Tag Archives: 6fa

“Somewhat You Why” in Minnesota

Remember my earlier post “‘Somewhat You Why,’ and Whether Deepfakes are Evil or Good or Both”?

When I posted it, I said:

I debated whether or not I should publish this because it touches upon two controversial topics: U.S. politics, and my proposed sixth factor of authentication. 

I eventually decided to share it on the Bredemarket blog but NOT link to it or quote it on my socials.

Well, I’m having the same debate with this post, which is ironic because I learned about the content via the socials. Not that I will identify the source, because it is from someone’s personal Facebook feed.

Just a random picture of Princess Diana. Public domain.

My earlier post analyzed my assumption that deepfakes are bad. It covered the end of National Science Foundation funding for deepfake research, apparently because deepfakes can be used as a form of First Amendment free speech.

Well, the same issue is appearing at the state level, according to the AP:

X Corp., the social media platform owned by Trump adviser Elon Musk, is challenging the constitutionality of a Minnesota ban on using deepfakes to influence elections and harm candidates, saying it violates First Amendment speech protections.

As I previously noted, this does NOT mean that X believes in a Constitutional right to financially defraud people.

  • Or do I have a Constitutional right to practice my freedom of religion by creating my own biometric-free voter identification card like John Wahl did?

Again, is it all about intent? Somewhat you why?

And if your firm provides facial recognition, how do you address such issues?

If you need help with your facial recognition product marketing, Bredemarket has an opening for a facial recognition client. I can offer

  • compelling content creation
  • winning proposal development
  • actionable analysis

If Bredemarket can help your stretched staff, book a free meeting with me: https://bredemarket.com/cpa/

(Lincoln’s laptop from Imagen 3)

“Somewhat You Why,” and Whether Deepfakes are Evil or Good or Both

I debated whether or not I should publish this because it touches upon two controversial topics: U.S. politics, and my proposed sixth factor of authentication.

I eventually decided to share it on the Bredemarket blog but NOT link to it or quote it on my socials.

Although I could change my mind later.

Are deepfakes bad?

When I first discussed deepfakes in June 2023, I detailed two deepfake applications.

One deepfake was an audio-video creation purportedly showing Richard Nixon paying homage to the Apollo 11 astronauts who were stranded on the surface of the moon.

  • Of course, no Apollo 11 astronauts were ever stranded on the surface of the moon; Neil Armstrong and Buzz Aldrin returned to Earth safely.
  • So Nixon never had to pay homage to them, although William Safire wrote a speech as a contingency.
  • This deepfake is not in itself bad, unless it is taught in a history course as true history about “the failure of the U.S. moon program.” (The Apollo program had a fatal catastrophe, but not involving Apollo 11.)

The other deepfake was more sinister.

In early 2020, a branch manager of a Japanese company in Hong Kong received a call from a man whose voice he recognized—the director of his parent business. The director had good news: the company was about to make an acquisition, so he needed to authorize some transfers to the tune of $35 million….The manager, believing everything appeared legitimate, began making the transfers.

Except that the director wasn’t the director, and the company had just been swindled to the tune of $35 million.

I think everyone knows now that deepfakes can be used for bad things. So we establish standards to determine “content provenance and authenticity,” which is a fancy way to say whether content is real or a deepfake.

In addition to establishing standards, we do a lot of research to counter deepfakes, because they are bad.

Or are they?

What the National Science Foundation won’t do

Multiple sources, including both Nextgov and Biometric Update, are reporting on the cancellation of approximately 430 grants from the National Science Foundation. Among these grants are ones for deepfake research.

Around 430 federally-funded research grants covering topics like deepfake detection, artificial intelligence advancement and the empowerment of marginalized groups in scientific fields were among several projects terminated in recent days following a major realignment in research priorities at the National Science Foundation.

As you can probably guess, the cancellation of these grants is driven by the Trump Administration and the so-called Department of Government Efficiency (DOGE).

Why?

Because freedom:

Per the Presidential Action announced January 20, 2025, NSF will not prioritize research proposals that engage in or facilitate any conduct that would unconstitutionally abridge the free speech of any American citizen. NSF will not support research with the goal of combating “misinformation,” “disinformation,” and “malinformation” that could be used to infringe on the constitutionally protected speech rights of American citizens across the United States in a manner that advances a preferred narrative about significant matters of public debate.

The NSF argues that a person’s First Amendment rights permit them, I mean permit him, to share content without having the government prevent its dissemination by tagging it as misinformation, disinformation, or malinformation.

And it’s not the responsibility of the U.S. Government to research creation of so-called misinformation content. Hence the end of funding for deepfake research.

So deepfakes are good because they’re protected by the First Amendment.

But wait a minute…

Just because the U.S. Government doesn’t like it when patriotic citizens are censored from distributing deepfake videos for political purposes, that doesn’t necessarily mean that the U.S. Government objects to ALL deepfakes.

For example, let’s say that a Palm Beach, Florida golf course receives a video message from Tiger Woods reserving a tee time and paying a lot of money to reserve the tee time. The golf course doesn’t allow anyone to book a tee time and waits for Tiger’s wire transfer to clear. After the fact, the golf course discovers that (a) the money was wired from a non-existent account, and (b) the person making the video call was not Tiger Woods, but a faked version of him.

I don’t think anyone in the U.S. Government or DOGE thinks that ripping off a Palm Beach, Florida golf course is a legitimate use of First Amendment free speech rights.

So deepfakes are bad because they lead to banking fraud and other forms of fraud.

This is not unique to deepfakes, but is also true of many other technologies. Nuclear technology can provide energy to homes, or it can kill people. Facial recognition (of real people) can find missing and abducted persons, or it can send Chinese Muslims to re-education camps.

Let’s go back to factors of authentication and liveness detection

Now let’s say that Tiger Woods’ face shows up on YOUR screen. You can use liveness detection and other technologies to determine whether it is truly Tiger Woods, and take action accordingly.

  • If the interaction with Woods is trivial, you may NOT want to spend time and resources to perform a robust authentication.
  • If the interaction with Woods is critical, you WILL want to perform a robust authentication.

It all boils down to something that I’ve previously called “somewhat you why.”

Why is Tiger Woods speaking?

  • If Tiger Woods is performing First Amendment-protected activity such as political talk, then “somewhat you why” asserts that whether this is REALLY Woods or not doesn’t matter.
  • If Tiger Woods is making a financial transaction with a Palm Beach, Florida golf course, then “somewhat you why” asserts that you MUST determine if this is really Woods.

It’s simple…right?

What about your deepfake solution?

Regardless of federal funding, companies are still going to offer deepfake detection products. Perhaps yours is one of them.

How will you market that product?

Do you have the resources to market your product, or are your resources already stretched thin?

If you need help with your facial recognition product marketing, Bredemarket has an opening for a facial recognition client. I can offer

  • compelling content creation
  • winning proposal development
  • actionable analysis

If Bredemarket can help your stretched staff, book a free meeting with me: https://bredemarket.com/cpa/

(Lincoln’s laptop from Imagen 3)

You Can’t Prove that an International Mobile Equipment Identity (IMEI) Number is Unique

I’m admittedly fascinated by the parallels between people and non-person entities (NPEs), to the point where I asked at one point whether NPEs can use the factors of authentication. (All six. Long story.)

When I got to the “something you are” factor, which corresponds to biometrics in humans, here is what I wrote:

Something you are. For simplicity’s sake, I’ll stick to physical objects here, ranging from pocket calculators to hand-made ceramic plates. The major reason that we like to use “something you are” as a factor is the promise of uniqueness. We believe that fingerprints are unique (well, most of us), and that irises are unique, and that DNA is unique except for identical twins. But is a pocket calculator truly unique, given that the same assembly line manufactures many pocket calculators? Perhaps ceramic plates exhibit uniqueness, perhaps not.

But I missed one thing in that discussion, so I wanted to revisit it.

Understanding IMEI Numbers

Now this doesn’t apply to ceramic plates or pocket calculators, but there are some NPEs that assert uniqueness.

Our smartphones, each of which has an International Mobile Equipment Identity (IMEI) number.

Let’s start off with the high level explanation.

IMEI stands for International Mobile Equipment Identity. It’s a unique identifier for mobile devices, much like a fingerprint for your phone’s IMEI number.

Now some of you who are familiar with biometrics are saying, “Hold it right there.”

  • Have we ever PROVEN that fingerprints are unique?
  • And I’m not just talking about Columbia undergrads here.
  • Can someone assert that there has NEVER been two people with the same fingerprint in all of human history?

But let’s stick to phones, Johnny.

Each IMEI number is a 15-digit code that’s assigned to every mobile phone during its production. This number helps in uniquely identifying a device regardless of the SIM card used.

This is an important point here. Even Americans understand that SIM cards are transient and can move from one phone to another, and therefore are not valid to uniquely identify phones.

What about IMEIs?

Are IMEIs unique?

I won’t go into the specifics of the 15-digit IMEI number format, which you can read about here. Suffice it to say that the format dictates that the number incorporate the make and model, a serial number, and a check digit.

  • Therefore smartphones with different makes and models cannot have the same IMEI number by definition.
  • And even within the make and model, by definition no two phones can have the same serial number.

Why not? Because everyone says so.

It’s even part of the law.

Changing an IMEI number is illegal in many countries due to the potential misuse, such as using a stolen phone. Tampering with the IMEI can lead to severe legal consequences, including fines and imprisonment. This regulation helps in maintaining the integrity of mobile device tracking and discourages the theft and illegal resale of devices.

IMEIs in India

To all of the evidence above about the uniqueness of IMEI numbers, I only have two words:

So what?

A dedicated person can create or modify multiple smartphones to have the exact same IMEI number if desired. Here’s a recent example:

The Indore Police Crime Branch has dismantled two major digital arrest fraud rackets operating in different parts of the country, seizing a massive database containing private details of 20,000 pensioners in Indore….

A dark room in the flat functioned as the nerve centre of the cyber fraud operation, which had been active since 2019. The group specialised in IMEI cloning and used thousands of SIM cards from select mobile networks.

IMEIs in Canada

“Oh, but that’s India,” you say. “That couldn’t happen in a First World country.”

O Canada?

A Calgary senior is warning others after he was scammed out of $1,000 after buying what he thought was a new iPhone 15 Pro Max.

“I didn’t have any doubt that it was real,” Boyd told Global News….

The seller even provided him with the “original” receipt showing the phone had been purchased down east back in October 2023. Boyd said he also checked the phone’s serial number and the International Mobile Equipment Identity (IMEI). All checked out fine.

Boyd said the first sign of a problem was when he tried to update the phone with his own information and it wouldn’t update. It was only after he took it to a representative at a local Apple retailer, that he realized he had been duped.

IMEIs in general

Even IMEICheck.net, which notes that the threat of stealing one’s phone information is overrated, admits that it is possible (albeit difficult) to clone an IMEI number.

In theory, hackers can clone a phone using its IMEI, but this requires significant effort. They need physical access to the device or SIM card to extract data, typically using specialized tools.

The cloning process involves copying the IMEI and other credentials necessary to create a functional duplicate of the phone. However, IMEI number security features in modern devices are designed to prevent unauthorized cloning. Even if cloning is successful, hackers cannot access personal data such as apps, messages, photos, or passwords. Cloning usually only affects network-related functions, such as making calls or sending messages from the cloned device.

Again, NOTHING provides 100.00000% security. Not even an IMEI number.

What this means for IMEI uniqueness claims

So if you are claiming uniqueness of your smartphone’s IMEI, be aware that there are proven examples to the contrary.

Perhaps the shortcomings of IMEI uniqueness don’t matter in your case, and using IMEIs for individualization is “good enough.”

But I wouldn’t discuss war plans on such a device.

(Imagen 3 image. Oddly enough, Google Gemini was unable, or unwilling, to generate an image of three smartphones displaying the exact same 15-digit string of numbers, or even a 2-digit string. I guess Google thought I was a fraudster.)

Oh, and since I mentioned pocket calculators…excuse me, calcolatrici tascabili

KYV: Know Your (Healthcare) Visitor

Who is accessing healthcare assets and data?

Healthcare identity verification and authentication is often substandard, as I noted in a prior Bredemarket blog post entitled “Medical Fraudsters: Birthday Party People.” In too many cases, all you need to know is a patient’s name and birthdate to obtain fraudulent access to the patient’s protected health information (PHI).

But healthcare providers need to identify more than just patients. Providers need to identify their own workers, as well as other healthcare workers.

Know Your Visitor

Healthcare providers also need to identify visitors. When a patient is in a hospital, a rehabilitation facility, or a similar place, loved ones often desire to visit them. (So do hated ones, but we won’t go there now.)

I was recently visiting a loved one in a facility that required identification of visitors. The usual identification method was to present a driver’s license at the desk. The staffer would then print out a paper badge showing the visitor’s name and the validity date.

Like this…

John Bederhoft?

So John “Bederhoft” (sic) enjoyed access that day. Whoops.

Oh, and I could have handed my badge to someone else after a shift change, and no one would have been the wiser.

Let’s apply “somewhat you why”

There’s a more critical question: WHY was John “Berdehoft” visiting (REDACTED PHI)? Was I a relative? A friend? A bill collector? 

My proposed sixth factor of identity verification/authentication, “somewhat you why,” would genuinely help here. 

Somewhat you why “applies a test of intent or reasonableness to any identification request.” 

Maybe I should have said “and” instead of “or.”

  • Visiting a relative shows intent AND reasonableness.
  • Visiting a debtor shows intent but (IMHO) does NOT show reasonableness.

Do you need to analyze healthcare identity issues for your healthcare product or service? Or create go-to-market content for the same? Or proposals?

Contact me at Bredemarket’s “CPA” page.

Do All 5 Identity Factors Apply to Non-Human Identities?

I’ve talked ad nauseam about the five factors of identity verification and authentication. In case you’ve forgotten, these factors are:

  • Something you know.
  • Something you have.
  • Something you are.
  • Something you do.
  • Somewhere you are.

I’ll leave “somewhat you why” out of the discussion for now, but perhaps I’ll bring it back later.

These five (or six) factors are traditionally used to identify people.

Identifying “Non-Person Entities”

But what happens when the entity you want to identify is not a person? I’ll give two examples:

Kwebbelkop AI? https://www.youtube.com/watch?v=3l4KCbTyXQ4.
  • Kwebbelkop AI, discussed in “Human Cloning Via Artificial Intelligence: It’s Starting,” is not a human. But is there a way to identify the “real” Kwebbelkop AI from a “fake” one?
  • In “On Attribute-Based Access Control,” I noted that NIST defined a subject as “a human user or NPE (Non-Person Entity), such as a device that issues access requests to perform operations on objects.” Again, there’s a need to determine that the NPE has the right attributes, and is not a fake, deep or shallow.

There’s clearly a need to identify non-person entities. If I work for IBM and have a computer issued by IBM, the internal network needs to know that this is my computer, and not the computer of a North Korean hacker.

But I was curious. Can the five (or six) factors identify non-person entities?

Let’s consider factor applicability, going from the easiest to the hardest.

The easy factors

  • Somewhere you are. Not only is this extremely applicable to non-person entities, but in truth this factor doesn’t identify persons, but non-person entities. Think about it: a standard geolocation application doesn’t identify where YOU are. It identities where YOUR SMARTPHONE is. Unless you have a chip implant, there is nothing on your body that can identify your location. So obviously “somewhere you are” applies to NPEs.
  • Something you have. Another no brainer. If a person has “something,” that something is by definition an NPE. So “something you have” applies to NPEs.
  • Something you do. NPEs can do things. My favorite example is Kraftwerk’s pocket calculator. You will recall that “by pressing down this special key it plays a little melody.” I actually had a Casio pocket calculator that did exactly that, playing a tune that is associated with Casio. Later, Brian Eno composed a startup sound for Windows 95. So “something you do” applies to NPEs. (Although I’m forced to admit that an illegal clone computer and operating system could reproduce the Eno sound.)
Something you do, 1980s version. Advance to 1:49 to hear the little melody. https://www.youtube.com/watch?v=6ozWOe9WEU8.
Something you do, 1990s version. https://www.youtube.com/watch?v=miZHa7ZC6Z0.

Those three were easy. Now it gets harder.

The hard factors

Something you know. This one is a conceptual challenge. What does an NPE “know”? For artificial intelligence creations such as Kwebbelkop AI, you can look at the training data used to create it and maintain it. For a German musician’s (or an Oregon college student’s) pocket calculator, you can look at the code used in the device, from the little melody itself to the action to take when the user enters a 1, a plus sign, and another 1. But is this knowledge? I lean toward saying yes—I can teach a bot my mother’s maiden name just as easily as I can teach myself my maiden name. But perhaps some would disagree.

Something you are. For simplicity’s sake, I’ll stick to physical objects here, ranging from pocket calculators to hand-made ceramic plates. The major reason that we like to use “something you are” as a factor is the promise of uniqueness. We believe that fingerprints are unique (well, most of us), and that irises are unique, and that DNA is unique except for identical twins. But is a pocket calculator truly unique, given that the same assembly line manufactures many pocket calculators? Perhaps ceramic plates exhibit uniqueness, perhaps not.

That’s all five factors, right?

Well, let’s look at the sixth one.

Somewhat you why

You know that I like the “why” question, and some time ago I tried to apply it to identity.

  • Why is a person using a credit card at a McDonald’s in Atlantic City? (Link) Or, was the credit card stolen, or was it being used legitimately?
  • Why is a person boarding a bus? (Link) Or, was the bus pass stolen, or was it being used legitimately?
  • Why is a person standing outside a corporate office with a laptop and monitor? (Link) Or, is there a legitimate reason for an ex-employee to gain access to the corporate office?

The first example is fundamental from an identity standpoint. It’s taken from real life, because I had never used any credit card in Atlantic City before. However, there was data that indicated that someone with my name (but not my REAL ID; they didn’t exist yet) flew to Atlantic City, so a reasonable person (or identity verification system) could conclude that I might want to eat while I was there.

But can you measure intent for an NPE?

  • Does Kwebbelkop AI have a reason to perform a particular activity?
  • Does my pocket calculator have a reason to tell me that 1 plus 1 equals 3?
  • Does my ceramic plate have a reason to stay intact when I drop it ten meters?

I’m not sure.

By Bundesarchiv, Bild 102-13018 / CC-BY-SA 3.0, CC BY-SA 3.0 de, https://commons.wikimedia.org/w/index.php?curid=5480820.

Announcing a WhatsApp Channel for Identity, Biometrics, ID Documents, and Geolocation

From NIST.

I’ve previously stated that Bredemarket is present on a bunch of social platforms.

Well, if you’re a subscriber to the Bredemarket mailing list, or to the Bredemarket Threads account, then you already know what I’m about to say. Bredemarket is now on one additional social platform…kinda sorta.

I’ll explain:

  • What WhatsApp channels are.
  • How this impacted me.
  • Most importantly, why this may, or may not, impact you.

(Long-time readers of the Bredemarket blog see what I did there. In reverse.)

What are WhatsApp channels?

Meta, the company that owns Facebook, Instagram, WhatsApp, Threads, and half the known universe, wants to keep people on those social platforms. They can check out any time they like, but they can never leave.

Scanned by Wikipedia user David Fell from the CD cover, Fair use, https://en.wikipedia.org/w/index.php?curid=14790284

So now WhatsApp, the service that was originally intended for PRIVATE communications between people that knew each other’s phone numbers, is now your latest source for Kardashians news. Seriously; there are millions of people who follow the Daily Mail’s “Kardashians News” channel.

No, this is NOT a Kardashian (yet), but this is something that @cultpopcult would post (with a misattribution) so I’m doing it myself. By Office of Congressman Greg Steube – https://twitter.com/RepGregSteube/status/1451579098606620673, Public Domain, https://commons.wikimedia.org/w/index.php?curid=112088903

Some people are kinda sorta breathless about this, if you take the IMM Institute’s LinkedIn article “WhatsApp Channels: Revolutionising Business Communication” as evidence.

WhatsApp, a widely used messaging platform, has recently introduced a revolutionary feature known as WhatsApp Channels. This innovation empowers businesses to thrive by effectively communicating with a broader audience, sharing vital information, and engaging with customers in a more personalised and efficient manner.

From LinkedIn.

Revolutionary? Frankly, this isn’t any more revolutionary than the similar broadcasting feature in Instagram, with one important difference: not everyone can create an Instagram channel, but anyone with WhatsApp channel access can set up their own channel.

    Which got me thinking.

    How I was impacted by WhatsApp Channels

    I began mulling over whether I should create my own WhatsApp channel, but initially decided against it. Bredemarket has enough social media properties already, and the need to put Bredemarket stuff on WhatsApp is not pressing (the “100” WhatsApp group members get enough Bredemarket stuff already). The chances of someone ONLY being on WhatsApp and not on ANY other channel are slim.

    I’d just follow the existing WhatsApp channels on identity, biometrics, and related topics.

    But I couldn’t find any.

    So I created my own channel last Friday entitled “Identity, Biometrics, ID Documents, and Geolocation.”

    Why should you care?

    Why should you care about my WhatsApp identity channel? Maybe you SHOULDN’T.

    If you don’t use WhatsApp, ignore the WhatsApp channel.

    If you use WhatsApp but have other sources for identity industry information (such as my Facebook group/LinkedIn page), ignore the WhatsApp channel.

    But if you love WhatsApp AND identity, here is the follow link for “Identity, Biometrics, ID Documents, and Geolocation.”

    https://whatsapp.com/channel/0029VaARoeEKbYMQE9OVDG3a

    No, I Don’t Need Two Refrigerators

    In some cases, a customer’s purchase of a particular product or service indicates possible future interest in that same product or service.

    But this indicator only goes so far.

    If you just purchased an expensive item such as a refrigerator or a car or a house, chances are you’re not in the market for a second refrigerator or car or house.

    Arthur “Two Sheds” Jackson (a Monty Python character who became a beer) is a notable exception to the rule. From https://untappd.com/b/ganz-anders-brau-arthur-two-sheds-jackson/4055802

    But some companies don’t understand that high priced items are not usually purchased in bulk. According to a parcelLabs emotional shipping experience study:

    People have lost patience with brands who send incorrect or inaccurate marketing materials. In fact, brands that do this are driving their customers away.

    Of the 49% that say they were incorrectly targeted to in the last six months, 42% said they immediately unsubscribed from the brand’s marketing content. Another 24% chose to block the brand on social media!

    43% said that they received marketing for a product they’d already bought.

    You have to be more intelligent in your customer focus. Once a customer has purchased an item, they may—or may not—need a second one. In a different context, I have referred to this as “somewhat you why,” or the need to understand the intent of what someone is doing.

    If I’m standing outside my former employer’s office with some computer equipment, perhaps I’m returning equipment to my former employer.

    If I’m purchasing a refrigerator, in most cases I’m not contemplating purchase of a second one immediately.

    Although if I’m opening a chain of restaurants…

    From By Id1337x – Own work, Public Domain, https://commons.wikimedia.org/w/index.php?curid=6354368

    There Are Just Five Factors of Authentication. (I want the job.)

    As some of you know, I’m seeking full-time employment after my former employer let me go in late May. As part of my job search, I was recently invited to a second interview for a company in my industry. Before that interview, I made an important decision about how I was going to present myself.

    If you’ve read any of Bredemarket’s content, there are times when it takes a light tone, in which wildebeests roam the earth while engaging in marketing activities such as elaborating the benefits of crossing the stream.

    By Danijel Mihajlovic – https://thenextcrossing.com/wildebeest-migration-kenya, CC BY-SA 4.0, https://commons.wikimedia.org/w/index.php?curid=96024366

    Some of that DOES NOT fly in the corporate world. (For most companies, anyway.) If you analyze a wide selection of corporate blogs, you won’t see the word “nothingburger.” But you do here.

    So as I prepared for this important job interview, I made sure that I was ready to discuss the five factors of authentication, and my deep experience as an identity content marketing expert with many of those factors.

    The five factors of authentication, of course, are:

    • Something you know.
    • Something you have.
    • Something you are.
    • Something you do.
    • Somewhere you are.

    “But wait a minute,” some of you are saying. “Didn’t you just say that there is a sixth factor of authentication, ‘Somewhat you why?'”

    For the purposes of this job interview, there isn’t! I confined myself to the five factors only during the discussion, using examples such as passwords, driver’s licenses, faces, actions, and smartphone geolocation information.

    But in the end, my caution was of no avail. I DIDN’T make it to the next stage of interviews.

    Maybe I SHOULD have mentioned “Somewhat you why” after all.

    Bredemarket’s Name for the Sixth Factor of Authentication

    Depending upon whom you ask, there are either three or five factors of authentication.

    Unless you ask me.

    I say that there are six.

    Let me explain.

    First I’ll discuss what factors of authentication are, then I’ll talk about the three factor and five factor school, then I’ll briefly review my thoughts on the sixth factor—now that I know what I’ll call it.

    What are factors of authentication?

    Before proceeding to factors of authentication, let’s review TechTarget’s definition of authentication.

    Authentication is the process of determining whether someone or something is, in fact, who or what it says it is.

    From https://www.techtarget.com/searchsecurity/definition/authentication

    For purposes of this post I’m going to stay away from the “something” part and concentrate on the “someone” part.

    By USA International Trade Administration – https://www.youtube.com/watch?v=GLKDFhCjaY4, Public Domain, https://commons.wikimedia.org/w/index.php?curid=67067635

    For example, if Warren Buffett has a bank account, and I claim that I am Warren Buffett and am entitled to take money from that bank account, I must complete an authentication process to determine whether I am entitled to Warren Buffett’s money. (Spoiler alert: I’m not.)

    So how do I authenticate? There are many different ways to authenticate, which can be grouped into several authentication factors. Here’s how Sumo Logic defines “authentication factor.”

    An authentication factor is a special category of security credential that is used to verify the identity and authorization of a user attempting to gain access, send communications, or request data from a secured network, system or application….Each authentication factor represents a category of security controls of the same type. 

    From https://www.sumologic.com/glossary/authentication-factor/

    When considering authentication factors, the whole group/category/type definition is important. For example, while a certain system may require both a 12-character password and a 4-digit personal identification number (PIN), these are pretty much the same type of authentication. It’s just that the password is longer than the PIN. From a security perspective, you don’t gain a lot by requiring both a password and a PIN. You would gain more by choosing a type of authentication that is substantially different from passwords and PIN.

    How many factors of authentication are there?

    So how do we define the factors of authentication? Different people have different definitions.

    Three factors of authentication

    For the most part, I believe that everyone agrees on at least three factors of authentication. As I noted in a prior post on factors of authentication, NIST defines the following three factors:

    Factors include: (i) something you know (e.g. password/personal identification number (PIN)); (ii) something you have (e.g., cryptographic identification device, token); or (iii) something you are (e.g., biometric).

    From https://csrc.nist.gov/glossary/term/Multi_Factor_Authentication, cited in https://bredemarket.com/2022/03/19/remember-the-newer-factors-of-authentication/

    Note that NIST’s three factors are very different from one another. Knowing something (such as a password or a PIN) differs from having something (such as a driver’s license) or being something (a fingerprint or a face).

    But some people believe that there are more than three factors of authentication.

    Five factors of authentication

    Let’s add two factors to the definition trumpeted by NIST. People such as The Cybersecurity Man have included all five in their definition.

    • Something you know.
    • Something you have.
    • Something you are.
    • Something you do.
    • Somewhere you are.

    For more information, see my March 2021 post on the five factors of authentication.

    But are there only five?

    Six factors of authentication

    In April 2022, I began wondering if there is a sixth authentication factor. While I struggled to put it into the “some xxx you xxx” format, I was able to encapsulate what this sixth factor was.

    What about the authentication factor “why”?

    This proposed factor, separate from the other factors, applies a test of intent or reasonableness to any identification request.

    From https://bredemarket.com/2022/04/12/the-sixth-factor-of-multi-factor-authentication-you-heard-it-here-first/
    Why is this man smoking a cigarette outdoors? By Marek Slusarczyk, CC BY 3.0, https://commons.wikimedia.org/w/index.php?curid=108924712

    Over the months, I struggled through some examples of the “why” factor.

    • Why is a person using a credit card at a McDonald’s in Atlantic City? (Link) Or, was the credit card stolen, or was it being used legitimately?
    • Why is a person boarding a bus? (Link) Or, was the bus pass stolen, or was it being used legitimately?
    • Why is a person standing outside a corporate office with a laptop and monitor? (Link) Or, is there a legitimate reason for an ex-employee to gain access to the corporate office?

    As I refined my thinking, I came to the conclusion that “why” is a reasonable factor of authentication, and that this was separate from the other authentication factors (such as “something you do”).

    And the sixth factor of authentication is called…

    You’ll recall that I wanted to cast this sixth authentication factor into the “some xxx you xxx” format.

    So, as of today, here is the official Bredemarket list of the six factors of authentication:

    • Something you know.
    • Something you have.
    • Something you are.
    • Something you do.
    • Somewhere you are.

    (Drumroll…)

    • Somewhat you why.

    Yes, the name of this factor stands out from the others like a sore thumb (probably a loop).

    From NIST’s FpVTE documentation https://www.nist.gov/system/files/documents/2021/07/19/ir_7123b_fpvte.pdf

    However, the performance of this factor stands out from the others. If we can develop algorithms that accurately measure the “why” reasonableness of something as a way to authenticate identity, then our authentication capabilities will become much more powerful.

    Testing My Sixth Authentication Factor on One Real and Two Imagined Corporate Office Visits

    This is the third post in a series on my proposed sixth factor of authentication.

    Perhaps you’ve heard people say there are three factors of authentication, or four factors of authentication, or five factors of authentication.

    But what if there are six?

    I know what you’re thinking, punk. You’re thinking: did he define 6 factors of authentication, or only 5? (Repurposing Dirty Harry, whose sixth bullet must have 404’ed.)

    By unknown – Screenshot from the DVD version of the 1971 film Dirty Harry, extracted from Harry’s infamous “do ya feel lucky” monologue, Fair use, https://en.wikipedia.org/w/index.php?curid=6867681

    Introduction: what are factors of authentication, anyway?

    Authentication is the process of determining whether a person is truly THE person who is associated with a particular account, such as a computer login or a bank account.

    Five authentication factors

    There are many ways in which you can authenticate yourself, but (as I previously noted before starting the “6fa” series) all of these methods fall into up to five general categories, or “factors.”

    1. Something you know.
    2. Something you have.
    3. Something you are.
    4. Something you do.
    5. Somewhere you are.

    By the way, if you provide a password, a PIN, your mother’s maiden name, and the name of your favorite pet, that is not four authentication factors, but four instances of the same authentication factor (something you know). And this is not a recipe for robust security.

    From https://www.nist.gov/news-events/news/2009/04/new-nist-guidelines-organization-wide-password-management

    For another example of multiple uses of the same factor, see kao’s post in Life in Hex.

    What if there is a sixth authentication factor?

    In April 2022, while I was consulting for the identity industry but not employed by it, I proposed a sixth authentication factor.

    I’d like to propose a sixth authentication factor.

    What about the authentication factor “why”?

    This proposed factor, separate from the other factors, applies a test of intent or reasonableness to any identification request.

    From https://bredemarket.com/2022/04/12/the-sixth-factor-of-multi-factor-authentication-you-heard-it-here-first/

    Testing my theory

    Two months later, I was employed in the identity industry, and therefore Bredemarket was pivoting away from identity consulting. But I was still musing about identity topics that had nothing to do with my employment, and decided to test my sixth authentication factor theory on a case in which a person, or possibly multiple persons, were boarding buses.

    After I laid out the whole story, which involved capturing the times at which a person (or persons) boarded a bus, I wondered if there were really just five authentication factors after all.

    Now I’ll grant that “why?” might not be a sixth factor of authentication at all, but may fall under the existing “something you do” category. This factor is normally reserved for gestures or touches. For example, some facial liveness detection methods require you to move your head up, down, right, or left on command to prove that you are a real person. But you could probably classify boarding a bus as “something you do.”

    From https://bredemarket.com/2022/07/24/testing-my-sixth-authentication-factor-on-omnitrans-bus-passes/

    So I tried to think of a “why” action that couldn’t be classified as “something you do.” But I didn’t think that hard, because I was busy in my day job, and I didn’t really need 6fa in my non-identity consulting work.

    Well, that changed. So I’m revisiting the 6fa issue again, and this time I’ve devised a new test in which I visit two buildings over the course of three months. Can the sixth authentication factor truly confirm or deny my identity?

    Why am I visiting a corporate office?

    For this test, I will examine three instances—one real, two imagined—in which I visited a corporate office associated with a well-known identity verification firm.

    No, not THAT firm. By Arne Müseler / http://www.arne-mueseler.com, CC BY-SA 3.0 de, https://commons.wikimedia.org/w/index.php?curid=78985341

    As I consider whether I should be authenticated to enter the facility in question, I will use my proposed “why?” factor to measure whether there is a reasonable intent for me to be present, which could determine whether I pass or fail authentication.

    Visit number one, April 2023

    This visit really happened. One day I presented myself at a corporate office to be authenticated for entry.

    If we use my six factors of authentication, should I be allowed in?

    Let’s start with the first five factors:

    • Something you know, have, and are. Without disclosing confidential information about the corporate office’s security procedures, I can simply say that I satisfied all three of these factors.
    • Something you do. It is a matter of public record that the corporation that controls this corporate office does not employ active liveness, but instead employs passive liveness. Therefore I can disclose that when visiting this corporate office, I didn’t have to shake my head in one hundred different directions to prove that I was a live person.
    • Somewhere you are. It sounds silly, but let’s ask the question anyway. If I want to physically enter a corporate office, am I at that corporate office? It is possible to detect that my phone is there (something you have), but does that necessarily mean that I am there (something you are)? To simplify things, let’s assert that I passed the “somewhere you are” test, and that I was truly outside of the corporate office, waiting to get in.

    Now let’s apply the sixth factor, why/intent/reasonableness. Was there a reason why I was standing outside the office door?

    In this case, there was a reason why I was there. I was a member of the Marketing Department, and the entire Marketing Department was gathering for a week-long meeting at the corporate office. So my presence there was legitimate.

    Authentication: PASSED.

    Visit number two, June 2023

    This visit never happened except in my imagination. But would would have occurred if I had presented myself at the corporate office this month?

    Let’s start by going through the five authentication factors again.

    • Something you know, have, and are. Without disclosing confidential information, I can simply say that in this instance I would have failed at least one of the three authentication factors. Obviously not the “something you are” factor, since I was still the same person that I was two months previously, but I would have failed at least one of the other two.
    • Something you do. Again, no liveness testing, so “something you do” would not apply.
    • Somewhere you are. Let’s assert that I would have again passed the “somewhere you are” test, and that I was truly outside of the corporate office, waiting to get in.

    So I’ve already failed one or two of the five authetication factors, but would I fail the sixth?

    Yes, because there was no valid reason for me to enter the corporate office.

    Why not?

    Because by June 2023 I was no longer an employee, and therefore had no intent or reason to visit the corporate office. I didn’t work there, after all.

    (And incidentally, this is why I would have failed one or two of the other authentication factors. Because I was no longer an employee, I no longer knew something and/or had something I needed to enter the office.)

    Authentication: FAILED.

    Visit number three, June 2023

    This visit never happened either, except in my imagionation. Let’s assume all of the facts from visit number two, with one critical exception: I arrived at the corporate office carrying computer equipment.

    So how does the authentication process unfold now?

    • Something you know, have, and are. The presence of computer equipment would not have changed these three authentication factors. I still would have passed the “something you are” factor and failed one or both of the other two. (In this instance, computer equipment does not count as “something you have.”)
    • Something you do. Again, no liveness testing, so “something you do” would not apply.
    • Somewhere you are. Let’s assert that I would have again passed the “somewhere you are” test, and that I was truly outside of the corporate office, waiting to get in.

    Now let’s turn to the sixth authentication factor. No, I am not a current employee who is usually entitled to visit the corporate office, but my possession of computing equipment introduces a new variable into the why/intent/reasonableness factor.

    Why? Because the computer equipment belonged to the company, and in this instance I would have been visiting the corporate office to return the computer equipment to the company.

    Authentication: PASSED.

    So I guess there IS a sixth authentication factor

    And there you have it.

    In visits number two and three, all of the standard five authentication factors provided identical results. In both instances:

    • I passed the something you are test.
    • I failed the something you know and/or the something you have test.
    • Something you do was never tested.
    • I passed the somewhere you are test.

    But for visit number two authentication failed, while for visit number three authentication passed, solely on the basis of the sixth authentication factor. I had no valid reason to be at the corporate office…except to return the company’s equipment.

    So the sixth authentication factor exists in theory, but it will take some work to make it a reality.

    By en:User:Cburnett – This W3C-unspecified vector image was created with Inkscape ., CC BY-SA 3.0, https://commons.wikimedia.org/w/index.php?curid=1496812

    So now how do I make a ton of money by bringing this sixth authentication factor to market?

    As I said over a year ago…

    Maybe I should speak to a patent attorney.

    From https://bredemarket.com/2022/04/12/the-sixth-factor-of-multi-factor-authentication-you-heard-it-here-first/