More than 5.4 million Personal Identity Verification (PIV) and Common Access Cards (CAC) have been deployed to US government employees and contractors. These cards allow physical access to federal facilities, but their use to authenticate logical access to government information systems is uneven, with deployment rates across agencies ranging from 0 to 95 percent. Surveys of US Departments of Defense and Commerce employees show that using these smart cards for two-factor authentication results in improved usability and security. The authors argue that public-key infrastructure-based systems are likely to provide more secure and more usable authentication than other two-factor approaches, including combining strong passwords with a physical token such as a cell phone or time-based hardware identity device.