E-Signing with Smart Cards in U.S. Government Agencies
When it comes to privacy and security of data, US government agencies use a Common Access Card (CAC) or a Personal Identity Verification Card (PIV) to manage access and authenticate government employees. Roughly the size of a credit card, CAC and PIV smart cards store data such as digital certificates, biometric information, photo, expiration date, government agency and department, and other information that identifies the smart card holder. When authenticating or accessing information, the government agency employee inserts their smart card in a card reader to securely authenticate themselves.
History of CAC and PIV Smart Cards
In the late 1990’s, Congress directed the Secretary of Defense to implement an Identity Management System for the Department of Defense (DoD) that would increase security and efficiency. A set of credentials was created whereby identity can easily be managed across all agencies which led to the creation of the Common Access Card (CAC). The CAC Card quickly became the standard and was issued to Active Military, DoD and contractors to the Government. The CAC then transitioned from a basic card to one leveraging Public Key Infrastructure (PKI), based on cryptography.
Around 2006, the Homeland Security Presidential Elective 12 (HSPD-12) was introduced, which provides guidance on how to implement the newly introduced Federal Information Processing Standard 201 (FIPS-201). Basically, this standard takes Identity Management to a new level, including provisions for cashless transaction.
This new standard is known today as a Personal Identity Verification Card (PIV). While these cards present some challenges to use (i.e.: using a card reader attached to every device you use), initiatives are underway to implement Soft Certificates, allowing for Derived Credentials. The Derived Credentials can be stored directly into a government issued device such as smartphones or tablets, eliminating the need to use the physical card.
E-Signing with CAC and PIV Smart Cards
OneSpan Sign is used by hundreds of government organizations including the US Army and the US Joint Chiefs of Staff. More than 1.6 million government users routinely e-sign forms and documents using a digital certificate that is stored on their CAC or PIV smart cards.
Government agencies are leveraging issued CAC and PIV smart cards to e-sign documents for many use cases such as e-contracting, procurement, Finance, and HR, just to name a few. As an example, USDA employees e-sign documents daily by simply inserting their LincPass smartcard into a slot on their keyboard or laptop. They then enter a 6-8 digit PIN. Once successfully authenticated, they can apply their e-signature to documents.
Here’s how it works:
E-Signing with CAC and PIV Smart Cards can be completed by following these easy steps:
- Insert your CAC or PIV card into your laptop, mobile device or smart card reader
- Access the document that requires your e-signature within OneSpan Sign
- When the document is displayed and ready to be signed, click the signature block then confirm your signature.
- The Certificate Selection dialog box appears. Select the appropriate certificate from the list. If prompted, enter a PIN code associated to the selected certificate. Once the PIN is confirmed, OneSpan Sign generates a hash of your information at the time of signing (name, date, time, IP address, certificate used to sign the document), along with a unique hash of the document itself. The result is a secure, tamper-sealed e-signed PDF with a detailed audit trail embedded directly into the document. What’s more, full non-repudiation of a signer using their smart card to e-sign documents in OneSpan Sign is guaranteed.
Check out the video tutorial below to see how you can easily e-sign documents with smart cards in OneSpan Sign. Download the whitepaper to learn more about other user authentication options available in OneSpan Sign.
Video: How to E-Sign Documents Using Smart Cards in OneSpan Sign