Utilizing CAC and PIV Cards to Enforce Multi-Factor Authentication in Federal Government Agencies


The primary purpose of a Smartcard – known as the Common Access Card (CAC), or the Personal Information Verification (PIV) Card - is to provide a multi-factor authentication to a system using embedded integrated circuits, a username, and a corresponding complex password. The combination of a user’s possession of the card, knowledge of the username, and current password authenticates a user against a given system. The Smartcard itself must be available and valid, and inserted mechanically into a system such that the integrated circuits are active for the duration of the session. If it is removed, typical policies dictate that the session should be terminated immediately. Thus, the user and smartcard are the basis for authentication during the entire length of the session.

How to Enforce Least Privilege With CAC and PIV

Administering the BeyondTrust PowerBroker for Windows solution for least privilege enforcement does not require integration with CAC or PIV cards; therefore, being CAC or PIV compliant is not relevant. PowerBroker for Windows is designed to intercept a user’s launch of an application or operating system feature and modify the security token of the application to meet the privileges required for it to operate as designed. The process requires a user to be authenticated on the asset to launch applications and that only occurs once they login locally, from remote desktop session, or even a virtual desktop environment.