
It’s Time to Plan for a Future Beyond Passwords - ohjeez
https://www.forbes.com/sites/waynerash/2019/11/21/its-time-to-plan-for-a-future-beyond-passwords/#24363ee72e7d
======
rkeene2
The executive branch of the US Government got rid of passwords a long time ago
as part of Homeland Security Presidential Directive 12 (HSPD-12) of August of
2004. Almost all agencies within the executive branch switched to using
Personal Identification and Verification (PIV) smartcards, which have X.509v3
certificates issued by the Federal PKI (FPKI) and RSA private keys. The US
Department of Defense was already using Common Access Cards (CAC) which were
very similar to the PIV cards, and after NIST standardized PIV as NIST SP
800-73, the DOD updated their CACs to be PIV-compliant.

WebAuthn/U2F are all newer than the migration to PIV (and they are
compatible). I maintain PIV/CAC middleware called CACKey
([https://cackey.rkeene.org](https://cackey.rkeene.org)) and I’ve been
thinking of adding WebAuthn support.

The DOJ should be a part of the executive branch of the US Government so they
should not be using passwords, and their statistics for HSPD-12 compliance
look pretty good:
[https://www.justice.gov/archives/us-hspd-12-piv-card-issuance-statistics](https://www.justice.gov/archives/us-hspd-12-piv-card-issuance-statistics)

So, why they had passwords is interesting, but it is (in my experience) an
anomaly.

