by rkeene2 1116 days ago
... do you think that's the only way it applies? Did you read it?

It says that no other method of authentication to US Government (exempting specifically national security systems) except for the approved method may be used. Since there are no passwords in the list of strong authenticators, it's not permitted.

Here are the relevant sections pieced together so you can't miss it:

Note "Mandatory"

> establishing a mandatory, Government-wide standard for secure and
> reliable forms of identification issued by the Federal Government
> to its employees and contractors (including contractor employees)

Note that the definition of the phrase used above excludes passwords:

> "Secure and reliable forms of identification" for purposes of this
> directive means identification that (a) ...; (b) is strongly resistant
> to identity fraud, tampering, counterfeiting, and terrorist exploitation;

This is the part that says they have 8 months after the August publication of HSPD-12 to comply with the above, and specifically for US Government computers (called Information Systems).

> As promptly as possible, but in no case later than 8 months after the
> date of promulgation of the Standard, the heads of executive departments
> and agencies shall, to the maximum extent practicable, require the use
> of identification by Federal employees and contractors that meets the Standard
> in gaining [...] logical access to Federally controlled information systems.
> Departments and agencies shall implement this directive in a manner
> consistent with ongoing Government-wide activities, policies and
> guidance issued by OMB, which shall ensure compliance.

So, upon... actually reading HSPD-12, there's no interpretation that can be made where passwords are permitted to access unclassified systems... aka, my original statement.

You are wrong.