Mobile CAC: Your Options for iPhone and Android
Can you use your CAC on a smartphone? The short answer is “it depends.” Mobile CAC access has improved significantly, but it’s still not as seamless as desktop authentication. This guide covers what works, what doesn’t, and what to expect when accessing DoD resources from your mobile device.
The Current State of Mobile CAC
DoD has been pushing derived credentials as the primary mobile authentication method. Instead of physically connecting your CAC to your phone, derived credentials store a cryptographic certificate on your device that’s linked to your CAC identity.
The Purebred app manages derived credentials for DoD. It works with approved mobile device management (MDM) solutions and is the official path forward for mobile CAC authentication. However, Purebred requires organizational deployment—you can’t just download it from the App Store.
If your organization hasn’t deployed Purebred, your options become more limited.
iPhone CAC Options
Derived Credentials (Purebred): If your organization supports it, this is the cleanest solution. Credentials are stored in the iPhone’s secure enclave, and supported DoD apps can authenticate without additional hardware.
Lightning/USB-C CAC Readers: Hardware readers that connect to your iPhone do exist. Products like the Thursby SubRosa or Identiv uTrust work with specific DoD applications. However, support is app-dependent—Safari won’t magically support CAC with a connected reader.
For these to work, you need:
- A compatible reader with a Lightning or USB-C connector
- Apps specifically coded for smart card reader support
- Proper DoD certificates installed in the app or iOS keychain
General web browsing with CAC on iPhone remains limited. Most users find that derived credentials or a laptop are more practical than fighting with hardware readers.
Android CAC Options
Android offers more flexibility due to its USB OTG (On-The-Go) support, which allows standard USB devices to connect via adapter.
USB OTG with Standard Readers: You can connect an SCR3310 or ACR39U to Android using a USB-C OTG adapter. Android recognizes these as USB smart card readers natively. However, app support varies—Chrome on Android doesn’t support smart card authentication like desktop Chrome does.
Specific DoD Apps: Some DoD mobile apps are built with smart card reader support. Check with your organization’s mobility team about which apps support connected CAC readers.
Samsung DeX: Some Samsung devices in DeX mode provide a more desktop-like experience where CAC readers work more reliably with supported applications.
Derived Credentials: Purebred is available for Android and remains the recommended approach when organizationally supported.
What Works Well on Mobile
Email (with derived credentials): Apps like BlackBerry Work, MobileIron Email, and Microsoft Outlook (when properly configured) support CAC-based or derived credential authentication for DoD email.
Organization-specific apps: Many DoD organizations deploy custom apps that include CAC or derived credential support. Check your organization’s app catalog.
VPN access: Some VPN clients support smart card or derived credential authentication, enabling secure access to DoD networks from mobile devices.
What Doesn’t Work Well
General web browsing: Accessing arbitrary DoD PKI-enabled websites from mobile browsers with CAC authentication is problematic. Most mobile browsers lack smart card support.
Desktop site functionality: Even if you can authenticate, many DoD websites aren’t optimized for mobile and may be unusable on phone screens.
Plug-and-play experience: Don’t expect to buy a reader, connect it, and have everything work. Mobile CAC requires specific apps and configuration.
Setting Realistic Expectations
Mobile CAC is best viewed as a supplement to desktop access, not a replacement. For quick email checks or specific mobile-optimized applications, it works. For full DoD website access or complex transactions, use a laptop.
If mobile access is critical for your mission, work with your organization’s IT department to deploy derived credentials properly. Ad-hoc solutions with hardware readers are frustrating and unreliable for daily use.
Security Considerations
Your phone is more likely to be lost or stolen than your CAC. Derived credentials include protections—device PIN required, remote wipe capability—but understand the risk profile differs from traditional CAC usage.
If you use a hardware reader with a mobile device, treat the phone + reader + CAC combination with the same security posture as a laptop with CAC inserted. Don’t leave them unattended together.
Mobile CAC access continues to evolve. Check with your organization periodically for new supported solutions—what doesn’t work today may be supported next year as DoD mobility initiatives mature.