DoD memo’s use cases clarify mission impact of new policies on PKI credentials, expanded authentication

"They removed focus from the container that holds the credential and put focus on the credential itself. That's very helpful for this space," Alex Antrim said.

For years, the Defense Department bounced back and forth between defining its primary authentication credential as DoD public key infrastructure or the Common Access Card, especially when it comes to the department’s unclassified networks.  

Referring to the CAC as the primary authenticator largely simplified credentialing, but it also effectively excluded alternative hardware tokens also capable of securely storing DoD-approved PKI credentials — sometimes even offering stronger access management.

Now, the Defense Department’s recent memo on multifactor authentication for unclassified and secret networks clarifies that the department’s PKI credential — not the plastic card that stores it — is the true primary verification of a user’s identity.

“I think this new memo and those conversations that helped with this new memo realized that they need to remove focus off of the hardware, the container — the card stock, in this case. That is not the thing that actually provides someone access. It’s the credential that’s stored on it,” Alex Antrim, senior solutions engineer at Yubico, told Federal News Network. “So once that clicked in those round table discussions, they removed focus from the container that holds the credential and put focus on the credential itself, regardless of what container that credential is stored on. And I think that’s very, very helpful for this space.” 

The memo makes it clear that the Defense Department has no plans to move away from PKI for primary credentialing anytime soon. When PKI is available, particularly for CAC holders, the memo says it must be used.

But the new policy approves newer technologies, such as FIDO2 passkeys, that can enable password-free, phishing-resistant authentication in scenarios where standard PKI authentication is not feasible. Earlier DoD guidance allowed a type of FIDO authentication called FIDO U2F, which still relied on usernames and passwords.

“Unsurprisingly, DoD did not just approve passkeys in general, so it’s not a bring-your-own-authenticator type approval. They still say a passkey with a specific technology,” said Adam Oliver, senior solutions engineer at Yubico. “Vendors will still need to come in, find an organization that’s going to want to get it approved and go through the processes defined in that memo to get it onto the list. But now that door is open.” 

It’s the latest development in a longstanding debate about secure access management within DoD.

“Previously, if you brought up FIDO within DoD, the reactions would be varied. You get some people that were very excited about it as a newer, modern authentication method that’s also based on cryptography. But then you’d get people that would go, ‘No, no. PKI is the gold standard, period. We would never look at anything else,’” Oliver said. “And the memo, in those scenarios, does really define if a CAC holder gets a FIDO2 credential, how you bind that to that identity and make sure that the FIDO credential is deactivated based on certain things happening with the certificate, such as it expiring and being revoked.” 
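The binding and deactivation rule Oliver describes, modelled as an added example (it is not the memo's procedure or Yubico's code): a registry that only enrolls a passkey against a currently valid PKI certificate and retires that passkey once the certificate is revoked or expires. Certificate serials, credential IDs and dates are constructed sample values.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict

@dataclass
class PkiCertificate:
    serial: str           # identifies the CAC certificate that vouches for the identity
    not_after: datetime
    revoked: bool = False

@dataclass
class Passkey:
    credential_id: str    # FIDO2 credential ID (constructed sample value)
    bound_serial: str     # serial of the PKI certificate this passkey is bound to
    active: bool = True

class BoundCredentialRegistry:
    """Tracks passkeys bound to a PKI certificate and retires them with it."""
    def __init__(self):
        self.certs: Dict[str, PkiCertificate] = {}
        self.passkeys: Dict[str, Passkey] = {}

    def enroll(self, cert: PkiCertificate, credential_id: str, now: datetime) -> None:
        # Binding is only permitted while the anchoring PKI credential is valid.
        if cert.revoked or now >= cert.not_after:
            raise ValueError("cannot bind a passkey to an expired or revoked certificate")
        self.certs[cert.serial] = cert
        self.passkeys[credential_id] = Passkey(credential_id, cert.serial)

    def reconcile(self, now: datetime) -> Dict[str, str]:
        """Deactivate every active passkey whose certificate is revoked or expired."""
        retired = {}
        for pk in self.passkeys.values():
            cert = self.certs[pk.bound_serial]
            if pk.active and (cert.revoked or now >= cert.not_after):
                pk.active = False
                retired[pk.credential_id] = "revoked" if cert.revoked else "expired"
        return retired

def run_scenario() -> Dict[str, object]:
    """Constructed walk-through: one bound certificate is revoked, another expires."""
    t0 = datetime(2026, 1, 1, tzinfo=timezone.utc)
    reg = BoundCredentialRegistry()
    alice = PkiCertificate("serial-A1", t0 + timedelta(days=365))
    bob = PkiCertificate("serial-B2", t0 + timedelta(days=30))
    reg.enroll(alice, "pk-alice", t0)
    reg.enroll(bob, "pk-bob", t0)
    alice.revoked = True                              # e.g. the CAC was reported lost
    retired = reg.reconcile(t0 + timedelta(days=45))  # Bob's certificate has expired by now
    return {"retired": retired, "alice_active": reg.passkeys["pk-alice"].active}
```

A production deployment would feed `reconcile` from the CA's revocation data (CRL or OCSP) on a schedule rather than from an in-memory flag.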

Making the non-PKI use cases

Antrim said one of the highlights of the memo is a clear set of tables outlining use cases, personas and specific scenarios, giving DoD organizations clearer guidance on when and how to deploy approved non-PKI authentication alternatives.

“That has always been a challenge in the past where organizations were looking to innovate, and they could not get that clarity out of existing policies. [CAC] is cumbersome. It’s something I have to keep hold of. I can’t lose it. It is very challenging to get a new one,” Antrim said. “With these alternative authenticators listed in this new memo, it gives many more options to organizations that are looking to provide easier ways for service members to get access to critical mission data.” 

The memo also includes a number of use cases for individuals who do not hold a CAC, including foreign mission partners. In those environments, DoD has traditionally relied on identity federation, allowing partner nations to authenticate their own users and assert their identities back to DoD systems.

The new guidance provides options for authentication and instruction on access management when working with foreign mission partners. As one user example, the memo describes a combatant command that “owns and runs an information system specifically intended to rapidly engage foreign mission partners in nontraditional missions such as humanitarian assistance, disaster response, or stability operations.”

It’s a theoretical scenario with significant real-life implications.

“My perspective, at least from a former Navy service member, is the mission partner environment is an area that needs some innovation — and it has been handcuffed to either trying to issue Common Access Cards to foreign mission partners, which is near impossible, or using less-secure methods to hand out to foreign mission partners to get them onboarded into an environment to share critical mission data,” Antrim said.

“If you have joint operations with other mission partners and other allies, sharing mission data is critical. If you have to waste time trying to onboard that person or that unit into your environment, the mission suffers,” he added. “With these new technologies and the use cases, there’s clear guidance that says: If you are standing up an ICAM for a mission partner environment that needs to issue tokens to foreign mission partners so they can access secret, now you have a list of approved authenticators that supports that.” 

Copyright © 2026 Federal News Network. All rights reserved.
