Modern authentication for the Department of the Air Force

Using the Common Access Card (CAC) for authentication is not practical or possible for every U.S. Air Force Airman, Guardian, employee, contractor and mission partner. Guidance such as the National Security Memorandum/ NSM-8, and more importantly, cyber attacks from nation-states to criminal organizations has mandated the DoD to deploy phishing-resistant authentication as part of a Zero Trust Architecture and created requirements to modernize authentication across the entire Department of Defense (DoD).

While CAC meets the highest assurance of multi-factor authentication (MFA) when using DoD Public Key Infrastructure (PKI), there are a growing number of scenarios that have the same assurance requirements where CAC is not available or practical. These scenarios include secure access for telework, BYOAD (Bring Your Own Approved Devices), non-CAC eligible coalition and mission partner environments, air-gapped/isolated networks, shared devices and tactical scenarios overseas where relying on a CAC may inadvertently reveal identities. For example, CAC reader support for mobile phones or tablets is limited or non existent, and teleworking with a CAC reader leaves the device open to potential malware.

There is a growing need for cost-effective, turnkey solutions to address the needs of today and future-proof against the authentication needs of tomorrow— including those currently under DoD policy review such as Fast Identity Online (FIDO) authentication standards.

Securing non CAC-eligible users

Non-CAC eligible personnel such as dependents, Non-appropriated Funds employees and other users that require 3rd party access still require secure access to Department of Air Force (DAF) systems. To meet these needs, the DoD approved the YubiKey as one of three alternate MFA solutions when PKI is infeasible—a FIPS 140-2 validated alternative to the CAC that allows non-CAC personnel or personal non-GFE devices in a BYOD environment to securely authenticate to DoD networks.

Securing SCIFs & air-gapped networks

Air-gapped networks are closed off from the outside, making it difficult to authenticate users using data sent over a network. Many air-gapped systems still use a username and password or a combination of passwords and a digital identity. YubiKeys ensure that air-gapped networks stay secured against breaches by providing phishing-resistant MFA that works well in isolated network and mobile restricted environments as they don’t need any network connectivity, cellular connection, or batteries to work. YubiKeys are compatible with Cross Domain Solution (CDS) and Multi-Level Security (MLS), and users can be authenticated without transfer of information.

Securing mission partners

Coalition and “Five Eyes” (FVEY) mission partners use PKI credentials to authenticate to DoD systems, but mission partners are not always CAC-eligible. YubiKey is a solution that the DAF can uniquely manage at the unit level to support access to the data needed to conduct missions, support strong and phishing resistant authentication for mission partners at the tactical edge.

A YubiKey, as a multi-protocol authenticator, provides flexibility and personalization to coalition networks that require DoD credentials for mission partners. Coalition networks can generate and manage local credentials, provision them to a YubiKey, and issue them to mission partners requiring access to DoD resources within a respective Area of Responsibility. This will ensure that only locally issued credentials can be used for authentication within the respective Combatant Command network. Additionally, options are available for the type of managed credentials—tactical PKI supports certificate-based credentials while other Identity Credential and Access Management (ICAM) components can issue FIDO2 credentials. Both types of credentials meet phishing-resistant authentication requirements.

Securing privileged users

Ensuring secure, phishing-resistant user access to classified, secret and personal information is critical for those privileged users that cannot use the CAC to authenticate. The YubiKey offers the highest-assurance alternate authentication that can be used to authenticate privileged users to both legacy and modern applications. The YubiKey’s hardware design enables the authentication secret to be stored on a secure hardware chip that cannot be copied or exported, offering the highest security for authenticating privileged users. The YubiKey can be used for step-up authentication for high-security applications

DoD Microsoft 365 tenant admins cannot use their primary DoD credentials to authenticate for daily tasks and maintenance. Microsoft Azure supports the enrollment of a YubiKey as a FIDO2 authenticator. Consequently, admins are able to quickly enroll a YubiKey for their privileged user roles to meet phishing-resistant authentication requirements. A YubiKey as a FIDO2 token, uses public/private key pairs bound to the tenant URL, to ensure strong authentication is met.

Securing office workers

Desktop Anywhere is a secure virtual machine that can be accessed from any commercial Internet connection. This capability provides a consistent desktop experience for government civilians and servicemembers, whether physically in the office or working remote. The YubiKey supports this amazing capability by delivering registered participants a simple authentication experience no matter the device used to start the remote session.

Securing telework & BYOAD

Supporting teleworkers and BYOD using the CAC creates complexity. While password-based authentication may simplify remote access, relying on single-factor authentication does not satisfy zero trust security and phishingresistant authentication requirements.

Fortunately, YubiKey works with leading Identity and Access Management (IAM) and Identity Provider (IdP) solutions to enable phishing-resistant access for remote and hybrid employees without the need for supporting devices. For Guardians, Active, Reserve, and National Guard Airmen, this offers reliable, flexible, and trusted access to DAF resources using Purebred derived certificates. Enabling capabilities, such as Desktop Anywhere that make it easier for service members to access services from home, no longer need to be reliant on a CAC and a separate CAC reader. In cases where remote and hybrid workers are sent GFE devices, the YubiKey can also be used as a portable root of trust to ensure the device hasn’t been compromised enroute.

YubiKeys have the flexibility to be used with a wide range of mobile devices and unmanaged and managed workstations, including Chromebooks and personal phones. When a YubiKey has been provisioned with DoD Purebred credentials, it becomes a portable root of trust for service members’ identities, making it easier to authenticate regardless of the device.

Securing shared devices & workstations

Airmen, Guardians, DoD civilians and contractors that use shared workstations and shared devices such as Electronic Flight Bags (EFBs) and eTools iPads, can benefit from using the YubiKey as a portable root of trust for secure authentication. They can authenticate to the network using the trusted Smart Card credential on their YubiKey, proving they are a trusted user.

A single YubiKey works across multiple shared devices including desktops, laptops, mobile, tablets, and notebooks, enabling users to utilize the same key as they navigate across devices. YubiKeys are also easily re-programmed, making them suitable for rotating-shift and temporary users across these environments.

The use of shared workstations and mobile devices are increasingly common across the DAF. By affording a pool of resources for maintainers and aircrew, the DAF can lower the total cost of ownership of devices. However, shared devices still have the challenge of supporting multiple users, each requiring DoD credentials for authentication. By shifting the storage of the credentials from the device to a hardware-based authenticator, like a YubiKey, each individual can be issued a security key for authentication on any of the shared devices. Users do not have to worry about grabbing the right devices matching their stored soft credentials.