Avoid CAC Lockout

in CAC 7 min read

Understanding CAC Lockouts

A Common Access Card (CAC) lockout is one of the most frustrating experiences for military personnel and DoD civilians. When your CAC becomes locked, you lose access to DoD networks, email, and secured facilities until the issue is resolved. Understanding how lockouts happen and how to prevent them can save you significant time and hassle.

Security Padlock on Keyboard

How CAC Lockouts Happen

CAC lockouts occur when incorrect PIN attempts exceed the allowed threshold. The most common scenarios that lead to lockouts include:

  • Forgotten PIN: After leave, TDY, or extended time away from DoD systems, users sometimes forget their PIN
  • Muscle Memory Errors: Typing a previous PIN or a PIN from another card or account
  • Keyboard Issues: Caps Lock enabled, sticky keys, or number pad problems causing incorrect entries
  • Someone Else’s CAC: Accidentally using a spouse’s or colleague’s CAC with your PIN
  • System Glitches: Occasionally, system errors count failed attempts incorrectly
  • Rushed Entry: Quickly typing the wrong PIN under pressure or distraction

PIN Retry Limits and Consequences

Your CAC has strict security measures built into the chip itself:

Three-Strike Rule

You have exactly three attempts to enter your PIN correctly. After three consecutive incorrect attempts, your CAC becomes locked. This is a hardware-level lock stored on the card’s chip, not a network-based lock.

What Gets Locked

  • Digital Certificates: Your PIV authentication and email signing certificates become inaccessible
  • Building Access: Facilities using CAC for physical access will deny entry
  • Network Logon: Windows CAC logon and VPN authentication fail
  • Email Access: Encrypted and signed email becomes unavailable

What Still Works

The physical card information (photo, name, rank) remains visible, and barcode-based systems may still function. However, all certificate-based authentication is completely disabled.

What to Do When Locked Out

If your CAC becomes locked, take the following steps:

Immediate Actions

  1. Stop Trying: Do not continue attempting PIN entries. Additional attempts won’t help and may complicate resolution.
  2. Document the Time: Note when the lockout occurred for your records and potential security review.
  3. Notify Your Supervisor: Inform your supervisor or security manager, especially if you have time-sensitive work requiring CAC access.
  4. Use Alternate Access: If available, use a temporary visitor badge for building access while resolving the issue.

Don’t Panic

A CAC lockout is inconvenient but not a security incident. It happens to many people and there’s a straightforward resolution process.

DEERS Office Procedures for Unlock

The Real-time Automated Personnel Identification System (RAPIDS) offices handle CAC PIN resets. Here’s what to expect:

Finding Your RAPIDS Office

  • Use the RAPIDS Site Locator at the ID Card Office Online website
  • Many military installations have multiple RAPIDS locations
  • Some offices require appointments while others accept walk-ins
  • Verify hours of operation before visiting, as some locations have limited schedules

What to Bring

  • Your locked CAC (required)
  • A second form of government-issued photo ID (driver’s license, passport)
  • If possible, documentation showing you’re the card owner

The Reset Process

  1. Check in at the RAPIDS office and explain you need a PIN reset
  2. Present your locked CAC and secondary ID
  3. The operator will verify your identity in DEERS
  4. Your PIN retry counter will be reset, allowing new PIN attempts
  5. You’ll choose a new 6-8 digit PIN
  6. Test your new PIN before leaving the office

Processing Time

The actual PIN reset takes only a few minutes once you’re with an operator. However, wait times vary significantly by location and time of day. Expect 15 minutes to 2 hours total depending on office traffic.

Preventing Future Lockouts

Take these proactive steps to avoid future CAC lockouts:

PIN Management Best Practices

  • Choose a Memorable PIN: Select a PIN you can remember without writing it down, but avoid obvious patterns like birthdays or 123456
  • Practice Regularly: If you don’t use your CAC frequently, periodically verify you remember the PIN
  • One Attempt at a Time: If your first attempt fails, stop and carefully verify your PIN before the second attempt
  • Check Your Environment: Verify Caps Lock is off, and watch your keystrokes carefully

The Two-Strike Safety Rule

If you’ve entered your PIN incorrectly twice:

  1. Stop immediately
  2. Write down what you think your PIN is
  3. Try to verify through another method (if you have it stored securely)
  4. Consider visiting RAPIDS for a proactive reset rather than risking the third attempt

Multiple CAC Holders

If your household has multiple CAC holders (military couples, etc.):

  • Keep CACs in separate, clearly marked locations
  • Never try your PIN in someone else’s CAC
  • Consider using different-colored card holders for easy identification

Self-Service Unlock Options

While most lockouts require a RAPIDS visit, some organizations offer limited self-service options:

  • Kiosk Systems: Some installations have ID card kiosks that can perform PIN resets after biometric verification
  • Enterprise Solutions: Certain DoD agencies have implemented web-based PIN reset capabilities for their personnel
  • Mobile Verification: Emerging technologies may allow PIN resets through verified mobile devices

Check with your local IT security office to learn what self-service options may be available at your installation.

Emergency CAC Replacement Procedures

In some situations, a PIN reset isn’t sufficient or possible, requiring emergency CAC replacement:

When Replacement Is Needed

  • CAC chip is physically damaged
  • Card is lost or stolen (lockout is the least of concerns)
  • Certificate errors persist after PIN reset
  • Card is approaching expiration during the lockout period

Emergency Replacement Process

  1. Report the issue to your security manager
  2. Obtain command authorization for emergency reissue if required
  3. Visit RAPIDS with appropriate documentation
  4. Complete the full CAC issuance process (photo, fingerprints, certificates)

Temporary Credentials

While awaiting CAC replacement or during extended RAPIDS wait times, your security office may issue:

  • Temporary building access badges
  • Username/password credentials for critical systems
  • Letters authorizing alternative identification

Key Takeaways

Avoiding CAC lockout comes down to careful PIN management and knowing when to stop:

  • You have only three PIN attempts before lockout
  • After two failures, stop and verify before the third attempt
  • RAPIDS offices can reset your PIN – locate yours in advance
  • Choose a memorable but secure PIN and practice it regularly
  • Keep household CACs clearly separated to prevent confusion
John Bigley

John Bigley

Author & Expert

John Bigley is an electrical engineer and EV enthusiast who has been driving electric vehicles since 2015. He has installed over 200 home charging stations across the Pacific Northwest and consults on commercial EV infrastructure projects.

66 Articles
View All Posts

You Might Also Like

Subscribe for Updates

Get the latest articles delivered to your inbox.