Yubico and Straxis enable secure access to protected DOD websites and services

Yubico and Straxis launched a new Secure Web browsing application called MilSecure Mobile. This application can be adopted by any Defense Department (DOD) organization to enable secure access to protected DOD websites and services by service members and government employees on their personal mobile devices using the new YubiKey Secure Web feature.

The United States Air Force will be the first military service to integrate the Secure Web feature into its Air Force Connect mobile app, which was launched in 2019. The integration of the Secure Web feature will be a needed upgrade to modernize its authentication technologies and practices.

“Two-factor authentication with CAC-derived credentials is the next logical step in making the Air Force Connect mobile app more useful for Airmen,” said Bob Everdeen, chief of Air Force public web. “I’m excited to see the results from the current round of enhancements of this important, next-level feature.”

Yubico and Straxis have been working together since 2019 to create a secure web browsing experience to ensure that servicemembers’ sensitive information is protected by using a seamless login process.

“Enabling and optimizing the workforce, especially the warfighters and those conducting exercises, deployment missions, and domestic military operations has been a priority for Yubico,” said Alex Antrim, Yubico senior solutions engineer and retired Navy Senior Chief Petty Officer. “By leveraging YubiKeys with MilSecure Mobile on personal mobile phones, this announcement reinforces the goal to enable secure access to the U.S. DOD websites – whether that’s stopping for gas, traveling to the next duty station or when service members are not in their office.”

YubiKeys support multiple phishing-resistant authentication protocols such as FIDO2/WebAuthn, U2F and Smart Card (PIV), offering a bridge to passwordless authentication for enterprises and government agencies of all sizes. The YubiKey FIPS Series is approved to be provisioned with Purebred derived credentials.

A first of its kind MilSecure Mobile app with YubiKey Secure Web browsing feature, users will benefit by being able to securely authenticate into DOD Common Access Card (CAC)-enabled sites while on the go with their own personal devices to perform tasks such as viewing DOD email, human resources information, and medical applications to move necessary workflow impacting communication, mission and medical readiness requirements that positively impact being able to balance personal, professional, family and military worklife, and personnel retention.

MilSecure Mobile highlights include:

• Secure browsing support with CAC derived credential and PIN authentication using a YubiKey
• Customizable library of DOD URL web services and interface without additional user configuration
• Unit-level Content Management System to customize URL web services listings
• Pre-loaded Root and Intermediate DOD certificates for CAC-enabled website trust
• Built-in certificate management to support shared devices
• Support for Lightning, USB C, and Near Field Communication (NFC) connectivity
• Available for Android and iOS smartphones and tablets

“Since mobile phone operating systems do not have native, built-in Smart Card support, it makes it difficult for military service members to securely access DOD web services on mobile devices,” said Jason Christensen, lead developer, Straxis. “By partnering with Yubico on the Secure Web feature, we’re able to solve this by deploying MilSecure Mobile.”

Legacy forms of MFA, such as SMS and one-time passcodes (OTP), in conjunction with the continual rise of AI-based phishing, are proving to be an easy target that are vulnerable to cyber attacks.

While the U.S. DOD has traditionally relied on the CAC Smart Card form factor to hold DOD-issued certificates to authenticate to systems and web services, service members utilizing modern ways of working and personal devices to securely access DOD resources can do so with phishing-resistant multi-factor authentication technology using the YubiKey in a secure and simple way, while eliminating the need for external Smart Card readers and/or peripherals.

The MilSecure Mobile app leverages YubiKey’s modern phishing-resistant MFA to ensure Secure Web browsing is in place to protect its users.

“When I was a drilling Reservist, I struggled with using my Common Access Card with my modern smart phone to access U.S. military email, MyPay, and Defense Travel websites when not in a drilling status,” Antrim continued. “I was able to provision a FIPS YubiKey with DOD certs so I could access my email on my phone and made it easier to use my personal laptop to access DOD websites as well.”