The information in this post is taken from the summary of this year’s Biometrics Institute Industry Survey and is presented under the following authority:
“You are welcome to use the information from this survey with a reference to its source, Biometrics Institute Industry Survey 2025. The full report, slides and graphics are available to Biometrics Institute members.”
But even the freebie stuff is valuable, including this citation of two concerns expressed by survey respondents:
“Against a backdrop of ongoing concerns around deepfakes, 85% agreed or agreed strongly that deepfake technology poses a significant threat to the future of biometric recognition, which was similar to 2024. “And two thirds of respondents (67%) agreed or agreed strongly that supervised biometric capture is crucial to safeguard against spoofing and injection attacks.”
IAL3 requires “[p]hysical presence” for identity proofing. However, the proofing agent may “attend the identity proofing session via a CSP-controlled kiosk or device.” In other words, supervised enrollment.
Now remote supervised enrollment and even in-person supervised enrollment is not a 100.00000% guard against deepfakes. The subject could be wearing a REALLY REALLY good mask. But it’s better than unsupervised enrollment.
Back in 2002, when I was an automated fingerprint identification system (AFIS) product manager at Motorola, another fingerprint company, Identix, made an announcement.
“Identix Inc. and Visionics Corp. announce a strategic merger of equals in an all-stock transaction valued at approximately $600 million.”
The word “synergy” was tossed about, justifiably. You see, while Identix had a long history with fingerprints, Visionics had a long history with facial recognition. So the new combined company would offer both fingerprint and face biometrics, something new for the time. So new that Visionics’ chairman and CEO, Dr. Joseph Atick, made the following statement:
“I believe this merger of equals is one of the most significant events in the history of the biometrics industry to date.”
One little footnote: the acquisition brought fingerprint provider Identix and its chief competitor Digital Biometrics into the same company, since Visionics had acquired Digital Biometrics in 2001.
Viisage plus TDT
Let’s, um, face it: the combined company (known as Identix) was positioned well against Visionics’ chief competitor, a company called Viisage.
“In February, it bought Trans Digital Technologies (TDT), which supplies the digital printing system for U.S. passports, for $50 million in cash and stock. Last year, the Arlington, Va.-based TDT landed a five-year, $65 million contract extension with the U.S. State Department for the passport system.”
Which prompted Bernard Bailey, Viisage’s president and CEO, to declare that the acquisition of TDT was:
“…the single most important transformational event in Viisages history.”
So who was the true visionary: Atick, or Bailey? Or maybe someone else we haven’t mentioned yet?
Identix and Viisage…and all the other companies
While Identix and Visionics had some pretty significant components, neither could claim to be a true identity leader. Both companies not only had to compete against the traditional AFIS providers including Sagem Morpho and Motorola, but also against other identity providers. Take Digimarc, which beefed itself up considerably by acquiring Polaroid’s driver’s license business in 2001.
So by 2004, my Motorola “Biometric Business Unit” was competing against a bunch of companies, including:
One of our traditional AFIS competitors, Sagem Morpho.
Identix, including Visionics and Digital Biometrics.
Sagem Morpho and Motorola’s Biometric Business Unit would be a Safran subsidiary called MorphoTrak (with some international pieces tossed over into a division that would subsequently be renamed Morpho).
The others (L-1 plus Digimarc’s driver’s license business, acquired in 2008) would be a Safran subsidiary called MorphoTrust.
“The new Sophos logo nods to our history, but it’s reimagined with a shield that represents our defense against cyberattacks. Inside that shield lives the dual strength of Sophos: AI-native technology and world-class human expertise. Together, they create unmatched defense that adapts as fast as threats evolve.”
Oh, and the consultation:
“Our partners are core to our success, and their feedback on the rebrand has been energizing…”
My bet is that Sophos will not have to withdraw this logo, like another logo change that was recently reversed.
We’re all familiar with the morphing of faces from subject 1 to subject 2, in which there is an intermediate subject 1.5 that combines the features of both of them. But did you know that this simple trick can form the basis for fraudulent activity?
Back in the 20th century, morphing was primarily used for entertainment purposes. Nothing that would make you cry, even though there were shades of gray in the black or white representations of the morphed people.
Godley and Creme, “Cry.”
Michael Jackson, “Black or White.” (The full version with the grabbing.) The morphing begins about 5 1/2 minutes into the video.
But Godley, Creme, and Jackson weren’t trying to commit fraud. As I’ve previously noted, a morphed picture can be used for fraudulent activity. Let me illustrate this with a visual example. Take a look at the guy below.
From NISTIR 8584.
Does this guy look familiar to you? Some of you may think he kinda sorta looks like one person, while others may think he kinda sorta looks like a different person.
The truth is, the person above does not exist. This is actually a face morph of two different people.
From NISTIR 8584.
Now imagine a scenario in which a security camera is patrolling the entrance to the Bush ranch in Crawford, Texas. But instead of having Bush’s facial image in the database, someone has tampered with the database and inserted the “Obushama” image instead…and that image is similar enough to Barack Obama to allow Obama to fraudulently enter Bush’s ranch.
Or alternative, the “Obushama” image is used to create a new synthetic identity, unconnected to either of the two.
But what if you could detect that a particular facial image is not a true image of a person, but some type of morph attempt? NIST has a report on this:
“To address this issue, the National Institute of Standards and Technology (NIST) has released guidelines that can help organizations deploy and use modern detection methods designed to catch morph attacks before they succeed.”
The report, “NIST Interagency Report NISTIR 8584, Face Analysis Technology Evaluation (FATE) MORPH Part 4B: Considerations for Implementing Morph Detection in Operations,” is available in PDF form at https://doi.org/10.6028/NIST.IR.8584.
And a personal aside to anyone who worked for Safran in the early 2010s: we’re talking about MORPH detection, not MORPHO detection. I kept on mistyping the name as I wrote this.
Have you ever used the phrase “sort of unique”? Something is either unique or it isn’t. And International Mobile Equipment Identity (IMEI) numbers fail the uniquness test.
Claims that International Mobile Equipment Identity (IMEI) numbers are unique
Here’s what a few companies say about the IMEI number on each mobile phone. Emphasis mine.
Thales: “The IMEI (International Mobile Equipment Identity) number is a unique 15-digit serial number for identifying a device; every mobile phone in the world has one.”
Verizon: “An IMEI stands for International Mobile Equipment Identity. Think of it as your phone’s fingerprint — it’s a 15-digit number unique to each device.”
Blue Goat Cyber: “In today’s interconnected world, where our smartphones have become an indispensable part of our lives, it is essential to understand the concept of IMEI – the International Mobile Equipment Identity. This unique identifier plays a crucial role in various aspects of our mobile devices, from security to tracking and repairs.”
These and other descriptions of the IMEI prominently use the word “unique.” Not “sort of unique,” but “unique.”
Which means (for non-person entities, just like persons) that if someone can find a SINGLE reliable instance of more than one mobile phone having the same IMEI number, then the claim of uniqueness falls apart completely.
Examples of non-uniqueness of IMEI numbers on mobile phones
“In theory, hackers can clone a phone using its IMEI, but this requires significant effort. They need physical access to the device or SIM card to extract data, typically using specialized tools.
“The cloning process involves copying the IMEI and other credentials necessary to create a functional duplicate of the phone. However, IMEI number security features in modern devices are designed to prevent unauthorized cloning.”
So don’t claim an IMEI is unique when there is evidence to the contrary. As I said in my April post:
“NOTHING provides 100.00000% security. Not even an IMEI number.”
What does this mean for your identity product?
If you offer an identity product, educate your prospects and avoid unsupportable claims. While a few prospects may be swayed by “100%” claims, the smarter ones will appreciate more supportable statements, such as “Our facial recognition algorithm demonstrated a 0.0022 false non-match rate in the mugshot:mugshot NIST FRTE 1:1 laboratory testing.”
When you are truthful in educating your prospects, they will (apologizes in advance for using this overused word) trust you and become more inclined to buy from you.
If you need help in creating content (blog posts, case studies, white papers, proposals, and many more), work with Bredemarket to create the customer-focused content you need. Book a free meeting with me.
On the long-standing debate on the mix between automation and manual operations, here’s what the Cyber Security Hub says:
100+ AI security startups claim they can replace Tier 1 and Tier 2 SOC analysts with 24/7 LLMs. They promise AI can triage, detect, and respond—no humans needed.
But here’s the reality:
AI tools hallucinate and miss context
Custom attacks slip by without human insight
Escalations stall when no one’s validating alerts…
…This isn’t about rejecting AI. It’s about using it wisely—and never cutting people out of the loop.
“We convince ourselves to hold on just a little longer, to give one more chance, to extend one more ounce of patience. We hope things will change, that people will appreciate us, that circumstances will finally shift in our favor. But sometimes, despite our best efforts, the change never comes.
“That’s when the lesson arrives—not in a single, dramatic flash, but in a quiet realization: I deserve better than this. I deserve to feel seen, valued, respected.”
Bredemarket 