ePassport vs CAC

ePassport vs CAC (Common Access Card)

An ePassport and a CAC card are both government-issued smart card credentials with biometric data and cryptographic security — but their purposes, data models, and trust ecosystems are entirely non-overlapping. The ePassportePassportApplicationPassport with embedded contactless chip.Click to view → is a travel document for border crossing; the CACCACIdentityUS DoD identification smart card.Click to view → is a workforce credential for DoD system access.

Overview

ePassport (ICAO Doc 9303) is a paper-and-plastic passport booklet with an embedded contactless chip (ISO 14443ISO 14443StandardStandard for contactless smart cards.Click to view →) storing biometric data: a facial image (mandatory), and optionally fingerprints and iris scans. The chip is protected by Basic Access Control (BACBACApplicationePassport security using MRZ data.Click to view →) or the stronger PACEPACEApplicationStrong ePassport authentication protocol.Click to view → protocol — the reader must optically scan the Machine Readable Zone (MRZ) to derive the session key before chip access is granted. The ePassport's PKI uses Passive Authentication (the issuing state signs the chip's data with its Document Signing Certificate) and Active Authentication to prove chip uniqueness. ePassports are issued to all citizens and are accepted at 195+ countries' borders.

CAC carries three PKI certificates (PIVPIVIdentityUS federal identity card standard.Click to view → Auth, Email Sign, Email Encrypt), a CHUID, barcode, and magnetic stripe. The CAC does not carry biometric data on the chip in the same sense as an ePassport — it carries facial image data for visual verification, but biometric matching is not performed by the card. The CAC's trust chain is the DoD PKI (DoD Root CA → Intermediate CAs), accepted only within DoD and connected federal systems. CAC is issued to ~3 million active users.

Key Differences

• Physical form: ePassport is a booklet; CAC is an ISO card-1 plastic card
• Interface: ePassport uses ISO 14443 contactless only; CAC uses ISO 7816ISO 7816StandardPrimary standard for contact smart cards.Click to view → contact (primary) and optionally contactless for physical access
• Biometric data: ePassport stores ICAO LDS biometric data groups (face, fingerprints); CAC does not store biometrics in ICAO format on chip
• Access control: ePassport chip requires BAC/PACE (MRZ-derived key) to prevent covert reading; CAC requires PIN for PKI operations
• Global acceptance: ePassport is accepted at all ICAO member state borders; CAC is accepted only at DoD facilities and systems
• Purpose: ePassport proves travel identity and citizenship; CAC proves DoD affiliation and enables logical/physical access
• PKI structure: ePassport uses ICAO CSCA/DSC hierarchy; CAC uses DoD PKI

Use Cases

ePassport is used for:

• International border crossing at automated eGate kiosks
• Identity verification for immigration processing
• Visa application submission (biometric data sharing under bilateral agreements)
• Consular services abroad

CAC is used for:

• Physical access to DoD facilities
• Login to DoD networks (NIPR, SIPR via Common Access Card reader)
• DoD email signing and encryption
• Contractor system access and procurement portals

Verdict

ePassport and CAC are parallel credentials with no functional overlap. A US service member travelling internationally carries both: the ePassport for border crossing and the CAC for base access and network login. Comparing them is akin to comparing a driving licence to a company ID badge — both are ID documents, but they operate in entirely different trust ecosystems with no interoperability by design.