Move Fast And DON’T Break Things: IK Ratings

Trade shows for outdoor-grade access control devices can be fun. When I attended an ISC West conference many years ago, our booth staff occupied ourselves with dropping steel weights on biometric access control devices.

Because that’s cool.

And that’s an effective way to prove that access control devices can survive harsh environments.

Of course there’s a standard for impact resistance (IEC 62262), and Stratasys explains how the “IK” ratings work and are applied. In essence, the tests involve…dropping steel weights. It’s science, folks.

“The test apparatus includes pendulum hammers or steel spheres of different weights (from 0.25 kg to 5 kg) that strike the device with precisely measured kinetic energy.”

The impact energy is measured in joules: the more joules of impact a device can withstand, the higher its IK rating. A few applications and examples:

  • Consumer-grade smartphones and tablets are usually IK04 to IK05, or 0.5 to 0.7 joules.
  • Outdoor security devices (biometric readers, cameras) and construction-grade tablets are usually IK06 to IK07, or 1-2 joules.
  • “Industrial strength” devices are usually IK08, or 5 joules. The test case: “surviving a direct hit from a 1.7 kg hammer dropped from 30 cm.”
  • “Indestructible.” Once you go to IK09-IK10, or 10-20 joules, you’re talking about the ability to “survive a 5 kg hammer dropped from 40 cm.” Military stuff. Prison stuff. If you need IK10 devices, I probably don’t want to know about it.

Now we could wish that our smartphones were IK10, but we wouldn’t want to pay the premium price for it. So we reduce our expectations to fit our budget. But not too much: putting an indoor device at a building door is a false economy.

Who or What Requires Authorization?

There are many definitions of authorization, but the one in RFC 4949 has the benefit of brevity.

“An approval that is granted to a system entity to access a system resource.”

Non-person Entities Require Authorization

Note that it uses the word “entity.” It does NOT use the word “person.” Because the entity requiring authorization may be a non-person entity.

I made this point in a previous post about attribute-based access control (ABAC), when I quoted from the 2014 version of NIST Special Publication 800-162. Incidentally, if you wonder why I use the acronym NPE (non-person entity) rather than the acronym NHI (non-human identity), this is why.

“A subject is a human user or NPE, such as a device that issues access requests to perform operations on objects. Subjects are assigned one or more attributes.”

If you have a process to authorize people, but don’t have a process to authorize bots, you have a problem. Matthew Romero, formerly of Veza, has written about the lack of authorization for non-human identities.

“Unlike human users, NHIs operate without direct oversight or interactive authentication. Some run continuously, using static credentials without safeguards like multi-factor authentication (MFA). Because most NHIs are assigned elevated permissions automatically, they’re often more vulnerable than human accounts—and more attractive targets for attackers. 

“When organizations fail to monitor or decommission them, however, these identities can linger unnoticed, creating easy entry points for cyber threats.”

Veza recommends that people use a product that monitors authorizations for both human and non-human identities. And by the most amazing coincidence, Veza offers such a product.

People Require Authorization

And of course people require authorization also. They need authorization:

It’s not enough to identify or authenticate a person or NPE. Once that is done, you need to confirm that this particular person has the authorization to…launch a nuclear bomb. Or whatever.

Your Customers Require Information on Your Authorization Solution

If your company offers an authorization solution, and you need Bredemarket’s content, proposal, or analysis consulting help, talk to me.

Access and “Somewhat You Why”

In case you missed it, I’ve been pushing a sixth factor of authentication called “Somewhat You Why.”

“As I refined my thinking, I came to the conclusion that “why” is a reasonable factor of authentication, and that this was separate from the other authentication factors (such as “something you do”).”

And now Identity Jedi Harvey Lee is also asking the “why” question, but specifically in terms of access control.

“[B]ecause we couldn’t determine why someone needed access, we built systems that tried to guess the answer for us….

“Roles were never about “least privilege.” Roles were our attempt to predict intent at scale. And like most predictions, especially in complex systems, they were right until they weren’t….

“Instead of front-loading permissions for every possible future scenario, we authorize the current scenario. Identity might still be the new perimeter — but intent is the new access key.”

Read “Intent Is the New Access Key.”

For example, if a dehydrated man wants to unlock a water tank, I have a pretty good idea of his intent.


The Healthy Otter: When AI Transcriptions are HIPAA Compliant

When I remember to transcribe my meetings, and when I CAN transcribe my meetings, my meeting transcriber of choice happens to be otter.ai. And if I’m talking to a healthcare prospect or client, and when they grant permission to transcribe, the result is HIPAA compliant.

Otter.ai explains the features that provide this:

Getting HIPAA compliant wasn’t just about checking a box – we’ve implemented some serious security upgrades:

  • Better encryption to keep protected health information (PHI) locked down
  • Tighter access controls so only the right people see sensitive data
  • Team training to make sure everyone knows HIPAA inside and out
  • Regular security audits to stay on top of our game

This builds on our existing SOC 2 Type II certification, so you’re getting enterprise-grade security across the board.

HIPAA privacy protections affect you everywhere.

The Quantum Fraudster: Why RSA-4096 and Your Strongest Passwords Will Soon Be Trivial to Break

Are your fraud protections obsolete before the quantum era even begins? I previously wrote about algorithms that purport to protect against quantum-powered fraud. See my October post “Is the Quantum Security Threat Solved Before It Arrives? Probably Not.”

Let’s take a step back from Module-Lattice-Based Digital Signature Standards (NIST FIPS 204) and see what quantum-infused fraudsters can do to bypass your security protections. Your “practically unbreakable” security system today may be wide open in 10 years…or 5 years.

Shor’s Algorithm

To understand how fraud can occur, you need to understand (Peter) Shor’s Factoring Algorithm.

Peter Shor speaking after receiving the 2017 Dirac Medal from the ICTP. By International Centre for Theoretical Physics, CC BY 3.0, https://commons.wikimedia.org/w/index.php?curid=75565986.

According to Classiq, Shor’s Factoring Algorithm can find the prime factors of any number, including very large numbers.

“Factoring numbers with Shor’s algorithm begins with selecting a random integer smaller than the number to be factored. The classically-calculated greatest common divisor (GCD) of these two numbers, the random number and the target number, is then used to determine whether the target number has already been factored accidentally. For smaller numbers, that’s a possibility. For larger numbers, a supercomputer could be needed. And for numbers that are believed to be cryptographically secure, a quantum computer will be needed.”

So what? I appreciate that people like the late Richard Crandall were into finding prime numbers with 20th century technology, but how does that relate to whether a fraudster can drain my bank account?

Breaking RSA encryption

It definitely relates, according to the MIT Technology Review. This article was written back in 2019.

“[C]omputer scientists consider it practically impossible for a classical computer to factor numbers that are longer than 2048 bits, which is the basis of the most commonly used form of RSA encryption.

“Shor showed that a sufficiently powerful quantum computer could do this with ease, a result that sent shock waves through the security industry.  

“And since then, quantum computers have been increasing in power. In 2012, physicists used a four-qubit quantum computer to factor 143. Then in 2014 they used a similar device to factor 56,153.”

The largest recent record number that I found was 261,980,999,226,229, as described in this paper. It should be noted that many of these numbers were factored by a variety of methods: using a pure Shor’s Factoring Algorithm, the maximum number factored so far is 21.
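The classical skeleton of the procedure Classiq describes, as an added example (not code from Classiq, the cited papers, or this post): pick a random integer, check the GCD, then use the multiplicative order to split the number. The order-finding step is brute-forced here, which is the step Shor's algorithm assigns to the quantum computer; the function names are this example's own, and 21, 143 and 56,153 are used only because they appear above.

```python
import math
import random

def multiplicative_order(a, n):
    """Smallest r > 0 with a**r % n == 1 (requires gcd(a, n) == 1).
    Brute force: this loop is the exponential-time step that Shor's
    algorithm replaces with quantum period finding."""
    r, x = 1, a % n
    while x != 1:
        x = (x * a) % n
        r += 1
    return r

def shor_classical(n, rng=None, max_tries=50):
    """Return a factor pair (p, q), p <= q, of a composite n.
    Raises ValueError for primes and odd prime powers, where the
    order-finding trick cannot produce a nontrivial square root of 1."""
    if n < 4:
        raise ValueError("n must be a composite number >= 4")
    if n % 2 == 0:
        return 2, n // 2
    rng = rng or random.Random(0)      # fixed seed: repeatable demo
    for _ in range(max_tries):
        a = rng.randrange(2, n - 1)    # the "random integer smaller than n"
        g = math.gcd(a, n)
        if g > 1:                      # factored "accidentally" by the GCD
            return tuple(sorted((g, n // g)))
        r = multiplicative_order(a, n)
        if r % 2 == 1:
            continue                   # odd order is unusable, pick a new a
        y = pow(a, r // 2, n)          # y*y == 1 (mod n) and y != 1
        if y == n - 1:
            continue                   # y == -1 (mod n) gives no factor
        p = math.gcd(y - 1, n)         # y != +-1, so this divisor is proper
        if 1 < p < n:
            return tuple(sorted((p, n // p)))
    raise ValueError("no factor found; n is probably prime or a prime power")

if __name__ == "__main__":
    for n in (21, 143, 56153):
        print(n, "=", "%d x %d" % shor_classical(n))
```

The running time of `multiplicative_order` grows with the size of the order, so this approach stops being practical long before numbers reach RSA sizes; that gap is what a large quantum computer would close.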

What does this mean?

So what does this mean for 2048-bit encryption? 2048 bits is equivalent to hundreds of decimal digits. I’ve found different numbers of decimal digits, but for all practical purposes I can’t calculate them anyway. Heck, I can’t calculate trillions in my head. And there’s RSA-4096 encryption, but…well, we’ll get to that.

But when quantum calculating abilities can crack algorithms, then it’s trivial to compute the number of combinations to crack an encryption…or guess a password…or generate a face.

From Microchip:

“Brute force attacks function by calculating every possible combination of passwords. As the password’s strength increases, the amount of time to crack it increases exponentially. So, in theory, if hackers tried to brute force their way into a key with AES-128 encryption, it would take approximately 1 billion years to crack with the best hardware available today [2023].

“But what if we lived in a post-quantum computing world? How long would a brute-force attack on popular cypher technologies take?…[We’re] likely still a decade or two away from Quantum computers that can easily break many of the cypher technologies in use today….

“[I]n a recently published report from Global Risk Institute (GRI), the time to break RSA-4096, which is practically impossible to break with classical computing technology, is under three days with a theoretical 1 megaqubit computer. While we are still a long way from a 1 megaqubit computer, the resources and time required are reducing rapidly at the same time we see advancements in Quantum computing which are in development.”

Yes, even RSA-4096 is vulnerable.

Now many claim that AES encryption such as AES-256 is quantum resistant, but even AES may have been breached, if you believe the claims of Chinese researchers. (But that’s a big if.)

I have no idea how much lattice-based access control mitigates these threats, but if you go around saying that strong encryption will never be broken, you are a fool.

What is the NIST FIPS 204 Module-Lattice-Based Digital Signature Standard?

In this edition of The Repurposeful Life, I’m revisiting a prior post (“Is the Quantum Security Threat Solved Before It Arrives? Probably Not.”) and extracting just the part that deals with the National Institute of Standards and Technology (NIST) Federal Information Processing Standard (FIPS) 204.

Thales used the NIST “FIPS 204 standard to define a digital signature algorithm for a new quantum-resistant smartcard: MultiApp 5.2 Premium PQC.”

The NIST FIPS 204 standard, “Module-Lattice-Based Digital Signature Standard,” can be found here. This is the abstract:

“Digital signatures are used to detect unauthorized modifications to data and to authenticate the identity of the signatory. In addition, the recipient of signed data can use a digital signature as evidence in demonstrating to a third party that the signature was, in fact, generated by the claimed signatory. This is known as non-repudiation since the signatory cannot easily repudiate the signature at a later time. This standard specifies ML-DSA, a set of algorithms that can be used to generate and verify digital signatures. ML-DSA is believed to be secure, even against adversaries in possession of a large-scale quantum computer.”

ML-DSA stands for “Module-Lattice-Based Digital Signature Algorithm.”

Now I’ll admit I don’t know a lattice from a vertical fence post, especially when it comes to quantum computing, so I’ll have to take NIST’s word for it that modules and lattice are super-good security.


But wait, there’s more!

Since I wrote my original post in October, I’ve read NordVPN’s definition of a lattice on its lattice-based access control (LBAC) page.

“A lattice is a hierarchical structure that consists of levels, each representing a set of access rights. The levels are ordered based on the level of access they grant, from more restrictive to more permissive.”

You can see how this fits into an access control mechanism, whether you’re talking about a multi-tenant cloud (NordVPN’s example) or a smartcard (Thales’ example).

Because there are some things that Tom Sawyer can access, but Injun Joe must not access.
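An added sketch of the access-control lattice in NordVPN's definition (example code, not from NordVPN, Thales, or this post). It goes one step beyond a single ordered list of levels by adding tenant compartments, so that some labels are incomparable, as in a multi-tenant cloud; the level names, tenants, and subjects are constructed for illustration.

```python
from dataclasses import dataclass

# Constructed ordering, from more restrictive access to more permissive.
LEVELS = {"public": 0, "internal": 1, "confidential": 2, "secret": 3}

@dataclass(frozen=True)
class Label:
    level: str
    compartments: frozenset = frozenset()

    def dominates(self, other):
        """True when this label is at or above `other` in the lattice:
        level at least as high AND every compartment of `other` held."""
        return (LEVELS[self.level] >= LEVELS[other.level]
                and self.compartments >= other.compartments)

def join(a, b):
    """Least upper bound: the lowest label that dominates both."""
    level = max(a.level, b.level, key=LEVELS.__getitem__)
    return Label(level, a.compartments | b.compartments)

def meet(a, b):
    """Greatest lower bound: the highest label both dominate."""
    level = min(a.level, b.level, key=LEVELS.__getitem__)
    return Label(level, a.compartments & b.compartments)

def can_read(subject, obj):
    """Read is allowed only when the subject's label dominates the object's."""
    return subject.dominates(obj)

# Constructed subjects and object: two tenants and one tenant-a document.
TOM = Label("confidential", frozenset({"tenant-a"}))
JOE = Label("secret", frozenset({"tenant-b"}))
NOTES_A = Label("internal", frozenset({"tenant-a"}))

if __name__ == "__main__":
    print("Tom reads tenant-a notes:", can_read(TOM, NOTES_A))   # True
    print("Joe reads tenant-a notes:", can_read(JOE, NOTES_A))   # False
    print("Label needed to read both tenants:", join(TOM, JOE))
```

Joe holds the higher level but not the compartment, so the check denies him: a higher clearance alone does not grant access across tenants.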


Technology Product Marketing Expert

Are you a technology marketing leader, struggling to market your products to your prospects for maximum awareness, consideration, and conversion?

I’m John E. Bredehoft. For over 30 years, I’ve created strategy and tactics to market technical products for over 20 B2B/B2G companies and consulting clients.

But my past isn’t as important as your present challenges. Let’s talk about your specific needs and how I would approach solving them.

Consulting: Bredemarket at https://bredemarket.com/mark/

Employment: LinkedIn at https://linkedin.com/in/jbredehoft/


Revisiting Amazon One

Because my local Amazon Fresh post is taking off, it’s a good time to revisit the “one” thing Uplanders will encounter when they get there.

I’ve talked about Amazon One palm/vein biometrics several times in the past.

Meanwhile, Amazon One is available at over 400 U.S. locations, with more on the way.

And it’s also available (or soon will be) on TP-Link door locks. But the How-To Geek writer is confused:

“TP-Link says that these palm vein patterns are so unique that they can even tell the difference between identical twins, making them safer than regular fingerprint or facial recognition methods.”

Um…fingerprints? Must be a Columbia University grad.

And the TP-Link page for the product has no sales restrictions. Even Illinois residents can buy it. Presumably there’s an ironclad consent agreement with every enrollment to prevent BIPA lawsuits.
