFID microchips in livestock and pets enables positive identification of animals. Tags can also be used in shops to expedite checkout, and to prevent theft by customers and employees. Since RFID tags can be attached to physical money, clothing, and possessions, or implanted in animals and people,
4606-639: The client PC in order to make use of the token or smart card . This translates to four or five packages on which version control has to be performed, and four or five packages to check for conflicts with business applications. If access can be operated using web pages , it is possible to limit the overheads outlined above to a single application. With other multi-factor authentication technology such as hardware token products, no software must be installed by end-users. There are drawbacks to multi-factor authentication that are keeping many approaches from becoming widespread. Some users have difficulty keeping track of
4704-582: The railroad industry, RFID tags mounted on locomotives and rolling stock identify the owner, identification number and type of equipment and its characteristics. This can be used with a database to identify the type, origin, destination, etc. of the commodities being carried. In commercial aviation, RFID is used to support maintenance on commercial aircraft. RFID tags are used to identify baggage and cargo at several airports and airlines. Some countries are using RFID for vehicle registration and enforcement. RFID can help detect and retrieve stolen cars. RFID
4802-612: The DoD ID/EDIPI Number on their CAC will be the same as on their DD 1173 Uniformed Services Privilege and Identification Card (e.g., Dependent ID card). The front of the CAC is fully laminated, while the back is only laminated in the lower half (to avoid interference with the magnetic stripe). The CAC is said to be resistant to identity fraud, tampering, counterfeiting, and exploitation and provides an electronic means of rapid authentication. There are currently four different variants of CACs. The Geneva Conventions Identification Card
4900-572: The DoD switched to 2,048-bit encryption. Personnel with the older CACs had to get new CACs by the deadline. On October 1, 2012, all certificates encrypted with less than 2,048-bits were placed on revocation status, rendering legacy CACs useless except for visual identification. The CAC is designed to provide two-factor authentication : what you have (the physical card) and what you know (the PIN ). This CAC technology allows for rapid authentication, and enhanced physical and logical security. The card can be used in
4998-649: The French retailer Decathlon , customers perform self-checkout by either using a smartphone or putting items into a bin near the register that scans the tags without having to orient each one toward the scanner. Some stores use RFID-tagged items to trigger systems that provide customers with more information or suggestions, such as fitting rooms at Chanel and the "Color Bar" at Kendra Scott stores. Item tagging can also provide protection against theft by customers and employees by using electronic article surveillance (EAS). Tags of different types can be physically removed with
SECTION 50
#17330847179535096-684: The Linux realm. Some users are using the MUSCLE project combined with Apple's Apple Public Source Licensed Common Access Card software. Another approach to solve this problem, which is now well documented, involves the use of a new project, CoolKey, to gain Common Access Card functionality. This document is available publicly from the Naval Research Laboratory 's Ocean Dynamics and Predictions Branch. The CAC has two types of bar codes: PDF417 in
5194-651: The U.S. are defined in Homeland Security Presidential Directive 12 (HSPD-12). IT regulatory standards for access to federal government systems require the use of multi-factor authentication to access sensitive IT resources, for example when logging on to network devices to perform administrative tasks and when accessing any computer using a privileged login. NIST Special Publication 800-63-3 discusses various forms of two-factor authentication and provides guidance on using them in business processes requiring different levels of assurance. In 2005,
5292-509: The US$ 3–10 range. RFID can be used in a variety of applications, such as: In 2010, three factors drove a significant increase in RFID usage: decreased cost of equipment and tags, increased performance to a reliability of 99.9%, and a stable international standard around HF and UHF passive RFID. The adoption of these standards were driven by EPCglobal, a joint venture between GS1 and GS1 US , which were responsible for driving global adoption of
5390-503: The United States' Federal Financial Institutions Examination Council issued guidance for financial institutions recommending financial institutions conduct risk-based assessments, evaluate customer awareness programs, and develop security measures to reliably authenticate customers remotely accessing online financial services , officially recommending the use of authentication methods that depend on more than one factor (specifically, what
5488-571: The ability to store additional information through the incorporation of RFID chips or other contactless technology to allow seamless access to DoD facilities. The program that is currently used to issue CAC IDs is called the Real-Time Automated Personnel Identification System (RAPIDS). RAPIDS interfaces with the Joint Personnel Adjudication System (JPAS), and uses this system to verify that
5586-469: The account holder's computers in an attempt to steal their bank account credentials and phone numbers. Then the attackers purchased access to a fake telecom provider and set up a redirect for the victim's phone number to a handset controlled by them. Finally, the attackers logged into victims' online bank accounts and requested for the money on the accounts to be withdrawn to accounts owned by the criminals. SMS passcodes were routed to phone numbers controlled by
5684-624: The attackers and the criminals transferred the money out. An increasingly common approach to defeating MFA is to bombard the user with many requests to accept a log-in, until the user eventually succumbs to the volume of requests and accepts one. Many multi-factor authentication products require users to deploy client software to make multi-factor authentication systems work. Some vendors have created separate installation packages for network login, Web access credentials , and VPN connection credentials . For such products, there may be four or five different software packages to push down to
5782-414: The authenticity of the user's claim to that identity. Simple authentication requires only one such piece of evidence (factor), typically a password. For additional security, the resource may require more than one factor—multi-factor authentication, or two-factor authentication in cases where exactly two pieces of evidence are to be supplied. The use of multiple authentication factors to prove one's identity
5880-679: The barcode in the 1970s and 1980s. The EPCglobal Network was developed by the Auto-ID Center . RFID provides a way for organizations to identify and manage stock, tools and equipment ( asset tracking ), etc. without manual data entry. Manufactured products such as automobiles or garments can be tracked through the factory and through shipping to the customer. Automatic identification with RFID can be used for inventory systems. Many organisations require that their vendors place RFID tags on all shipments to improve supply chain management . Warehouse Management System incorporate this technology to speed up
5978-535: The box using the MUSCLE (Movement for the Use of Smartcards in a Linux Environment) project. The procedure for this was documented historically by the Naval Postgraduate School in the publication "CAC on a Mac" although today the school uses commercial software. According to the independent military testers and help desks, not all cards are supported by the open source code associated with Apple's work, particularly
SECTION 60
#17330847179536076-401: The candidate has passed a background investigation and FBI fingerprint check. Applying for a CAC requires DoD form 1172-2 to be filled out and then filed with RAPIDS. The system is secure and monitored by the DoD at all times. Different RAPIDS sites have been set up throughout military installations in and out of combat theater to issue new cards. On the front of the card, the background shows
6174-485: The card expires, or if the maximum number of re-tries of the PIN is reached. Based on the regulations for CAC use, a user on TAD / TDY must visit a RAPIDS facility to replace or unlock a CAC, usually requiring travel to another geographical location or even returning to one's home location. The CAC PMO has also created a CAC PIN Reset workstation capable of resetting a locked CAC PIN. For some DoD networks, Active Directory (AD)
6272-431: The card through a magnetic stripe reader, much like a credit card. The magnetic stripe is actually blank when the CAC is issued. However, its use is reserved for localized physical security systems. The magnetic stripe was removed first quarter 2018. The integrated circuit chip (ICC) contains information about the owner, including the PIN and one or more PKI digital certificates. The ICC comes in different capacities, with
6370-519: The client computer. They typically use a built-in screen to display the generated authentication data, which is manually typed in by the user. This type of token mostly uses a OTP that can only be used for that specific session. Connected tokens are devices that are physically connected to the computer to be used. Those devices transmit data automatically. There are a number of different types, including USB tokens, smart cards and wireless tags . Increasingly, FIDO2 capable tokens, supported by
6468-492: The credentials are stored on a dedicated hardware device and therefore cannot be duplicated, absent physical invasion of the device). A soft token may not be a device the user interacts with. Typically an X.509v3 certificate is loaded onto the device and stored securely to serve this purpose. Multi-factor authentication can also be applied in physical security systems. These physical security systems are known and commonly referred to as access control. Multi-factor authentication
6566-457: The device (i.e. something that only the individual user knows) plus a one-time-valid, dynamic passcode, typically consisting of 4 to 6 digits. The passcode can be sent to their mobile device by SMS or can be generated by a one-time passcode-generator app. In both cases, the advantage of using a mobile phone is that there is no need for an additional dedicated token, as users tend to carry their mobile devices around at all times. Notwithstanding
6664-437: The field produced by the reader by changing the electrical loading the tag represents. By switching between lower and higher relative loads, the tag produces a change that the reader can detect. At UHF and higher frequencies, the tag is more than one radio wavelength away from the reader, requiring a different approach. The tag can backscatter a signal. Active tags may contain functionally separated transmitters and receivers, and
6762-456: The front and Code 39 in the rear. 0=Dependent CH=Child There are also some security risks in RFID. To prevent theft of information in RFID, in November 2010, 2.5 million radio frequency shielding sleeves were delivered to the DoD, and another roughly 1.7 million more were to be delivered the following January 2011. RAPIDS ID offices worldwide are required to issue a sleeve with every CAC. When
6860-418: The intranet by using public broadband Internet and then VPN to the intranet, or even satellite Internet access via a VSAT system when in locations where telecommunications is not available, such as in a natural disaster location. RFID Radio-frequency identification ( RFID ) uses electromagnetic fields to automatically identify and track tags attached to objects. An RFID system consists of
6958-411: The mobile operator's operational security and can be easily breached by wiretapping or SIM cloning by national security agencies. Advantages: Disadvantages: The Payment Card Industry (PCI) Data Security Standard, requirement 8.3, requires the use of MFA for all remote network access that originates from outside the network to a Card Data Environment (CDE). Beginning with PCI-DSS version 3.2,
7056-466: The more recent versions issued at 64 and 144 kilobytes (KB). The CAC can be used for access into computers and networks equipped with one or more of a variety of smartcard readers. Once inserted into the reader, the device asks the user for a PIN. Once the PIN is entered, the PIN is matched with the stored PIN on the CAC. If successful, the EDIPI number is read off the ID certificate on the card, and then sent to
7154-471: The network or working remotely, a more secure MFA method such as entering a code from a soft token as well could be required. Adapting the type of MFA method and frequency to a users' location will enable you to avoid risks common to remote working. Systems for network admission control work in similar ways where the level of network access can be contingent on the specific network a device is connected to, such as Wi-Fi vs wired connectivity. This also allows
7252-452: The newer ( PIV -compliant) cards. Also, the gold contacts on the ICC can become dirty and require cleaning with either solvents or a rubber pencil eraser. Fixing or replacing a CAC typically requires access to a RAPIDS facility, causing some practical problems. In remote locations around the world without direct Internet access or physical access to a RAPIDS facility, a CAC is rendered useless if
7350-451: The organization number is assigned by the EPCGlobal consortium. The next 24 bits are an object class, identifying the kind of product. The last 36 bits are a unique serial number for a particular tag. These last two fields are set by the organization that issued the tag. Rather like a URL , the total electronic product code number can be used as a key into a global database to uniquely identify
7448-445: The organization that deploys the multi-factor authentication system. Examples cited include the U.S. government, which employs an elaborate system of physical tokens (which themselves are backed by robust Public Key Infrastructure ), as well as private banks, which tend to prefer multi-factor authentication schemes for their customers that involve more accessible, less expensive means of identity verification, such as an app installed onto
7546-512: The phone is no longer something only the user has. The major drawback of authentication including something the user possesses is that the user must carry around the physical token (the USB stick, the bank card, the key or similar), practically at all times. Loss and theft are risks. Many organizations forbid carrying USB and electronic devices in or out of premises owing to malware and data theft risks, and most important machines do not have USB ports for
7644-443: The phrase "U.S. DEPARTMENT OF DEFENSE" repeated across the card. A color photo of the cardholder is placed on the top left corner. Below the photo is the name of the cardholder. The top right corner displays the expiration date. Other information on the front includes (if applicable) the holders's: pay grade , rank, and federal identifier. A PDF417 stacked barcode is displayed on the bottom left corner. An integrated circuit chip (ICC)
7742-585: The popularity of SMS verification, security advocates have publicly criticized SMS verification, and in July 2016, a United States NIST draft guideline proposed deprecating it as a form of authentication. A year later NIST reinstated SMS verification as a valid authentication channel in the finalized guideline. In 2016 and 2017 respectively, both Google and Apple started offering user two-step authentication with push notifications as an alternative method. Security of mobile-delivered security tokens fully depends on
7840-473: The possibility of reading personally-linked information without consent has raised serious privacy concerns. These concerns resulted in standard specifications development addressing privacy and security issues. In 2014, the world RFID market was worth US$ 8.89 billion , up from US$ 7.77 billion in 2013 and US$ 6.96 billion in 2012. This figure includes tags, readers, and software/services for RFID cards, labels, fobs, and all other form factors. The market value
7938-528: The radio energy transmitted by the reader. However, to operate a passive tag, it must be illuminated with a power level roughly a thousand times stronger than an active tag for signal transmission. Tags may either be read-only, having a factory-assigned serial number that is used as a key into a database, or may be read/write, where object-specific data can be written into the tag by the system user. Field programmable tags may be write-once, read-multiple; "blank" tags may be written with an electronic product code by
8036-423: The range of the RFID reader and read them simultaneously. RFID systems can be classified by the type of tag and reader. There are 3 types: Fixed readers are set up to create a specific interrogation zone which can be tightly controlled. This allows a highly defined reading area for when tags go in and out of the interrogation zone. Mobile readers may be handheld or mounted on carts or vehicles. Signaling between
8134-410: The reader and the tag is done in several different incompatible ways, depending on the frequency band used by the tag. Tags operating on LF and HF bands are, in terms of radio wavelength, very close to the reader antenna because they are only a small percentage of a wavelength away. In this near field region, the tag is closely coupled electrically with the transmitter in the reader. The tag can modulate
8232-484: The reader broadcasts an initialization command and a parameter that the tags individually use to pseudo-randomly delay their responses. When using an "adaptive binary tree" protocol, the reader sends an initialization symbol and then transmits one bit of ID data at a time; only tags with matching bits respond, and eventually only one tag matches the complete ID string. Both methods have drawbacks when used with many tags or with multiple overlapping readers. "Bulk reading"
8330-425: The receiving and delivery of the products and reduce the cost of labor needed in their warehouses. RFID is used for item-level tagging in retail stores. This can enable more accurate and lower-labor-cost supply chain and store inventory tracking, as is done at Lululemon , though physically locating items in stores requires more expensive technology. RFID tags can be used at checkout; for example, at some stores of
8428-575: The recent CACNG or CAC-NG PIV II CAC cards. Third party support for CAC Cards on the Mac are available from vendors such as Centrify and Thursby Software. Apple's Federal Engineering Management suggest not using the out-of-the-box support in Mac OS X 10.6 Snow Leopard but instead supported third party solutions. Mac OS X 10.7 Lion has no native smart card support. Thursby's PKard for iOS software extends CAC support to Apple iPads and iPhones. Some work has also been done in
8526-482: The same reason. Physical tokens usually do not scale, typically requiring a new token for each new account and system. Procuring and subsequently replacing tokens of this kind involves costs. In addition, there are inherent conflicts and unavoidable trade-offs between usability and security. Two-step authentication involving mobile phones and smartphones provides an alternative to dedicated physical devices. To authenticate, people can use their personal access codes to
8624-414: The tag need not respond on a frequency related to the reader's interrogation signal. An Electronic Product Code (EPC) is one common type of data stored in a tag. When written into the tag by an RFID printer, the tag contains a 96-bit string of data. The first eight bits are a header which identifies the version of the protocol. The next 28 bits identify the organization that manages the data for this tag;
8722-572: The time required is greater. A group of tags has to be illuminated by the interrogating signal just like a single tag. This is not a challenge concerning energy, but with respect to visibility; if any of the tags are shielded by other tags, they might not be sufficiently illuminated to return a sufficient response. The response conditions for inductively coupled HF RFID tags and coil antennas in magnetic fields appear better than for UHF or SHF dipole fields, but then distance limits apply and may prevent success. Under operational conditions, bulk reading
8820-403: The transmission and sensor data, respectively. RFID tags can be either passive, active or battery-assisted passive. An active tag has an on-board battery and periodically transmits its ID signal. A battery-assisted passive tag has a small battery on board and is activated when in the presence of an RFID reader. A passive tag is cheaper and smaller because it has no battery; instead, the tag uses
8918-565: The use of MFA is required for all administrative access to the CDE, even if the user is within a trusted network. The second Payment Services Directive requires " strong customer authentication " on most electronic payments in the European Economic Area since September 14, 2019. In India, the Reserve Bank of India mandated two-factor authentication for all online transactions made using
9016-405: The user, and are usually biometric methods, including fingerprint , face , voice , or iris recognition. Behavioral biometrics such as keystroke dynamics can also be used. Increasingly, a fourth factor is coming into play involving the physical location of the user. While hard wired to the corporate network, a user could be allowed to login using only a pin code. Whereas if the user was off
9114-410: The user. The RFID tag receives the message and then responds with its identification and other information. This may be only a unique tag serial number, or may be product-related information such as a stock number, lot or batch number, production date, or other specific information. Since tags have individual serial numbers, the RFID system design can discriminate among several tags that might be within
9212-633: Was a covert listening device , rather than an identification tag, it is considered to be a predecessor of RFID because it was passive, being energised and activated by waves from an outside source. Similar technology, such as the Identification friend or foe transponder , was routinely used by the Allies and Germany in World War II to identify aircraft as friendly or hostile. Transponders are still used by most powered aircraft. An early work exploring RFID
9310-544: Was an early adopter in 2011 at the PGA Golf Championships , and by the 2013 Geneva Motor Show many of the larger brands were using RFID for social media marketing. To prevent retailers diverting products, manufacturers are exploring the use of RFID tags on promoted merchandise so that they can track exactly which product has sold through the supply chain at fully discounted prices. Yard management, shipping and freight and distribution centers use RFID tracking. In
9408-484: Was granted to David Everett, John Frech, Theodore Wright, and Kelly Rodriguez. A radio-frequency identification system uses tags , or labels attached to the objects to be identified. Two-way radio transmitter-receivers called interrogators or readers send a signal to the tag and read its response. RFID tags are made out of three pieces: The tag information is stored in a non-volatile memory. The RFID tag includes either fixed or programmable logic for processing
9506-929: Was passive, powered by the interrogating signal, and was demonstrated in 1971 to the New York Port Authority and other potential users. It consisted of a transponder with 16 bit memory for use as a toll device . The basic Cardullo patent covers the use of radio frequency (RF), sound and light as transmission carriers. The original business plan presented to investors in 1969 showed uses in transportation (automotive vehicle identification, automatic toll system, electronic license plate , electronic manifest, vehicle routing, vehicle performance monitoring), banking (electronic chequebook, electronic credit card), security (personnel identification, automatic gates, surveillance) and medical (identification, patient history). In 1973, an early demonstration of reflected power (modulated backscatter) RFID tags, both passive and semi-passive,
9604-520: Was performed by Steven Depp, Alfred Koelle and Robert Freyman at the Los Alamos National Laboratory . The portable system operated at 915 MHz and used 12-bit tags. This technique is used by the majority of today's UHFID and microwave RFID tags. In 1983, the first patent to be associated with the abbreviation RFID was granted to Charles Walton . In 1996, the first patent for a batteryless RFID passive tag with limited interference
#952047