BigBear.ai’s Digital Identity Products

One of my more popular posts during the past year (October 2023 to September 2024) was one that I wrote way back in 2021, “Pangiam, CLEAR, and others make a “sporting” effort to deny (or allow) stadium access.”

A lot has happened since then. (The acquisition of Pangiam by BigBear.ai closed in March of this year.)

Here is how BigBear.ai describes its digital identity offerings in 2024:

  • Pangiam: BigBear.ai’s digital identity brand, harnessing facial recognition, image-based anomaly detection and advanced biometrics with computer vision and predictive analytics.
  • Trueface: Performs one of the fastest one-to-many (1:N) facial matches with real-time photos, delivering safe and efficient identity verification.
  • veriScan™: Securely captures and transmits real-time photos into a biometric matching service supporting access control and biometric boarding/bag tags.
  • Dartmouth: Delivers real-time image-based anomaly detection for enhanced 3D baggage screening.

All these products, including Dartmouth, were developed before the BigBear.ai acquisition. (Where is Pangiam Bridge?)

We’ll have to wait and see what happens next.

On Attribute-Based Access Control

In this post I’m going to delve more into attribute-based access control (ABAC), comparing it to role-based access control (RBAC, or what Printrak BIS used), and directing you to a separate source that examines ABAC’s implementation.

(Delve. Yes, I said it. I told you I was temperamental. I may say more about the “d” word in a subsequent post.)

But first I’m going to back up a bit.

Role-based access control

As I noted in a LinkedIn post yesterday:

Back when I managed the Omnitrak and Printrak BIS products (now part of IDEMIA’s MBIS), the cool kids used role-based access control.

My product management responsibilities included the data and application tours, so user permissions fell upon me. Printrak BIS included hundreds of specific permissions that governed its use by latent, tenprint, IT, and other staff. But when a government law enforcement agency onboarded a new employee, it would take forever to assign the hundreds of necessary permissions to the new hire.

Enter roles, as a part of role-based access control (RBAC).

If we know, for example, that the person is a latent trainee, we can assign the necessary permissions to a “latent trainee” role.

  • The latent trainee would have permission to view records and perform primary latent verification.
  • The latent trainee would NOT have permission to delete records or perform secondary latent verification.

As the trainee advanced, their role could change from “latent trainee” to “latent examiner” and perhaps to “latent supervisor” some day. One simple change, and all the proper permissions are assigned.

But what of the tenprint examiner who expresses a desire to do latent work? That person can have two roles: “tenprint examiner” and “latent trainee.”

Role-based access control certainly eased the management process for Printrak BIS’ government customers.

But something new was brewing…

Attribute-based access control

As I noted in my LinkedIn post, the National Institute of Standards and Technology released guidance in 2014 (since revised). The document is NIST Special Publication 800-162, Guide to Attribute Based Access Control (ABAC) Definition and Considerations, and is available at https://doi.org/10.6028/NIST.SP.800-162.

Compared to role-based access control, attribute-based access control is a teeny bit more granular.

Attributes are characteristics of the subject, object, or environment conditions. Attributes contain information given by a name-value pair.

A subject is a human user or NPE, such as a device that issues access requests to perform operations on objects. Subjects are assigned one or more attributes. For the purpose of this document, assume that subject and user are synonymous.

An object is a system resource for which access is managed by the ABAC system, such as devices, files, records, tables, processes, programs, networks, or domains containing or receiving information. It can be the resource or requested entity, as well as anything upon which an operation may be performed by a subject including data, applications, services, devices, and networks.

An operation is the execution of a function at the request of a subject upon an object. Operations include read, write, edit, delete, copy, execute, and modify.

Policy is the representation of rules or relationships that makes it possible to determine if a requested access should be allowed, given the values of the attributes of the subject, object, and possibly environment conditions.

So before you can even start to use ABAC, you need to define your subjects and objects and everything else.

Frontegg provides some excellent examples of how ABAC is used in practical terms. Here’s a government example:

For example, a military officer may access classified documents only if they possess the necessary clearance, are currently assigned to a relevant project, and are accessing the information from a secure location.

Madame Minna Craucher (right), a Finnish socialite and spy, with her chauffeur Boris Wolkowski (left) in 1930s. By Anonymous – Iso-Markku & Kähkönen: Valoa ja varjoa: 90 kuvaa Suomesta, s. 32. (Helsinki 2007.), Public Domain, https://commons.wikimedia.org/w/index.php?curid=47587700.

While (in my completely biased opinion) Printrak BIS was the greatest automated fingerprint identification system of its era, it couldn’t do anything like THAT. A Printrak BIS user could have a “clearance” role, but Printrak BIS had no way of knowing whether a person is assigned to an appropriate project or case, and Printrak BIS’ location capabilities were rudimentary at best. (If I recall correctly, we had some capability to restrict operations to particular computer terminals.)

As you can see, ABAC goes far beyond whether a PERSON is allowed to do things. It recognizes that people may be allowed to do things, but only under certain circumstances.
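To make the contrast concrete, here is an added worked example (my code, not anything from the post, from Printrak BIS, or from NIST SP 800-162). The first half models the role-based scheme described above: a role bundles permissions, a user's effective permissions are the union over the roles held, and a promotion is a single role swap. The second half models the Frontegg "military officer" rule as an ABAC policy evaluated over subject, object and environment attributes. Role names follow the post; the permission strings, the clearance ladder, the `Request` type and the `location` attribute are my own assumptions.

```python
"""RBAC vs. ABAC: an added worked example (not code from the post).

Role names follow the post's Printrak BIS story; the permission strings,
clearance ladder and attribute names are constructed for illustration.
"""
from dataclasses import dataclass

# ---- RBAC: a role is a named bundle of permissions -----------------------
ROLE_PERMISSIONS = {
    "latent trainee":    {"view_record", "latent_verify_primary"},
    "latent examiner":   {"view_record", "latent_verify_primary",
                          "latent_verify_secondary"},
    "latent supervisor": {"view_record", "latent_verify_primary",
                          "latent_verify_secondary", "delete_record"},
    "tenprint examiner": {"view_record", "tenprint_verify"},
}


def rbac_permissions(roles):
    """Effective permissions are the union over every role the user holds,
    so a tenprint examiner who is also a latent trainee gets both sets."""
    perms = set()
    for role in roles:
        perms |= ROLE_PERMISSIONS[role]
    return perms


def rbac_allowed(roles, permission):
    return permission in rbac_permissions(roles)


def promote(roles, old_role, new_role):
    """One change swaps the role; all the right permissions follow."""
    return [new_role if r == old_role else r for r in roles]


# ---- ABAC: rules over subject, object and environment attributes --------
CLEARANCE_LEVEL = {"unclassified": 0, "confidential": 1,
                   "secret": 2, "top secret": 3}


@dataclass
class Request:
    subject: dict       # e.g. {"clearance": "secret", "projects": ("alpha",)}
    obj: dict           # e.g. {"type": "document", "classification": "secret", "project": "alpha"}
    operation: str      # e.g. "read"
    environment: dict   # e.g. {"location": "secure"}


def classified_document_rule(req):
    """Frontegg's example as a rule: read a classified document only with
    sufficient clearance, assignment to the document's project, and access
    from a secure location. Unknown classifications are treated as too high
    to satisfy, so a malformed object attribute denies rather than allows."""
    if req.operation != "read" or req.obj.get("type") != "document":
        return False
    needed = CLEARANCE_LEVEL.get(req.obj.get("classification"), 99)
    held = CLEARANCE_LEVEL.get(req.subject.get("clearance"), -1)
    clearance_ok = held >= needed
    project_ok = req.obj.get("project") in req.subject.get("projects", ())
    location_ok = req.environment.get("location") == "secure"
    return clearance_ok and project_ok and location_ok


def abac_allowed(req, rules=(classified_document_rule,)):
    """Deny by default; allow only if some rule explicitly permits."""
    return any(rule(req) for rule in rules)


if __name__ == "__main__":
    trainee = ["latent trainee"]
    print("trainee primary verify:", rbac_allowed(trainee, "latent_verify_primary"))
    print("trainee delete:", rbac_allowed(trainee, "delete_record"))
    examiner = promote(trainee, "latent trainee", "latent examiner")
    print("examiner secondary verify:", rbac_allowed(examiner, "latent_verify_secondary"))

    officer = {"clearance": "secret", "projects": ("alpha",)}
    doc = {"type": "document", "classification": "secret", "project": "alpha"}
    print("from secure site:", abac_allowed(Request(officer, doc, "read", {"location": "secure"})))
    print("from home:", abac_allowed(Request(officer, doc, "read", {"location": "home"})))
```

The point the post makes shows up in the last two lines: the same officer, with the same role-like "clearance," is allowed from one location and denied from another. The RBAC half has no place to put that condition; a "clearance" role would grant the read everywhere.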

Implementing attribute-based access control

As I noted, it takes a lot of front-end work to define an ABAC implementation. I’m not going to delve into that complexity, but Gabriel L. Manor did, touching upon topics such as:

  • Policy as Code
  • Unstructured vs. Structured Rules
  • Policy configuration using the Open Policy Administration Layer (OPAL)

You can read Manor’s thoughts here (“How to Implement Attribute-Based Access Control (ABAC) Authorization?”).

And there are probably ways to simplify some of this.

Scientific Literature about Biometric Applications in Education

I recently wrote a blog post that addressed educational identity.

It turns out I missed some things.

While searching for a post-COVID article that discussed the use of biometrics in education (to supplement my existing educational identity information), I found an entire scientific paper on the topic.

The paper, “Biometric applications in education,” was shared on the U.S. National Library of Medicine website.

Here’s an excerpt from the abstract:

Educational institutions are acquiring novel technologies to help make their processes more efficient and services more attractive for both students and faculty. Biometric technology is one such example that has been implemented in educational institutions with excellent results. In addition to identifying students, access control, and personal data management, it has critical applications to improve the academic domain’s teaching/learning processes. Identity management system, class attendance, e-evaluation, security, student motivations, and learning analytics are areas in which biometric technology is most heavily employed.

From https://www.ncbi.nlm.nih.gov/pmc/articles/PMC8318548/

Hmm…I didn’t even think about class attendance. But a camera capturing faces that walk into the classroom or join the online webinar should do the trick.

You can read the full paper here.

Clearview AI and Ukraine: when a company pursues the interests of its home country

In the security world (biometrics, access control, cybersecurity, and other areas), there has been a lot of discussion about the national origins and/or ownership of various security products.

If a particular product originates in country X, then will the government of country X require the product to serve the national interests of country X?

You see the effects of this everywhere:

  • FOCI mitigation at U.S. subsidiaries of foreign countries.
  • Marketing materials that state that a particular product is the best “among Western vendors” (which may or may not explain why this is important – see the second caveat here for examples).
  • European Union regulations that serve to diminish American influence.
  • The policies of certain countries (China, Iran, North Korea, Russia) that serve to eliminate American influence entirely.

Clearview AI, Ukraine, and Russia

Clearview AI is a U.S. company, but its relationship with the U.S. government is, in Facebook terms, “complicated.”

It’s complicated primarily because “the U.S. government” consists of a number of governments at the federal, state, and local level, and a number of agencies within these governments that sometimes work at cross-purposes with one another. Some U.S. government agencies love Clearview AI, while others hate it.

However, according to Reuters, the Ukrainian government can be counted in the list of governments that love Clearview AI.

Ukraine is receiving free access to Clearview AI’s powerful search engine for faces, letting authorities potentially vet people of interest at checkpoints, among other uses, added Lee Wolosky, an adviser to Clearview and former diplomat under U.S. presidents Barack Obama and Joe Biden.

From https://www.reuters.com/technology/exclusive-ukraine-has-started-using-clearview-ais-facial-recognition-during-war-2022-03-13/

But before you assume that Clearview is just helping anybody, Reuters also pointed this out.

Clearview said it had not offered the technology to Russia…

From https://www.reuters.com/technology/exclusive-ukraine-has-started-using-clearview-ais-facial-recognition-during-war-2022-03-13/

Here is an example of a company that is supporting certain foreign policies of the government in which it resides. Depending upon your own national origin, you may love this example, or you may hate this example.

Of course, even some who support U.S. actions in Ukraine may not support Clearview AI’s actions in Ukraine. But that’s another story.

What’s in a rename? (Or, what is an oosto?)

The naming, or renaming, of a company is an important step in a company’s journey. While one should rightly concentrate on mission statements and processes and the like, the first impression many people will have of a company is its name.

So it’s important to get it right.

How my company was named

Sometimes the naming of a company is a relatively simple affair. For example, the company name “Bredemarket” is a combination of the beginning of my last name, Bredehoft, with the word market (derived from marketing).

Certainly the name is open to confusion (not that I was planning on doing business in East Sussex), but the name does communicate what the company is about.

I guess I could have called the company Bredewrite, but Bredemarket has grown on me.

Sometimes the naming of a company gets a little more involved.

How my former employer was renamed

When Oberthur was merged with the Morpho portion of Safran, the combined company needed a name (Oberthur was ruled out). So the company adopted the name “OT-Morpho,” indicating the heritage of the two parts of the company.

However, OT-Morpho was never intended to be the permanent name of the company. Everyone knew that the company would be renamed at some point in the future.

A few months later, as part of a razzle dazzle event, the new name of the company was revealed to an in-person audience in France and to people watching remotely all over the world (including myself).

If you don’t want to watch the entire video, the new name was…IDEMIA.

Some thought went into this name, as the accompanying press release noted.

In a world directly impacted by the exponential growth of connected objects, the increasing globalisation of exchanges, the digitalisation of the economy and the consumerisation of technology, IDEMIA stands as the new leader in trusted identities placing “Augmented Identity” at the heart of its actions. As an expression of this innovative strategy, the group has been renamed IDEMIA in reference to powerful terms: Identity, Idea and the Latin word idem, reflecting its mission to guarantee everyone a safer world thanks to its expertise in trusted identities.

However, some people didn’t like the new name at the time, and there was a big ruckus about how to pronounce the name. But at least some thought went into the name, and potential customers at least made the connection between IDEMIA and identity, if not to the other influences.

IDEM means – The same, me too. No, IDEMIA didn’t want to position itself as a “me too” company, but as a company that asserted the identity of an individual. From http://acronymsandslang.com/definition/7720102/IDEM-meaning.html.

Some of IDEMIA’s corporate predecessors also had some stories behind their names.

  • My former employer MorphoTrak was the result of a merger between Tacoma-based Sagem Morpho and the Anaheim-based Biometric Business Unit of Motorola that was previously known as Printrak. In the same way that OT-Morpho represented the union of Oberthur and Morpho, MorphoTrak represented the union of Sagem Morpho and Printrak.
  • The Morpho in Sagem Morpho was an element of the name of the original French company that was founded in the 1980s, Morpho Systèmes. I don’t know exactly why the company was named Morpho, but the term can mean form or structure, or it can refer to a particular group of butterflies with distinct wing patterns.
  • And Printrak, a product name before it was a company name, was derived from the word fingerprint. (And presumably from the system that tracked the fingerprints.)

So even if you don’t like these names, at least some thought went behind them.

And then there are other cases.

How another company was renamed

Anyvision was a company that had been around for a while, specializing in using artificial intelligence and vision to provide security solutions. But recently the company decided to expand its focus.

[T]he company’s evolution and vision for the future…is shaped, in part, by a new collaboration with Carnegie Mellon University’s (CMU) CyLab Biometric Research Center. The CMU partnership will focus on early-stage research in object, body, and behavior recognition….

“Historically, the company has focused on security-related use cases for our watchlist alerting and touchless access control solutions….[W]e’re looking beyond the lens of security to include ways our solutions can positively impact an organization’s safety, productivity and customer experience.”

So with this expanded focus, Anyvision decided that its corporate name was too limiting. So the company announced that it was renaming itself.

The new name is…Oosto.

Now some of you may have noticed that the name “Oosto” does not convey the idea of object, body, or behavior recognition in English, Latin, Hebrew (Anyvision started in Israel), or any other known language. As far as I know. (And yes, I saw what The Names Dictionary says.)

So why Oosto? According to Chris Burt at Biometric Update:

The new name was chosen because it is short, easy to pronounce, and free from pre-existing associations….

Well, at least you don’t have to worry about how to say Oosto, unlike Eye DEM ee uh or Eye DEEM e uh or Ih dem EE uh or whatever.

And it’s short.

And it’s obviously extremely free from pre-existing associations.

Which unfortunately means that people have no idea what an “oosto” is.

But it will probably grow on us over time, just as people now use the word “IDEMIA” without a second thought.

Hopefully there isn’t a market in East Sussex named Oosto.

So who is Cubox?

Some people like to look at baseball statistics or movie reviews for fun.

Here at Bredemarket, we scan the latest one-to-many (identification) results from NIST’s Ongoing Face Recognition Vendor Test (FRVT).

Hey, SOMEBODY has to do it.

Dicing and slicing the FRVT tests

For those who have never looked at FRVT before, it does not merely report the accuracy results of searches against one database, but reports accuracy results for searches against eight different databases of different types and of different sizes (N).

  • Mugshot, Mugshot, N = 12000000
  • Mugshot, Mugshot, N = 1600000
  • Mugshot, Webcam, N = 1600000
  • Mugshot, Profile, N = 1600000
  • Visa, Border, N = 1600000
  • Visa, Kiosk, N = 1600000
  • Border, Border 10+YRS, N = 1600000
  • Mugshot, Mugshot 12+YRS, N = 3000000

This is actually good for the vendors who submit their biometric algorithms, because even if the algorithm performs poorly on one of the databases, it may perform wonderfully on one of the other seven. That’s how so many vendors can trumpet that their algorithm is the best. When you throw in other qualifiers such as “top five,” “best non-Chinese vendor,” and even “vastly improved,” you can see how dozens of vendors can issue “NIST says we’re the best” press releases.

Not that I knock the practice; after all, I myself have done this for years. But you need to know how to interpret these press releases, and what they’re really saying. Remember this when you read the vendor announcement toward the end of this post.
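To show why so many vendors can issue a "best" press release from the same report, here is an added example (my code, not NIST's and not from the post). It takes a table of per-database error rates, where lower is better, ranks every vendor separately on each of the eight databases, and asks each vendor which database it would cite. The eight database labels follow the list above; the vendor names and the numbers are constructed, not FRVT results, and `None` marks a database the vendor did not participate in.

```python
"""Per-database ranking of 1:N results: an added example, not from the post.

Lower values are better. All vendor names and numbers are constructed.
"""
DATABASES = ["Mugshot/Mugshot 12M", "Mugshot/Mugshot 1.6M", "Mugshot/Webcam",
             "Mugshot/Profile", "Visa/Border", "Visa/Kiosk",
             "Border/Border 10+YRS", "Mugshot/Mugshot 12+YRS"]

# Constructed error rates per database; None = did not participate.
RESULTS = {
    "vendor-a-000": [0.0020, 0.0015, 0.010, 0.12, 0.0030, 0.0040, 0.020, 0.0050],
    "vendor-b-003": [0.0025, 0.0018, 0.008, 0.09, 0.0028, 0.0060, 0.015, 0.0045],
    "vendor-c-000": [None,   0.0030, 0.006, 0.20, 0.0027, 0.0035, 0.030, None],
    "vendor-d-012": [0.0040, 0.0040, 0.012, 0.08, 0.0050, 0.0070, 0.010, 0.0060],
}


def rank_by_database(results):
    """Map database index -> vendors ordered best-first on that database,
    leaving out vendors with no result there."""
    order = {}
    for i in range(len(DATABASES)):
        entries = [(v, row[i]) for v, row in results.items() if row[i] is not None]
        entries.sort(key=lambda e: e[1])
        order[i] = [v for v, _ in entries]
    return order


def rank_of(results, vendor, db_index):
    """1-based rank on one database, or None if the vendor did not participate."""
    order = rank_by_database(results)[db_index]
    return order.index(vendor) + 1 if vendor in order else None


def best_claim(results, vendor):
    """(database, rank) for the vendor's strongest database: the figure a
    press release would cite. Ties keep the first database in report order."""
    best = None
    for i, db in enumerate(DATABASES):
        r = rank_of(results, vendor, i)
        if r is not None and (best is None or r < best[1]):
            best = (db, r)
    return best


def default_page_order(results, db_index=4):
    """The results page sorts by the fifth database (Visa Border) by default."""
    return rank_by_database(results)[db_index]


if __name__ == "__main__":
    print("page order:", default_page_order(RESULTS))
    for vendor in RESULTS:
        print(vendor, "would cite", best_claim(RESULTS, vendor))
```

With the constructed table every one of the four vendors ranks first on at least one database, which is exactly the situation the paragraph describes: each of them can truthfully say "number one in NIST testing," and the reader has to ask "on which database, and at what rank on the others?"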

Anyway, I went to check the current results, which when you originally visit the page are sorted in the order of the fifth database, the Visa Border database. And this is what I saw this morning (October 27):

For the most part, the top five for the Visa Border test contain the usual players. North Americans will be most familiar with IDEMIA and NEC, and Cloudwalk and Sensetime have been around for a while.

A new algorithm from a not-so-new provider

But I had never noticed Cubox in the NIST testing before. And the number attached to the Cubox algorithm, “000,” indicates that this is Cubox’s first submission.

And Cubox did exceptionally well, especially for a first submission.

As you can see by the superscripts attached to each numeric value, Cubox had the second most accurate algorithm for the Visa Border test, the most accurate algorithm for the Visa Kiosk test, and placed no lower than 12th in the six (of eight) tests in which it participated. Considering that 302 algorithms have been submitted over the years, that’s pretty remarkable for a first-time submission.

Well, as an ex-IDEMIA employee, my curious nature kicked in.

Who is Cubox?

I’ll start by telling you who Cubox is not. Specifically, Cubox is not CuBox the low-power computer.

The Cubox that submitted an algorithm to NIST is a South Korean firm with the website cubox.aero, self-described as “The Leading Provider in Biometrics” (aren’t they all?) with fingerprint and face solutions. Cubox competes in the access control and border control markets.

Cubox’s ten-year history and “overseas” page details its growth in its markets, and its solutions that it has provided in South Korea, Mongolia, and Vietnam.

And although Cubox hasn’t trumpeted its performance on its own website (at least in the English version; I don’t know about the Korean version), Cubox has publicized its accomplishment on a LinkedIn post.

Why NIST tests aren’t important

But before you get excited about the NIST results from Cubox, Sensetime, or any of the algorithm providers, remember that the NIST test is just a test. NIST cautions people about this, I have cautioned people about this (see the fourth point in this post), and Mike French has also discussed this.

However, it is also important to remember that NIST does not test operational systems, but rather technology submitted as software development kits or SDKs. Sometimes these submissions are labeled as research (or just not labeled), but in reality it cannot be known if these algorithms are included in the product that an agency will ultimately receive when they purchase a biometric system. And even if they are “the same”, the operational architecture could produce different results with the same core algorithms optimized for use in a NIST study.

The very fact that test results vary between the NIST databases explicitly tells you that a number one ranking on one database does not mean that you’ll get a number one ranking on every database. And as French reminds us, when you take an operational algorithm in an operational system with a customer database, the results may be quite different.

Which is why French recommends that any government agency purchasing a biometric system should conduct its own test, with vendor operational systems (rather than test systems) loaded with the agency’s own data.

Incidentally, if your agency needs a forensic expert to help with a biometric procurement or implementation, check out the consulting services offered by French’s company, Applied Forensic Services.

And if you need help communicating the benefits of your biometric solution, check out the consulting services offered by my own company, Bredemarket. After all, I am a biometric content marketing expert.

What is an “antimicrobial” contact fingerprint reader? And what is it NOT?

(Part of the biometric product marketing expert series)

In the COVID and (soon) post-COVID area, people don’t want to touch things. That impacts how identity products are marketed, including biometric readers.

Why contactless biometrics are “better” than contact biometrics

In the biometric world, this reluctance to touch things has served to promote CONTACTLESS biometric technologies, such as facial recognition, among other technologies. The loser in this has been fingerprint-based technologies, as several facial and iris vendors have made the claim that face/iris biometrics are contactless, while fingerprint biometrics are NOT contactless.

Well, my friends at my former employer IDEMIA might take issue with that claim, since you literally do NOT touch the fingerprint reader in IDEMIA’s MorphoWave product. IDEMIA does not (to my knowledge) make any medical claims about MorphoWave, but the company does emphasize that its contactless fingerprint reader allows for fast capture of four-finger slaps.

To protect their premises, organizations need access control solutions that are efficient, fast, and convenient. A contactless fingerprint scanner provides an optimum answer for high throughput workplaces. IDEMIA’s MorphoWave contactless fingerprint solution scans and verifies 4 fingerprints in less than 1 second, through a fully touchless hand wave gesture. Thanks to the simplicity of this gesture, the throughput can reach up to 50 people per minute.

An antimicrobial contact fingerprint reader?

But what if there were a CONTACT solution that allowed you to capture prints with a reduced fear of “bad things”?

That’s what Integrated Biometrics appears to be claiming.

Integrated Biometrics (IB), the world leader in mobile, FBI-certified biometric fingerprint scanners, and NBD Nanotechnologies (NBD Nano), the surface coating experts, today announced the inclusion of NBD’s RepelFlex MBED transparent coating on IB’s entire line of fingerprint scanners.

An ultra-thin, transparent coating, RepelFlex MBED is designed to provide outstanding antimicrobial, anti-scratch, and anti-stain protection to devices. Long-lasting and multi-functional, RepelFlex MBED is ideal for surfaces that must stand up to high throughput and harsh conditions without compromising accuracy.

So what exactly does “antimicrobial” mean?

Cluster of Escherichia coli bacteria magnified 10,000 times. By Photo by Eric Erbe, digital colorization by Christopher Pooley, both of USDA, ARS, EMU. – This image was released by the Agricultural Research Service, the research agency of the United States Department of Agriculture, with the ID K11077-1 (next)., Public Domain, https://commons.wikimedia.org/w/index.php?curid=958857

Let’s see how NBD Nano describes it.

Preventing the presence and growth of microbials on surfaces is becoming increasingly important. Antimicrobial performance is especially critical on surfaces that are accessible to the public in order to prevent the spread of stain and odor causing bacteria and microbes.

And if you drill further down in NBD Nano’s website, you find this information in a technical data sheet (PDF).

Antimicrobial Performance: Japanese Industrial Standard (JIS) Z 2801 – PASS*
*as tested by Microchem Laboratory, Round Rock, TX

Now since I’m not up to date on my Japanese Industrial Standards, I had to rely on the good folks at the aforementioned Microchem Laboratory to explain what the standard actually means.

The JIS Z 2801 method tests the ability of plastics, metals, ceramics and other antimicrobial surfaces to inhibit the growth of microorganisms or kill them. The procedure is very sensitive to antimicrobial activity and has a number of real world applications anywhere from the hospital/clinical environment to a household consumer company concerned with the ability of a material they have to allow bacterial growth.

The JIS Z 2801 method is the most commonly chosen test and has become the industry standard for antimicrobial hard surface performance in the United States.

It may be antimicrobial, but what about preventing the “C” word?

Now you may have noticed that Microchem Laboratory, NBD Nano, and Integrated Biometrics did not make any medical claims regarding their products. None of them, for example, used the “C” word in any of their materials.

There’s a very, very good reason for that.

If any of these product providers were to make specific MEDICAL claims, then any sales in the United States would come under the purview of the U.S. Food and Drug Administration.

This is something that temperature scanner manufacturers learned the hard way.

Digression: if fever scanners are fever scanners, does that mean they are fever scanners?

Remember “fever scanners”? Those devices that were (and in some cases still are) pointed at your forehead as you enter a building or another secure area? I won’t get into the issues with these devices (what happens when the scanner is placed next to a building’s front entrance on a hot day?), but I will look at some of the claims about those scanners.

About a year ago, John Honovich of IPVM began asking some uncomfortable questions about the marketing of those devices, especially after the FDA clarified what thermal imaging systems could and could not do.

When used correctly, thermal imaging systems generally have been shown to accurately measure someone’s surface skin temperature without being physically close to the person being evaluated….

Thermal imaging systems have not been shown to be accurate when used to take the temperature of multiple people at the same time. The accuracy of these systems depends on careful set-up and operation, as well as proper preparation of the person being evaluated….

Room temperature should be 68-76 °F (20-24 °C) and relative humidity 10-50 percent….

The person handling the system should make sure the person being evaluated…(h)as waited at least 15 minutes in the measurement room or 30 minutes after exercising, strenuous physical activity, bathing, or using hot or cold compresses on the face.

Let’s stop right there. For any of you who have undergone a temperature scan in the last year: how many of you have waited in a measurement room for at least 15 minutes BEFORE your temperature was taken?

Last summer I had a dentist appointment. My dentist is in Ontario, California, where the summers can get kind of hot. The protocol at this dentist’s office was to have you call the office from your car when you arrived in the parking lot, then wait for someone from the office to come outside and take your temperature before you could enter the building.

I was no dummy. I left my car and its air conditioner running while waiting for my temperature to be taken. Otherwise, who knows what my temperature reading would have been? (I also chose NOT to walk to the dentist’s office that day for the same reason.)

Back to John Honovich. He had read the FDA advice on the medical nature of thermal imaging systems, and then noted that some of the manufacturers of said systems were sort of getting around this by stating that their devices were not medical devices.

Even though the manufacturers still referred to them as “fever cameras.”

For example, one vendor (who has since changed its advertising) declared at the time that “thermal temperature-monitoring technology assists in reducing the spread of viral diseases,” even though that vendor’s device “is not a medical device and is not designed or intended for diagnosis, prevention, or treatment of any disease or condition.”

Fever scanners, testosterone supplements…and fingerprint readers

Yes, that language is similar to the language used by providers of natural supplements that, according to anecdotal evidence, work wonders. The FDA really polices this stuff.

So you really don’t want to make medical claims about ANY product unless you can back them up with the FDA. You can say that a particular product passed a particular antimicrobial standard…but you’d better not say anything else.

In fact, Integrated Biometrics only mentions the “antimicrobial” claim in passing, but spends some time discussing other benefits of the NBD Nano technology:

The inclusion of RepelFlex MBED coatings enable IB’s scanners to deliver an even higher level of performance. Surfaces are tougher and more difficult to scratch or stain, increasing their longevity while maintaining print quality even when regular cleaning is not possible due to conditions or times of heavy use.

So the treated Integrated Biometrics products are tough…like those famous 1970s crime fighters Kojak, Columbo, and Danno and the other people from Five-O. (Not that Sherlock and Watson were slouches.)

Book ’em, Danno! By CBS Television – eBay item photo front photo back, Public Domain, https://commons.wikimedia.org/w/index.php?curid=19674714