The Pandora’s Box of the “passwords are dead” movement

I’ve previously commented on the “passwords are dead” movement, and why I don’t agree that passwords are dead. But I recently realized that the “logic” behind the “passwords are dead” movement could endanger ALL forms of multi-factor authentication.

If I may summarize the argument, the “passwords are dead” movement is based upon the realization that passwords are an imperfect authentication method. People use obvious passwords, people re-use passwords, individuals don’t guard their passwords, and even companies don’t guard the passwords that they store. Because of these flaws, many passwords have been compromised over the years.

From this indisputable fact, the “passwords are dead” advocates have concluded that the best thing to do is to refrain from using passwords entirely, and to use some other authentication method instead (choosing from the five authentication factors).

In my spiral of people connections, the most frequently suggested replacement for passwords is biometrics. As a biometric content marketing expert and a biometric proposal writing expert, I’m certainly familiar with the arguments about the wonderfulness of biometric authentication.

But wait a minute. Isn’t it possible to spoof biometrics? And when a biometric is compromised, you can’t change your finger or your face like you can with a compromised password. And the Internet tells me that biometrics is racist anyway.

So I guess “biometrics are dead” too, using the “passwords are dead” rationale.

And we obviously can’t use secure documents or other “something you have” modalities either, because “something you have” is “something that can be stolen.” And you can’t vet the secure document with biometrics because we already know that biometrics are spoofable and racist and all that.

So I guess “secure documents are dead” too.

Somewhere you are? Yeah, right. There are entire legitimate industries based upon allowing someone to represent that they are in one place when in fact they are in another place.

So I guess “geolocation is dead” too.

You see where this leads.

NO authentication method is perfect.

But just because an authentication method has imperfections doesn’t mean that it should be banned entirely. If you open the Pandora’s Box of declaring imperfect authentication methods “dead,” there will be NO authentication methods left.

Epimetheus opening Pandora’s Box. By Giulio Bonasone – This file was donated to Wikimedia Commons as part of a project by the Metropolitan Museum of Art. See the Image and Data Resources Open Access Policy, CC0, https://commons.wikimedia.org/w/index.php?curid=60859836

And before talking about multi-factor authentication, remember that it isn’t perfect either. With enough effort, a criminal could spoof multiple factors to make it look like someone with a spoofed face and a spoofed driver’s license is physically present at a spoofed location. Of course it takes more effort to spoof multiple factors of authentication…

…which is exactly the point. As security professionals already know, something that is harder to hack is less likely to be hacked.

“I don’t want to say multi-factor is terrible. All things considered, it is generally better than single-factor and we should strive to use it wherever it makes sense and is possible. However, if someone tells you something is unhackable, they’re either lying to you or dumb.”

And heck, be wild and throw a strong password in as ONE of the factors. Even weak passwords of sufficient length can take a long time to crack, provided they haven’t been compromised elsewhere.


Luckily, my experience extends beyond biometrics to other authentication methods, most notably secure documents and digital identity. And I’m familiar with multi-factor authentication methods that employ…well, multiple factors of authentication in various ways. Including semi-random presentation of authentication factors; if you don’t know which authentication factors will be requested, it’s that much harder to hack the authentication process.

Do you want to know more? Do you need help in communicating the benefits of YOUR authentication mechanism? Contact me.

Something I wrote elsewhere about the biometric systems development lifecycle

One of my non-Bredemarket blogs is JEBredCal, and I recently wrote something on that blog entitled “The biometric systems development lifecycle.”

By Horst59 – Own work, CC BY-SA 4.0, https://commons.wikimedia.org/w/index.php?curid=64233808

The post describes several steps in the lifecycle, including:

  • Strategic/market assessment.
  • Product release definition and development.
  • Capture and proposal strategy.
  • Contract negotiation.
  • Business system requirements analysis.
  • Implementation.
  • Operation.
  • End of life.

At each stage, there are decisions that you need to make regarding whether you will pursue something, or instead choose NOT to pursue it.

  • Does it make sense to pursue this market? As Peter Kirkwood notes, sometimes you SHOULDN’T pursue a market.
  • Does it make sense to release this product? Again, maybe not.
  • Does it make sense to bid on this Request for Proposal? Again, maybe not. Especially if the opportunity cost of bidding on a low-PWin opportunity instead of another opportunity is high.

No, a “no” decision doesn’t mean that you stick a fork in it. The post implicitly refers to ANOTHER definition of a fork.

Case study example (that I didn’t write)

In my prior post about case studies, I observed:

Case studies are effective because they speak to the needs of the readers. The reader has a problem, and the case study tells how a similar entity solved that same problem.

After I wrote that, I happened to read this case study from Honeywell.

Making Better Business Decisions in Harris County, Texas. https://buildings.honeywell.com/us/en/solutions/case-studies/harris-county

I’ve worked with Honeywell’s customer, Harris County, Texas, but not on its security systems per se.

The case study follows a standard problem-solution format. After explaining the size and complexity of Harris County (the county where Houston is located), the problem is presented:

The problem? A lack of consistency in security products and transparency in systems used throughout the various buildings, which resulted in decreased operating efficiencies and more work for employees.

You’ll also note the use of “detriment statements,” or the reverse of benefit statements. Lack of consistency itself is NOT a detriment. More work for employees IS a detriment.

So the county called in a Texas-based integrator, ESI Fire & Security Protection, to help it solve the problem.

I don’t want to give away the ending, but if you want to find out what ESI recommended, read the rest of this case study on the Honeywell website.

And here is more information on case studies.

The DHS RFI “Minimum Standards for Driver’s Licenses and Identification Cards Acceptable by Federal Agencies for Official Purposes; Mobile Driver’s Licenses” is NOT due on June 18 (it’s now due July 30)

Back in April I wrote about a Request for Information that was issued by the Department of Homeland Security. Its title: “Minimum Standards for Driver’s Licenses and Identification Cards Acceptable by Federal Agencies for Official Purposes; Mobile Driver’s Licenses.”

The information was due to DHS on June 18 (tomorrow), and my post included a “shameless plug” offering to help companies with their responses.

No company requested my assistance.

But all is not lost, because you can STILL request Bredemarket’s assistance in composing your responses, because, according to Jason Lim, the due date has been extended.

DHS will hold a virtual public meeting on June 30, 2021 on mDL REAL ID RFI to answer questions regarding the RFI and to provide an additional forum for comments by stakeholders and other interested persons regarding the issues identified in the RFI.

DHS is also extending the comment period for the RFI by 42 calendar days to provide an additional period for comments to be submitted after the public meeting. New deadline is July 30, 2021.

If you want to register for the public meeting, click on the link at the bottom of Jason Lim’s LinkedIn post. I’ve already registered myself (the meeting starts at 7:00 am PDT, but at least I don’t have to commute to go to the meeting).

And the shameless plug still applies: if you need assistance in managing, organizing, writing, or checking your response, contact me (email, phone message, online form, appointment for a content needs assessment, even snail mail). As some of you already know, I have extensive experience in responding to RFIs, RFPs, and similar documents, and have been helping multiple companies with such responses under my Bredemarket consultancy.

Yes, Walmart IS a technology company

I recently wrote something that mentioned various technology companies, and I initially included Walmart in the list.

Initially.

The post cataloged the companies where former coworkers were now working, and I wrote it knowing that one of my former coworkers was at Walmart. Well, you don’t know what you think you know. It turns out that this former coworker is no longer at Walmart (as I write this, she is at Comcast), but I had THIS entire post written up about Walmart as a technology company. So I’m going to go ahead and post it anyway.

Technology for better living

While many of us don’t think of Walmart as a tech company, in truth it is a tech company, and technology innovations play a key part in Walmart’s corporate dominance in its markets over many other players.

Sometimes Walmart dominates so much that other stores go out of business. This is a 2011 photo of a Sears big box store with subway station in Rego Park, Queens, New York City, New York. This location closed in 2017. By Jim.henderson – Own work, CC0, https://commons.wikimedia.org/w/index.php?curid=17912322

I was first exposed to Walmart’s technology orientation many years ago, even before Walmarts began opening in earnest in Southern California. At the time I was working for a consumer goods company, and Walmart was one of my company’s customers. Obviously Walmart was a big customer, and big customers have the power to tell their suppliers what to do.

Today’s acronym is EDI

And Walmart wanted the consumer goods company to do EDI.

EDI stands for “Electronic Data Interchange,” and it offers a computerized method for two business entities to communicate business data between each other. Thus, Walmart was asking my employer to transmit data relating to our shipments of product to various Walmart stores, and Walmart incorporated this data into its internal inventory systems.

EDI has progressed a long way since I worked for that consumer goods company (the graphic above does NOT illustrate the flow that my former employer was using), but the basics remain the same.

Electronic data interchange (EDI) is a standard format for exchanging business documents. These documents are exchanged between suppliers and retailers. EDI is made up of two components: translation and communication. During the translation process, the business data is changed into a standardized EDI format.

Once the business document is translated into a standardized EDI format it is communicated (electronically sent) to the intended recipient. Just like with translation, there are various methods of EDI communications available. The method that is used by Walmart and their suppliers is AS2.

Not AS3, not AS1. AS2. Walmart is Walmart.

But not just EDI

And as you may guess, Walmart uses a number of other technologies to keep its mammoth business running. Such as blockchain.

How do you know your food is safe to eat?

This isn’t a question many of us often ask ourselves. But lately, food safety has been in the public eye: 2018 has already seen a large outbreak of E. coli in romaine lettuce and Salmonella in a number of products from eggs to breakfast cereal….

Today, Walmart and Sam’s Club sent a letter to suppliers of fresh, leafy greens asking them to trace their products all the way back to the farm using blockchain technology. Suppliers are expected to have all these systems in place by this time next year.

Again, Walmart is Walmart, and it wanted the suppliers to comply. And the suppliers had some work to do to come into compliance.

The basic requirement for those in far-flung rural areas includes a mobile device with geolocation features, so that other information such as date of harvest and size of the crop can be associated with specific coordinates. In cases where a farm might not be covered by wireless access, the information can be uploaded when there is coverage.

And yes, agriculture has moved far away from the family farm and is now accurately described by the term “agribusiness,” but I’m sure these agribusinesses weren’t thrilled about requiring the capture of geolocation, date, and harvest size data as a mandatory step in harvesting. And if there are any family farms left, they REALLY weren’t thrilled. (Not that small family farms are doing business with Walmart, but these requirements are going to flow down to smaller food sellers also.)

So yes, these data capture and blockchain requirements are onerous from the suppliers’ perspective. But think of Walmart’s perspective for the moment. If Walmart can convince its customers that its foods won’t make them sick, and if Walmart’s competitors can’t do this, then Walmart has a clear competitive advantage.

The retailer was motivated to focus its first “substantive, not symbolic” declaration as a result of several highly publicized E. coli outbreaks in the United States… — including five deaths — that were related to tainted romaine lettuce, according to Frank Yiannis, vice president of food safety and health for Walmart.

And not just Walmart

These and other modern technologies are necessary not only for Walmart or any other multi-billion dollar firm, but even for much smaller firms. As I said, eventually consumers will demand blockchain or similar food tracing from all grocery stores.

Dollar General store in Arlington, Georgia. By Michael Rivera – Own work, CC BY-SA 4.0, https://commons.wikimedia.org/w/index.php?curid=61224685

Yes, even Dollar General is embracing technology, but as far as I can tell it is concentrating on consumer-facing technology and hasn’t adopted blockchain yet. But I could be wrong.

These days, long after my former consumer goods employer went out of business, you’re not going to run your business on a Lotus 1-2-3 spreadsheet, even if Lotus IS integrated.

Additional countries issue the EU Digital COVID Certificate (a/k/a the Digital Green Certificate)

First, a correction.

When I first began writing about the Digital Green Certificate, I referred to it as…the Digital Green Certificate, noting the confusion that the name could cause with climate activists and the like.

Well, it turns out that climate activists have no cause for confusion, because the name of the certificate is NOT the “Digital Green Certificate.”

It’s the “EU Digital COVID Certificate,” as noted here.

With that out of the way, let’s revisit developments since the first seven countries began issuing the EUDCC on June 1.

By Tuesday, June 15, the list of issuing countries will expand to 14:

Italy is one of the first EU countries to begin issuing the EU Digital COVID Certificate, alongside Austria, Bulgaria, Croatia, Czechia, Denmark, Estonia, Germany, Greece, Latvia, Lithuania, Luxembourg, Poland, and Spain.

The remainder of the countries should be issuing the EUDCC by July 1.

(Bredemarket Premium) I can’t TELL you the law enforcement AFIS vendors in each state, but…

Well, it’s time for another post in the Bredemarket Premium series, in which posts are only viewable by paying subscribers.

I thought about this topic when I was asked by someone NOT in the automated fingerprint identification system (AFIS) industry to explain the industry. And I told him some things that would benefit people who ARE in the AFIS industry. Some people already know these things, while some people don’t. One example: which AFIS vendors service which customers?

For purposes of this post I will concentrate on state-level law enforcement AFIS in the United States, although AFIS are available at many government (and enterprise) levels for many markets in many countries.

As I detail in the post, I actually know all of this information myself, but I can’t share it. So this post is intended to tell you how to obtain this information yourself, from publicly available sources. And I’ll even give you a few pointers to get you started.


Requests for Comments (RFCs), formal and casual

I don’t know how it happened, but people in the proposals world have to use a lot of acronyms that begin with the letters “RF.” But one “RF” acronym isn’t strictly a proposal acronym, and that’s the acronym “RFC,” or “Request for Comments.”

In one sense, RFC has a very limited meaning. It is often used specifically to refer to documents provided by the Internet Engineering Task Force.

A Request for Comments (RFC) is a numbered document, which includes appraisals, descriptions and definitions of online protocols, concepts, methods and programmes. RFCs are administered by the IETF (Internet Engineering Task Force). A large part of the standards used online are published in RFCs. 

But the IETF doesn’t hold an exclusive trademark on the RFC acronym. As I noted in a post on my personal blog, the National Institute of Standards and Technology recently requested comments on a draft document, NISTIR 8334 (Draft), Mobile Device Biometrics for Authenticating First Responders.

While a Request for Comments differs in some respects from a Request for Proposal or a Request for Information, all of the “RFs” require the respondents to follow some set of rules. Comments, proposals, and information need to be provided in the format specified by the appropriate “RF” document. In the case of NIST’s RFC, all comments needed to include some specific information:

  • The commenter’s name.
  • The commenter’s email address.
  • The line number(s) to which the comment applied.
  • The page number(s) to which the comment applied.
  • The comment.

Comments could be supplied in one of two ways (via email and via web form submission). I chose the former.

Cover letter of the PDF that I submitted to NIST via email.

On the other hand, NIST’s RFC didn’t impose some of the requirements found in other “RF” documents.

  • Unlike a recent RFI to which I responded, I could submit as many pages as I liked, and use any font size that I wished. (Both are important for those respondents who choose to meet a 20-page limit by submitting 8-point text.)
  • Unlike a recent RFP to which I responded, I was not required to state all prices in US dollars, exclusive of taxes. (In fact, I didn’t state any prices at all.)
  • I did not have to provide any hard copies of my response. (Believe it or not, some government agencies STILL require printed responses to RFPs. Thankfully, they’re not requiring 12 copies of said responses these days like they used to.)
  • I did not have to state whether or not I was a small business, provide three years of audited financials, or state whether any of the principal officers of my company had been convicted of financial crimes. (I am a small business; my company doesn’t have three years of financials, audited or not; and I am not a crook.)

So RFC responses aren’t quite as involved as RFP/RFI responses.

But they do have a due date and time.

By Arista Records – 45cat.com, Fair use, https://en.wikipedia.org/w/index.php?curid=44395072

Marketing messages at multiple levels

Today is podcast day on my content calendar, and I decided upon a title for my next podcast before I even started recording it.

The title? “All clear for an IPO.”

When I selected that title, I knew that 100% of the listeners would discern that the podcast had to do with some company’s initial public offering.

And I knew that 5% of the listeners would understand the significance of the word “clear” in the title.

And I additionally knew that 1% of the listeners would understand the significance of the word “all” in the title.

If you listen to the podcast episode, you’ll understand the significance of these two words, if you didn’t already know their significance.

This is an example of a marketing message that works at multiple levels. Some people will take the title at face value, while others will discern deeper information.

Personally, a lot of my writing is like this, with dense links to illustrative material and occasional phrases that have multiple meanings.

But what happens when a marketing message has multiple meanings and the marketer doesn’t know it?

I am a lover of comedy, and one of my favorite comedy groups from the 1980s is the Pet Shop Boys. Now you might think of the Pet Shop Boys as a music group, but you’re wrong. The duo is actually an accomplished comedy group, with their comedy present in their musical, visual, and lyrical output.

Musically, seek out the Pet Shop Boys’ recording of “Always on My Mind” and compare it to, for example, Willie’s version. Tongue is firmly in cheek here.

Visually, I can sum things up in two words: Chris Lowe. While Neil sings away in videos or in concert, Chris has perfected the fine art of standing there.

“We had a video director once who said I stood still very well,” Chris informs me proudly. “It’s not easy, you know. A lot of people can’t do it. It’s an art form.”

And how about those lyrics? On the surface, songs like “Opportunities” sound like the lyrics came from a Thatcherite manifesto, but anyone who was aware of the currents in United Kingdom politics in the 1980s would obviously know that the Pet Shop Boys didn’t really mean that. Right?

Well

I wonder how many Allstate insurance customers are singing along with a song dripping with sarcasm.

However, I suspect that Neil and Chris enjoyed making a quick pound off of an American insurance company. After all, they got lots of money in return.

…the duo’s U.S. Top 10 “Opportunities (Let’s Make Lots of Money)” has entered (Billboard) magazine’s Dance/Electronic Digital Song Sales chart at No. 5, after appearing in an ad for Allstate Insurance that aired during Super Bowl LV…