Identity Document Validation is a Toxic Dumpster Fire

I may have misjudged Biometric Update.

Most technology publications, with the notable exception of IPVM, are at least partially funded by the companies they cover. Therefore there’s an unavoidable tension between keeping the advertisers happy and casting a critical eye on the industry.

I accept this tension because it applies to Bredemarket itself. Although my clients are absolutely wonderful, there may emerge a future situation where they may be less than perfect. So naturally I have to watch my tongue.

As does Biometric Update.

Remember when IDloop asserted it offered “the world’s first FBI-certified 3D contactless fingerprint scanner,” and Biometric Update reported the claim with no comment? I said at the time:

“Biometric Update reports news as reported, and I don’t think it’s Biometric Update’s purpose to poke holes in vendor claims.”

But then Biometric Update ran a more recent story.

They said that?

Bear in mind that Biometric Update’s advertisers include vendors who offer identity document validation solutions: either their own, or from a third party.

And Biometric Update’s recent story basically said that these solutions are a toxic dumpster fire.

OK, not in those words. Biometric Update is Canadian owned, and if the publication used the words “toxic dumpster fire” it would never stop apologizing.


But the true title is eye-catching in context:

DHS RIVR results suggest most ID document validation disastrously ineffective

Not just ineffective, DISASTROUSLY ineffective. Ouch.

For those not up in their acronyms, the Department of Homeland Security’s (DHS) latest annual round of tests was called the Remote Identity Validation Rally (RIVR).

DHS set performance goals for the submitted entries and publicized the (anonymous) results.

“Four of the seven subsystems tested met the goal for system error rate. Four did not meet the threshold for FRR, and five fell short in FAR. In other words, most systems let too few legitimate IDs through, even more passed too many fraudulent IDs, and six of seven fell short on one or both sides of the assessment.”


Biometric Update didn’t reveal the…um…identity of the one vendor that performed acceptably. But that vendor may self-reveal soon enough.

On anonymity

Why do testing entities sometimes allow participants to remain anonymous?

Because they want participants.

Some biometric tests are NOT designed to identify the best algorithms, but are instead designed to view the state of the industry. And that’s what this test performed with document validation.

Presumably a future test—POND, or Performance Of Notable Documents—will measure the future state-of-the-art of identity document validation.

Hopefully the results won’t be disastrous.

How Can Identity/Biometric Product Marketers Cut Through the Slop?

Slop is everywhere, and even I generate slop. (For experimental purposes only, of course.) But slop makes it hard for product marketers to share their messages with prospects.

Bredemarket has adopted two tactics to cut through the slop and ensure my clients’ messages reach those who need to hear them.

Tactic 1: Before I write, I ask

To bound the message I am about to create for an identity/biometric client (or any client), I ask a number of questions. These questions ensure that the message addresses the right people, their concerns, and their fears. I’ve shared seven of my questions elsewhere.

Seven Questions Your Content Creator Should Ask You.

When all the questions are answered, I have a clear roadmap to start writing.

Tactic 2: I act, not the bot

In writing, generative artificial intelligence’s proper place is as an outside advisor, not an author. I’ve shared my thoughts on this on LinkedIn.

I don’t feed the answers to Bredebot and have it churn out something. I pick the words myself.

Rewrite this. Don’t write it.

Now perhaps I might use generative AI to tweak a phrase or two, but I remain in complete control of the entire creative process.

The result?

I believe, and my clients also believe, that this careful approach to content results in pieces that are differentiated from the mass-churned content of others.

So my clients stand out and aren’t confused with their competitors.

After all, even though Bredebot fakes thirty years of experience in identity and biometrics, it doesn’t really have such experience. I do. That’s why I’m the biometric product marketing expert.

So if you want me, not a bot, to polish your biometric product marketing sentences “until they shine,” let’s talk about how we can move forward.

Bredemarket can write your biometric company’s product marketing content.

Retinal Identification

First, the iris and the retina are not synonymous.

NIH National Eye Institute, Public Domain.

Second, while the iris can be used for biometric identification, so can the retina. People are identified by their blood vessels in their eyes. But there are complications, according to the Biometrics Institute:

“Retina recognition is one of the most accurate biometric applications but a number of common eye conditions and diseases (for example, cataracts, diabetes, glaucoma) can affect the arrangement of the blood vessels and consequently alter the pattern used for biometric recognition.”

Notice ID 70RDA126RFI000003: Yes, It’s an RFI, But That May Be a HUGE Multi-Biometric Matching System

An interesting Request for Information (Notice ID 70RDA126RFI000003) for a multi-biometric matching system was posted on SAM.gov on Friday, and it’s turning some heads. But is YOUR organization reading an RFI that is turning YOUR heads?

Bear in mind that this is a Request for INFORMATION, not a Request for PROPOSAL. And this is made clear in the document:

“This RFI is for planning purposes only and shall not be construed as an obligation on the part of the Government. This is NOT a Request for Quotations or Proposals. No solicitation document exists, and a formal solicitation may or may not be issued by the Government as a result of the responses received to this RFI.”

Forget the technical requirements…look at the BUSINESS requirements

Now I could get into the…um…minutiae of the request for information about a biometric matching system, the requirements for everything from presentation attack detection to on-premise/hybrid/cloud deployments, and a host of other things.

But in this case, the business requirements outweigh the technical requirements…by a LONG shot.

“The Department of Homeland Security (DHS) is seeking an enterprise-wide, scalable, and secure biometric matching software solution to support mission-critical identity verification, vetting, and investigative operations across all DHS Components, including CBP, ICE, TSA, USCIS, USSS, and Headquarters. The contractor will provide a DHS-wide enterprise license for multi-modal biometric matching software, along with all associated services, integration support, maintenance, and technical assistance necessary for full operational deployment.”

And in the next section:

“DHS is looking to acquire an enterprise-wide biometric matching software solution, including all licenses, services, and technical support necessary to enable seamless integration with all DHS biometric systems.”

Matching for ALL DHS components, and integration with ALL DHS biometric systems. This could just be a teeny system for limited operations…or it could be a super system. Since they’re asking about scalability, potential respondents should probably assume the latter.

So we’re talking loads of money.

Of course it could be scaled way down when or if a final RFP comes along. And maybe the vast expanse of the RFI is merely designed to get system integrators to drool.

But where does this leave the IDENT/HART battles?

What about YOUR RFI (and RFP) responses?

Incidentally, Bredemarket offers proposal services to assist identity/biometric vendors in RFI and RFP responses such as this one. Over the years my proposals have won over $50 million in business. Presumably the respondents to this RFI have full proposal staffs (or maybe not), but if YOUR organization requires RFI and RFP assistance, schedule a meeting with Bredemarket.

Bredemarket services, process, and pricing.

(2/17/2026: See Anthony Kimery’s assessment of the RFI here.)

Responsible Retail Artificial Intelligence

I missed this announcement in December, but it carries an important message.

“Gatekeeper Systems, a pioneer in intelligent theft prevention solutions, today announced a significant enhancement to its FaceFirst® platform with the integration of technology from ROC.”

That’s the firm formerly known as Rank One Computing.

The important message is deeper in the press release.

“‘Facial recognition in retail must be fast, accurate, and accountable,’ said Robert Harling, CEO of Gatekeeper Systems. ‘By embedding ROC’s NIST-verified algorithm directly into FaceFirst, we’re giving retailers a system that performs in real time and stands up to public, operational, and legal scrutiny. It’s AI you can trust—and accuracy you can prove.’”

The “accountable” and “prove” part comes from ROC’s demonstrated results in NIST FRTE testing, as well as from the fact that people using Gatekeeper Systems now know whose facial recognition algorithm they’re using.

It still shocks me when a company says that they’re using an algorithm, but doesn’t say whose algorithm they’re using.

If you want to say the right stuff, Bredemarket can write your biometric company’s product marketing content.

Another Type of Interception: the Iris Template Replay Attack

While much of the world continues to play football, American “football” wrapped up this month at the professional level with the “Commercials, Concerts, And a Sports Show”(tm).

During the game, New England Patriots quarterback Drake Maye threw two interceptions, or throws that were received by players on the opposing team (the Seattle Seahawks).

But what if Maye were throwing iris templates? And what if the defending Seahawks used the intercepted data in injection attacks?

Bet you didn’t think I was going there.

Iris template replay attacks

Facial data (from companies such as FaceTec and iProov) isn’t the only type of data that can be protected by injection attack detection. You can inject data from any type of biometric to bypass the capture device.

One type of injection attack is a template replay attack. It works something like this:

  • For this example assume that I am a legitimate subject and an authorized user, and the biometric workstation captures my iris. 
  • Rather than sending the entire iris image to the server, it converts the image into a template, or a much smaller mathematical representation.
  • The biometric workstation transmits this template to the server. BUT…
  • The evil fraudsters use some type of malware to intercept my iris template and save it for future mischief. Unfortunately, unlike a football interception seen by over 100 million people, no one realizes that this iris “interception” happened.
  • Later, when a fraudster wants to gain access to the biometric system, they perform an injection attack. Rather than capturing the fraudster’s iris at a workstation and sending that template to the server, the fraudster performs a “replay” and “injects” my intercepted iris template into the workflow.
  • The server receives my iris template, thinks I am accessing the system, and authorizes access.
  • The fraudster does bad things.

Iris template replay attack detection

How do you prevent an iris template replay attack?

First you have to detect it. Perhaps the system can detect that the template is not from a current iris capture, or that the template originated somewhere other than an iris workstation.

Once you detect it, you can reject it. Fraudster denied.

Of course this applies to any biometric template: fingerprint, face, whatever.

Injection attack detection, when implemented, is just another tool embedded in the biometric product.
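One way a server could make both checks described above (is the template from a current capture, and did it come from a real workstation), shown as an added example that is not from the original post or any vendor's product. It assumes each workstation holds a provisioned secret key and the server issues a one-time challenge per capture; all names are hypothetical.

```python
import hashlib
import hmac
import secrets
import time

MAX_AGE_SECONDS = 30  # assumed freshness window between challenge and submission


def sign_capture(key, device_id, nonce, template):
    """Workstation side: bind the template to this device and this challenge."""
    msg = nonce + hashlib.sha256(template).digest() + device_id.encode()
    return hmac.new(key, msg, hashlib.sha256).digest()


class TemplateVerifier:
    """Server side: accept a template only with a fresh, unused challenge
    and a valid tag from a registered workstation key."""

    def __init__(self, device_keys):
        self.device_keys = device_keys  # device_id -> key (assumed provisioned)
        self.pending = {}               # outstanding nonce -> issue time

    def issue_challenge(self, now=None):
        nonce = secrets.token_bytes(16)
        self.pending[nonce] = time.time() if now is None else now
        return nonce

    def verify(self, device_id, nonce, template, tag, now=None):
        now = time.time() if now is None else now
        key = self.device_keys.get(device_id)
        if key is None:
            return "reject: unknown workstation"
        if not hmac.compare_digest(sign_capture(key, device_id, nonce, template), tag):
            return "reject: bad authentication tag"
        issued = self.pending.pop(nonce, None)  # each challenge is single use
        if issued is None:
            return "reject: challenge unknown or already used (replay)"
        if now - issued > MAX_AGE_SECONDS:
            return "reject: stale capture"
        return "accept"


def demo():
    key = b"constructed-demo-key-not-a-real-secret"  # constructed sample value
    server = TemplateVerifier({"iris-ws-01": key})
    nonce = server.issue_challenge()
    template = b"constructed iris template bytes"
    tag = sign_capture(key, "iris-ws-01", nonce, template)
    first = server.verify("iris-ws-01", nonce, template, tag)
    replay = server.verify("iris-ws-01", nonce, template, tag)  # intercepted copy
    return first, replay
```

An intercepted submission fails on resend because its challenge is already spent, and the same template cannot be re-tagged for a new challenge without the workstation key.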

Biometric product marketing expert. Look at his eyes.

A Brief Note to My WordPress Subscribers

I often reshare my posts on social media, but sometimes I don’t.

This post won’t be reshared on Facebook, LinkedIn, YouTube, or anywhere else.

It’s specifically and only intended for Bredemarket’s WordPress subscribers.

The message?

Thank you.

If you’re of a certain age, enjoy this.

“Thank You,” Led Zeppelin. From Led Zeppelin II.

If you’re younger, enjoy this.

“Thank You,” Röyksopp. From The Inevitable End.

Privacy, by Google Gemini

Google’s concept:

“Abstract 3D render of a human silhouette made of shimmering frosted glass, iridescent light refracting through, symbolizing secure data encryption and zero-knowledge proofs, elegant and high-end.”

Personally I think it’s TOO abstract, but perhaps that’s just me.

I didn’t create a musical version of this on Instagram because stuff, but there’s a Facebook version here. Sadly non-embeddable…but that’s why you should join my Facebook Bredemarket Identity Firm Services group.

Why Would a Robot Fish?

Sadly the question “why would a robot fish?” was shared in a private Facebook group, so I cannot share the entire question with you. But I can share my response.

“Some humans don’t fish for food, but for relaxation. But if robots need downtime, it doesn’t have to be at a stream with a pole.”

After thinking, I composed the prompt for the Google Gemini picture that illustrates this post.

“Create a realistic picture of a robot by a stream in the woods, fishing. The eyes and other parts of the robot’s head indicate that its internal controls are in maintenance mode, or that the robot is ‘relaxing.’”

My own content creation process with Bredemarket includes a “sleep on it” step which lets my brain reset before taking a fresh look at the content.

The generative AI equivalent is to take the output from the initial prompt, start a new independent chat, and write a second prompt to re-evaluate the output of the first prompt.

Which I guess would be “fishing.”