Identity Assurance Level 3 (IAL3): When Identity Assurance Level 2 (IAL2) Isn’t Good Enough

(Picture designed by Freepik.)

(Part of the biometric product marketing expert series)

I’ve talked about Identity Assurance Levels 1, 2, and 3 on several occasions. Most notably regarding Login.gov’s initial failure to adhere to Identity Assurance Level 2 (IAL2). (Old news; after the pilot, Login.gov is now certified for IAL2.)

But as usually happens, IAL2 is yesterday’s news. Because biometric tech always gets harder better faster stronger.

Refresher on IAL1, IAL2…and IAL3

Let’s review the three identity assurance levels.

For our purposes, the big difference between IAL2 and IAL3 is that IAL2 allows “either remote or physically-present identity proofing,” while IAL3 requires “[p]hysical presence” for identity proofing. However, the proofing agent may “attend the identity proofing session via a CSP-controlled kiosk or device.” In other words, supervised enrollment.

When do you need IAL3? Mitek’s Adam Bacia clarifies:

“IAL3 is reserved for high-risk environments such as sensitive government services.”

How are solutions approved for a particular Identity Assurance Level?

Now I could get on my product marketing soapbox and loudly proclaim that my service is IAL2 compliant, or IAL3 compliant, or IAL4 compliant. (“What? You don’t know about IAL4? Obviously you’re not authorized to know about it.”)

But I doubt you would, um, trust my declaration.

Enter the Kantara Initiative, which manages an Identity Assurance Approval Process. For our purposes, we want to focus on the NIST 800-63 rev.3 class of approval:

“Available to Credential Service Providers offering Full or Component Credential Management Services. Modeled on best practice (drawing from, among other sources, ISO/IEC 27001, ISO/IEC 29115), this Class of Approval ensures the provider organization’s good standing and management / operational practices and assesses criteria which are derived strictly from NIST SP 800-63 rev.3 requirements, ensuring a conformant technical provision of the provider organization’s service.

“Assurance Levels: IAL2, IAL3; AAL2, AAL3; FAL2, FAL3”

  • You see that the Kantara Initiative doesn’t even offer an approval for IAL1, just for IAL2 and IAL3.
  • It also offers approvals for AAL2 and AAL3. I’ve previously discussed Authenticator Assurance Levels (AALs) in this post. Briefly, IALs focus on the initial identity proofing, while AALs focus on the authentication of a proven identity.
  • And you can also see that it offers approvals for FAL2 and FAL3. I’ve never discussed Federation Assurance Levels (FALs) before.

Component Services IAL2 approvals…and an IAL3 approval

Now if you go to the Kantara Initiative’s Trust Status List and focus on the Component Services, you’ll see a number of companies and their component services which are approved for NIST 800-63 rev.3 and offer an assurance level of IAL2.

With one exception.

“NextgenID Trusted Services Solution provides Supervised Remote Identity Proofing identity stations to collect, review, validate, proof, and package IAL-3 identity evidence and enrollment data for CSPs operating at IAL-3. The NextGenID TSS Identity Stations enable remote operators to remotely supervise NIST SP 800-63A compliant Supervised Remote Identity Proofing (SRIP) sessions for credentialing.”

So if remote identity assurance is not good enough for you, there’s a solution. I’ve already discussed NextgenID’s SUPERVISED remote identity proofing in this post. And there’s a video.

Trust Swiftly has also designed a remote IAL3 solution, but I couldn’t find Trust Swiftly on the Kantara Initiative’s Trust Status List. Perhaps it was processed under another accredited assessor.

But clearly biometric product marketers are paying attention to the identity assurance levels…at least the real ones (not IAL4). But are they communicating benefit-oriented messages to their prospects?

Biometric product marketing has to be targeted to the right people, with the right message. And the biometric product marketing expert at Bredemarket can help a company’s marketing organization create effective content. Talk to Bredemarket.

A Jewelry-related Third-Party Breach: What Could Go Wrong?

Check this article from cyberdaily.au regarding a reported third-party breach. This one is from Danish jewelry brand Pandora.

“The company said that impacted data includes names, birthdates and email addresses, but that financial information, government identifiers and passwords were not accessed by the threat actors.”

So who was the third party? BleepingComputer has that part of the story:

“While Pandora has not shared the name of the third-party platform, BleepingComputer has learned that the data was stolen from the company’s Salesforce database.”

Not that it’s necessarily Salesforce’s fault. Access could have been granted by a Pandora employee as part of a social engineering attack.

All Salesforce users should read “Protect Your Salesforce Environment from Social Engineering Threats.”

It’s not just a technical issue, but also a business process issue.

Or a user education issue.

Bredemarket can help firms educate their users. Talk to me.

Do It

(From YouTube; https://youtu.be/hAEQvlaZgKY?si=5gmNIdjjYtzaStyy )

I’ve scheduled a post for Monday regarding Identity Assurance Level 3 (IAL3). I note that IAL2 is not enough for some government agencies, who have requirements that are…um…harder better faster stronger.

Monday’s post will include the “hands” video version of the Daft Punk song.

Today I’m sharing the “Shia” video version.

(Sadly, not embeddable.)

For the “bias to action” folks.

Pharmacy Product Marketing to the Proper Hungry People

Health marketing leaders know that pharmacy product marketing can be complex because of the many stakeholders involved. Depending upon the product or service, your hungry people (target audience) may consist of multiple parties.

  • Pharmaceutical companies.
  • Pharmacists.
  • Medical professionals.
  • Insurance companies.
  • Partners who assist the companies above.
  • Consumers.

And the pharmacy product marketer has to create positioning and messaging for all these parties, for a myriad of use cases: fulfillment, approval, another approval, yet another approval. All the messaging can become a complex matrix. (I know. I’ve maintained a similar messaging matrix for an ABM marketing campaign for the financial services industry.)

To achieve your goals, health marketing leaders require a mix of strategy and tactics. And that’s where my extensive experience can help with your pharmacy product marketing program.

Talk to Bredemarket.

Open and Shut Case Study Solutions…and Results

I seem to be on a kick on writing about case studies.

If you want your happy customers to say nice things about you, but don’t know where to begin to assemble your own case studies, maybe Bredemarket can help. Talk to me.

Six recent Bredemarket posts on case studies

In the meantime, read on to see where I’ve gotten my kicks lately.

1: Make your prospects stop and eat

Cool service. Have your happy customers tell prospects about it.

“Let Bredemarket help you take the blindfolds off. We can work together to fill your content black hole with blogs, articles, case studies, white papers, and other written words that make your prospects stop and eat.”

The Difference Between Busy and Too Busy – Bredemarket

2: Collaboration, collaboration, collaboration 

“We had to collaborate between myself, a few people from the firm, and representatives of the firm’s customers who could provide the facts.”

Working With Your Customers on Case Studies – Bredemarket

3: This solution provides results

“Tasks that used to take minutes or hours now only take seconds.”

AI-Analyzing Computed Tomography (CT) Scans – Bredemarket

4: You don’t need the STAR method

Case studies and other deliverables.

“Rather than arrange our case studies into four parts, my client and I agreed on a three-part outline that effectively combined “S” and “T.” Our outline? Problem, Solution, and Result. The STAR people were horrified, but we didn’t care. The client was a maverick anyway.”

You Have the Interview Transcript for a Case Study. Now What? – Bredemarket

5: Solutions that are specific

“Bredemarket is targeting tech CMOs with the specific problem of needing help, or a push, to create the marketing content their firms require. Before your competitors steal your prospects from you. You know what you need: perhaps awareness (who you are), perhaps consideration (why your competitors suck). And you will get it through case studies, or blog posts, or white papers, or LinkedIn articles, or proposals, or something else.”

Making Case Studies (and Other Content) Specific So Prospects Act – Bredemarket

6: Three tips for creating case studies, and three tips for getting them approved

“So how do you expedite case study creation and approval?”

Easing the Pain of Case Study Creation and Approval – Bredemarket

Do you want the results that case studies deliver?

Talk to Bredemarket about the case study creation solution I provide to solve your awareness or consideration problem.

Buying in Bulk in 1666

Pardon me while I leave my usual B2B and B2G comfort zone and enter the B2C world.

We think of buying in bulk—hauling the van (I almost said “station wagon”) to Costco or Sam’s Club—as a modern invention.

But it’s only new to those of us who are NOT incredibly wealthy. 

As Ellen Hawley reminds us, rich people such as Samuel Pepys had goods problems during the Great Fire of London in 1666. The fire was leaving the City and approaching their homes—what to do? According to Pepys’ words, this is part of what he did:

“Sir W. Batten not knowing how to remove his wine, did dig a pit in the garden, and laid it in there; and I took the opportunity of laying all the papers of my office that I could not otherwise dispose of. And in the evening Sir W. Pen and I did dig another, and put our wine in it; and I my Parmazan cheese, as well as my wine and some other things.”

The “Parmazan” cheese is never mentioned again. As Hawley observes:

“Pepys’ house did not burn and in a later entry he writes about unearthing his wine but doesn’t mention the cheese. Since he didn’t complain about losing it, we can probably assume the fire didn’t turn it into a giant grilled cheese sandwich, minus the bread.”

Although a Parmesan cheese sandwich sounds foreign to me.

So why am I writing about 17th century fires and foods in the Bredemarket blog?

  • Because the story reminds us that we have to face problems with the technology we have available.

Are you a technology marketing leader with a product that yields substantive benefits to your prospects? Bredemarket can help you market that product.

Using Personal Devices at Work: Meta AI Smart Glasses at a CBP Raid?

Although the lines inevitably blur, there is often a line between devices used at home and devices used at work.

  • For example, if you work in an old-fashioned work office, you shouldn’t use the company photocopier to run personal copies of invitations to your wedding.
  • Similarly, if you have a personal generative AI account, you may cause problems if you use that personal account for work-related research…especially if you feed confidential information to the account. (Don’t do this.)

The line between personal use and work use of devices may have been crossed by a Customs and Border Protection agent on June 30 in Los Angeles, according to 404 Media.

“A Customs and Border Protection (CBP) agent wore Meta’s AI smart glasses to a June 30 immigration raid outside a Home Depot in Cypress Park, Los Angeles, according to photos and videos of the agent verified by 404 Media.”

If you visit the 404 Media story, you can see zoomed in pictures of the agent’s glasses showing the telltale signs that these aren’t your average spectacles.

Now 404 Media doesn’t take this single photo as evidence to indicate that CBP has formally adopted Meta AI glasses for its work. In fact, a likely explanation is that these were the agent’s personal glasses, and he chose to wear them to work that day.

And 404 Media also points out that current Meta AI glasses do NOT have built-in facial recognition capabilities.

But even with these caveats, the mere act of wearing these glasses causes potential problems for the agent, for Customs and Border Protection, and for Meta.

Take Grandma, who uses Meta to find those cute Facebook stories about that hunk Ozzy Osbourne (who appeals to an older demographic). If she finds out that her friend Marky Mark Zuckerberg is letting the Government use Meta technology on those poor hardworking workers who just want a better life, well, Grandma may stop buying those trinkets from Facebook Marketplace.

(Unauthorized) Homeland Security Fashion Show. AI-generated by Imagen 4. And no, I don’t know what a “palienza” is.

So the lesson learned? Don’t use personal devices at work. Especially if they’re controversial.