What’s preventing more rapid uptake of integrating with the CAC system? I can use my CAC when going through TSA for ID (and verification is sub 10 seconds) but other agencies keep dragging their feet.
It seems to be laziness on the part of the IT system makers. There are (mostly) standardized ways to authenticate a CAC and associate it with a user for an information system. But people seem to prefer to roll their own, either using traditional username/password combos or a worse solution.
The worse one is this (seen a few times): username/password, and then you register your CAC with it. They only check the CAC itself for the cert expiration date. When it does finally expire (or gets revoked, say you need a new one early, as happened to me a couple of times, not due to loss, it just became unreliable in the CAC reader), then you have to use the username/password combo (the password has been getting updated every 60-90 days during all this time) and register your new CAC.
But, since they aren't checking revocation data, a stolen CAC + PIN (say it's weak, beaten out of you, or they observe you using it), even revoked, would still be able to authenticate against that system until the cert expires or the admin (usually) manually removes the revoked CAC.
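As an added example (not from any commenter, and not real DoD or CAC code), here is the check the comment above says these systems skip, written against Go's standard library only: `authenticate` does chain and expiry validation and then refuses a card listed on a current, issuer-signed CRL, failing closed when the CRL is unsigned or stale; `fixture` builds a constructed throwaway CA, card cert and CRL so it runs offline. Function names, serials and subjects are my own assumptions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// authenticate does what the thread's "worse" systems skip: Verify covers chain and expiry,
// then the card must be absent from a current, issuer-signed CRL (unsigned/stale CRL = refuse).
func authenticate(leaf, issuer *x509.Certificate, crl *x509.RevocationList, now time.Time) error {
	roots := x509.NewCertPool()
	roots.AddCert(issuer)
	opts := x509.VerifyOptions{Roots: roots, CurrentTime: now, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := leaf.Verify(opts); err != nil {
		return fmt.Errorf("chain/expiry check failed: %w", err)
	}
	if err := crl.CheckSignatureFrom(issuer); err != nil || now.After(crl.NextUpdate) {
		return fmt.Errorf("CRL rejected (signature error: %v, NextUpdate: %s); not failing open", err, crl.NextUpdate)
	}
	for _, rc := range crl.RevokedCertificates {
		if rc.SerialNumber.Cmp(leaf.SerialNumber) == 0 {
			return fmt.Errorf("certificate serial %s revoked at %s", leaf.SerialNumber, rc.RevocationTime)
		}
	}
	return nil
}

// fixture builds a constructed throwaway CA, a card cert (serial 42) it issued, and a CRL
// listing revokedSerial (pass any other serial for a clean CRL). Not a real DoD PKI or CAC.
func fixture(now time.Time, revokedSerial int64) (leaf, ca *x509.Certificate, crl *x509.RevocationList) {
	caPub, caPriv, _ := ed25519.GenerateKey(rand.Reader)
	leafPub, _, _ := ed25519.GenerateKey(rand.Reader)
	caTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Constructed Test CA"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour), IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign}
	leafTmpl := &x509.Certificate{SerialNumber: big.NewInt(42), Subject: pkix.Name{CommonName: "Constructed Card Holder"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour), ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	parse := func(der []byte, _ error) *x509.Certificate { c, _ := x509.ParseCertificate(der); return c }
	ca = parse(x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, caPub, caPriv))
	leaf = parse(x509.CreateCertificate(rand.Reader, leafTmpl, ca, leafPub, caPriv))
	crlDER, _ := x509.CreateRevocationList(rand.Reader, &x509.RevocationList{Number: big.NewInt(1), ThisUpdate: now, NextUpdate: now.Add(time.Hour),
		RevokedCertificates: []pkix.RevokedCertificate{{SerialNumber: big.NewInt(revokedSerial), RevocationTime: now}}}, ca, caPriv)
	crl, _ = x509.ParseRevocationList(crlDER)
	return leaf, ca, crl
}
```

In a real deployment the CRL (or an OCSP response) comes from the issuing CA's distribution point and must be refreshed before NextUpdate; the stale-CRL branch is what keeps a feed outage from silently turning into "no revocation checking".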
As an IAM/trust systems enthusiast with a passing interest in the CAC system (and tangentially, Login.gov), this is disappointing to hear. Thanks for the context. I’ll keep my eye out for opportunities to contribute to improving the situation (USDS or 18F).