Jul 23 2025
Security

How the Military Services Use Multifactor Authentication in the Field

MFA adds a layer of protection to login processes for U.S. armed forces.

The Department of Defense anticipates more than half of the planned measures identified in its zero-trust strategy will be implemented by fiscal year 2027.

According to the zero-trust roadmap the DOD released in November 2022, to receive system and resource access, organizations will require users and nonuser entities to authenticate using at least two attributes.

The proposed options include something a user knows (such as a user ID and password), an item in the user’s possession (a physical card or token) and an inherent method, commonly a biometric, that represents who the user is (such as an iris scan or face recognition).

Given the risk that phishing and other cyberattacks present, passwords alone won’t provide enough protection, says James Stanger, chief technology evangelist at CompTIA.

“The federal government — the military specifically — gets attacked a lot by systems going after identity management,” Stanger says. “There’s no magic bullet, but two-factor authentication is about as close as you can get to one.”


While users may have initially viewed multifactor authentication as an inconvenience, recent tech advancements have helped drive adoption of MFA solutions, says Bob O’Donnell, president and chief analyst at technology consulting firm TECHnalysis Research.

“We’ve had the addition in the past several years of significantly better biometrics — fingerprints, face recognition,” O’Donnell says. “A number of technologies have come together to allow the capabilities. We’ve also seen MFA support being integrated into more digital solutions. There is a much wider array of choices from commercially available systems.”

A Variety of MFA Tools

U.S. Army soldiers, civilian employees and contractors, using the Army Azure Virtual Desktop, can now turn their personal laptop, desktop or tablet into a Windows 11 virtual machine and access the Army’s network remotely.

Users log in with their Army 365 credentials; the Army can’t access personal data on the device during the encrypted transmission, and users can’t download and store government data.

In 2022, Okta introduced Okta for U.S. Military, a cloud-native identity environment built on Amazon’s AWS GovCloud for DOD Controlled Unclassified Information data, which requires Impact Level Four protection.

Users with or without a Common Access Card — the standard ID for uniformed, active-duty service personnel, which provides building and DOD computer system entry — can securely access mission-relevant resources across different platforms and devices, Okta says.


In addition to the CAC, military branches may use other physical hardware items, such as RSA tokens, to secure sensitive and critical networks, says Forrester Senior Analyst Carlos Rivera, who previously served in the Air Force.

“It’s something you keep on you all the time,” Rivera says. “Nobody else can see or access this PIN; only you can. When you’re getting access, there’s less chance of it being compromised, unless the card is lost or stolen.”

Like the CAC, Yubico’s YubiKey physical hardware device — which the company says has been implemented within the Army, Navy, Air Force and Marines — doesn’t require a Wi-Fi connection to work. Compatible apps such as Microsoft Authenticator and Google Authenticator store a large number of keys and codes so they’re ready for use, Stanger says.

“The YubiKey does updates every so often, so you really don’t need that kind of connectivity,” he says. “There’s nothing wrong with having physical devices you hold that are separate; what if your mobile phone doesn’t have connectivity where you are?”

Using Unique Login Conditions

With work that can encompass both field operations and sensitive information, enabling secure remote access can be an important but complicated target for the armed services.

“With the Navy, you’ve got submarines that are often off the grid,” Stanger says. “The Marines are often in very rough-and-ready environments.”

Hackers have also shown an interest in disrupting command and control capabilities in military situations. “They’re looking to behead a particular effort or a military implementation and make it difficult to communicate, get certain things done or make good decisions,” he says.

As an Air Force combat communication specialist handling warfighter network-related voice services, Rivera’s deployments ranged from supporting ad-hoc missions for more than a year to tactical short-term special operation scenarios.

MFA can potentially be used to help the armed services meet today’s fast-paced mobile warfighting needs, letting them set up access to resources quickly and, in unfriendly environments where a base could be overrun, make a speedy exit, Rivera says.

“That’s where multifactor authentication can come into play,” he says. “As long as technical equipment is set up, as soon as the satellite signal is grabbed, it’s a zero-trust provisioning kind of thing. Users can just access the resources they need, based on the mission. You’re authenticated for that time frame, and that’s it.”

The Importance of Infrastructure Planning

Deploying MFA solutions as part of a zero-trust architecture may present certain challenges, such as a need to upgrade older systems to support the technology, Stanger says. Determining how to introduce the functionality can also be critical.

“There are unknown situations; for example, they realize there’s a department or set of troops we didn’t anticipate,” he says. “A lot of these rollouts take much longer than you’d think because folks have exceptions that were not discussed in the vendor or high-level software rollout meeting.”

A growing interest in identity management has “bubbled up over the past several years and clearly has a lot of value in the military,” O’Donnell says. Utilizing a centralized solution can allow the armed services to provide single sign-on privileges, which could prevent MFA measures from feeling cumbersome.

“The goal is to reduce the level of friction users experience,” Rivera says. “You want to create a centralized single source of truth and leverage the multifactor authentication assigned by the organization. Army personnel accessing an Air Force network should be a seamless process; it should just carry over the identity that was already defined within the Army architecture.”

External parties’ authentication practices are another consideration. The DOD Cybersecurity Maturity Model Certification program, established in October 2024, requires defense contractors and subcontractors the department works with to meet certain security criteria, based on the type of Controlled Unclassified Information and other items they’ll be handling.

“They need to have a measure of multifactor authentication in place,” Rivera says. “That’s the DOD’s way of making sure it holds that workforce accountable for meeting the same level of requirements and security the DOD has to apply.”

Ideally, he says, other parties’ access to DOD data should have an expiration date.

“You’re starting to see more commercial off-the-shelf support in DOD work,” Rivera says. “These tools integrate with an identity access management provider to create more granular policies.”

Photography by Rick Dahms