Skip navigation

Effective October 28, 2019 Duo Security will be transitioning to Cisco's Privacy Statement. View the Duo Privacy Data Sheet.

Industry News

Mobile Liberation for Federal Government PIV & CAC Cards

Unlike the high tech government systems portrayed in spy movies, federal government agencies like the Pentagon, the Department of Defense (DoD) and public agencies are not at the bleeding edge of modern IT in all areas, particularly when it comes to the outdated PIV/CAC cards required to sign into systems. 

In 2001, the DoD first introduced Common Access Cards (CAC), a smart card used to prove identity and log on to systems, with no consolidated and interoperable ID management for civilian employees, reservists, active duty personal and contract workers. In 2006, the DoD launched an updated CAC adding Personal Identification Verification (PIV) capability as a next generation CAC solution. Today, the basic ability for workers and contractors to log into their super-secret systems is the same as it was in the early days of the internet, and the government has not kept up with technology advancements.

Back in 2013, Tony Montemarano, executive deputy director of the Defense Information Systems Agency (DISA) said, “We are really hitting hard on mobility [and identity protection]. Everything we are doing, every development activity has to show a mobile side to it.” 

The folks at the federal government who protect and serve are well-aware of the security and usability challengers of this outdated approach to IT security.

“We will use true multi-factor that actually does a couple of things for me — it gets me more agile because there is an overhead for CAC cards, not just cost overhead, but a time overhead, and in my business, it’s a location overhead. It’s really hard to issue a CAC card when people are dropping mortar shells on you and you need to get into your systems. It just doesn’t work well.”

-- The then Department of Defense Chief Information Officer Terry Halvorsen told the Federal News Network in 2016 

As more operations rely on smart devices and screens, using CAC and PIV alone is no longer a viable solution. “We have to move away from the CAC as a form factor,” shared Steve Wallace, DISA’s technical director, in 2017, noting that the CAC card doesn’t plug into a tablet.

The federal and military CAC and PIV systems are as ingrained into our federal systems as the American Social Security number—and are not exactly going away, but they are getting an Avengers makeover and being reimagined from the clunky hardware and ugly UI to modern mobile user credentialing utilizing multi-factor authentication (MFA) that is seamless and frictionless. It’s the kind of modernization that senior leaders in federal agencies have been working toward for years.

Duo Security is a mobile multi-factor authentication technology developed to solve exactly these problems for federal and government agencies. Duo believes that excellent cybersecurity should be accessible to all people and aims to “democratize security” so every device is protected on every platform with the ability to access any application securely utilizing our zero-trust (trust no user and no device that is not properly vetted) technology.

Duo Moves Compliant CAC/PIV Credentials to Mobile

Duo’s MFA supports rather than replaces CAC/PIV cards, keeping the cost to implement low.

Duo works as a mobile application on smartphones that users can self-register and administer using their government issued or BYOD device, making a large roll-out a snap with few barriers to adoption. It is as easy as installing any app from the app store.

With Duo’s single sign-on (SSO) login with a password and username, which triggers the Duo Mobile App to send a push notification (Duo Push). User’s can tap “accept” (or deny suspicious requests) and quickly complete the second-factor authentication process (2FA). Duo allows users authenticate into cloud and SaaS applications and access applications from mobile devices

Duo keeps agencies and users compliant with granular policy controls that allow admins the ability to set policies for:

  • Location-based access
  • Role-based access
  • Contextual access
  • App-specific access
  • Outdated applications and required updates
  • Endpoint control enforcement whether you have an MDM solution or not
  • Detecting and tracking every device on your network without using an agent
  • Notifying users who have not added password protection or biometrics or restricting them until they do 

All-In-One Solution

Imagine a single solution that allows government agencies and contractors to accelerate their IT modernization efforts while complying with the most stringent level of federal digital identity and authentication requirements, without added cost and complexity. Duo and YubiKey have teamed up to offer a single elegant solution for all scenarios.

Duo + YubiKey

 Together, Duo and the YubiKey satisfy the government guidance on:

  • FedRAMP
  • DFARS/ NIST SP 800-171
  • NIST SP 800-63-3 AAL

Duo Security is proudly FedRAMP “In Process” on the FedRAMP Marketplace and adheres to NIST regulations for compliance for commercial alternatives to CAC/PIV cards. Federal and public agencies can buy Duo now.


Want to learn more? Watch this webinar on "How Mobile Will Replace Your CAC/PIV Cards"

Watch Webinar