authentication – Bredemarket

Nobot Policies Hurt Your Company and Your Product

If your security software enforces a “no bots” policy, you’re only hurting yourself.

Bad bots

Yes, there are some bots you want to keep out.

“Scrapers” that obtain your proprietary data without your consent.

“Ad clickers” from your competitors that drain your budgets.

And, of course, non-human identities that fraudulently crack legitimate human and non-human accounts (ATO, or account takeover).

Good bots

But there are some bots you want to welcome with open arms.

Such as the indexers, either web crawlers or AI search assistants, that ensure your company and its products are known to search engines and large language models. If you nobot these agents, your prospects may never hear about you.

Buybots

And what about the buybots—those AI agents designed to make legitimate purchases?

Perhaps a human wants to buy a Beanie Baby, Bitcoin, or airline ticket, but only if the price dips below a certain point. It is physically impossible for a human to monitor prices 24 hours a day, 7 days a week, so the human empowers an AI agent to make the purchase.

Do you want to keep legitimate buyers from buying just because they’re non-human identities?

(Maybe…but that’s another topic. If you’re interested, see what Vish Nandlall said in November about Amazon blocking Perplexity agents.)

Nobots

According to click fraud fighter Anura in October 2025, 51% of web traffic is non-human bots, and 37% of the total traffic is “bad bots.” Obviously you want to deny the 37%, but you want to allow the 14% “good bots.”

Nobot policies hurt. If your verification, authentication, and authorization solutions are unable to allow good bots, your business will suffer.

Francesco Fabbrocino’s Five Rules of Fraud Prevention…and Bredemarket’s Caveat to Rule 2

Francesco Fabbrocino of Dunmor presented at today’s SoCal Tech Forum at FoundrSpace in Rancho Cucamonga, California. His topic? Technology in FinTech/Fraud Detection. I covered his entire presentation in a running LinkedIn post, but I’d like to focus on one portion here—and my caveat to one of his five rules of fraud detection. (Four-letter word warning.)

The five rules

In the style of Fight Club, Fabbrocino listed his five rules of fraud detection:

1. Nearly all fraud is based on impersonation.

2. Never expose your fraud prevention techniques.

3. Preventing fraud usually increases friction.

4. Fraud prevention is a business strategy.

5. Whatever you do, fraudsters will adapt to it.

All good points. But I want to dig into rule 2, which is valid…to a point.

Rule 2

If the fraudster presents three different identity verification or authentication factors, and one of them fails, there’s no need to tell the fraudster which one failed. Bad password? Don’t volunteer that information.

In fact, under certain circumstances you may not have to reveal the failure at all. If you are certain this is a fraud attempt, let the fraudster believe that the transaction (such as a wire transfer) was successful. The fraudster will learn the truth soon enough: if not in this fraud attempt, perhaps in the next one.

But “never” is a strong word, and there are some times when you MUST expose your fraud prevention techniques. Let me provide an example.

Biometric time cards

One common type of fraud is time card fraud, in which an employee claims to start work at 8:00, even though he didn’t show up for work until 8:15. How do you fool the time clock? By buddy punching, where your friend inserts your time card into the time clock precisely at 8, even though you’re not present.

Enter biometric time clocks, in which a worker must use their finger, palm, face, iris, or voice to punch in and out. It’s very hard for your buddy to have your biometric, so this decreases time clock fraud significantly.

The four-letter word

Unless you’re an employer in Illinois, or a biometric time clock vendor to employers in Illinois.

And you fail to inform the employees of the purpose for collecting biometrics, and obtain the employees’ explicit consent to collect biometrics for this purpose.

Because that’s a violation of BIPA, Illinois’ Biometric Information Privacy Act. And you can be liable for damages for violating it.

In a case like this, or a case in a jurisdiction governed by some other privacy law, you HAVE to “expose” that you are using an individual’s biometrics as a fraud prevention techniques.

But if there’s no law to the contrary, obfuscate at will.

Communicating your anti-fraud solution

Now there are a number of companies that fight the many types of fraud that Fabbrocino mentioned. But these companies need to ensure that their prospects and clients understand the benefits of their anti-fraud solutions.

That’s where Bredemarket can help.

As a product marketing consultant, I help identity, biometric, and technology firms market their products to their end clients.

And I can help your firm also.

Read about Bredemarket’s content for tech marketers and book a free meeting with me to discuss your needs.

Stop losing prospects! Use Bredemarket content for tech marketers

More information:

Bredemarket: Services, Process, and Pricing.

Gambler Legality

Follow-up to this post.

View this post on Instagram

Kalshi, Polymarket, DraftKings, FanDuel, and Gambling Legality

(Bredebot helped write small parts of this post.)

Is it only smartphone game app users who are inundated with an unrelenting barrage of Kalshi ads?

If nothing else, the barrage inspired me to research Designated Contract Markets (DCMs). A DCM is a status granted and regulated by the Commodity Futures Trading Commission (CFTC), a federal agency. As such, Kalshi argues that it is exempt from state gaming regulations because it’s not hosting gambling. It’s hosting futures trading.

But Kalshi and similar apps such as Polymarket are opposed by DraftKings, FanDuel, and other sports betting apps. They make no pretense of “trading futures,” but comply with state-level gambling regulations, and use geolocation to prohibit mobile sports betting in states such as California where it is illegal.

And both are opposed by Native American casinos governed by the Indian Gaming Regulatory Act (IGRA) of 1988, which allows sovereign tribal nations to host traditional Indian games.

And they are opposed by other card houses, racetracks, bingo games, and state sponsored lotteries.

And all are opposed by the traditional Las Vegas casinos…except when they themselves host mobile apps and strike licensing deals with Native American casinos.

But the mobile app variants not only deal with geolocation, but also digital identity verification and age verification.

And employment verification or non-verification to ensure that football players aren’t betting on football games.

Plus authentication to open the app and ensure Little Jimmy doesn’t open it.

There are all sorts of gaming identity stories…and Bredemarket can help identity/biometric marketers tell them.

Stop losing prospects! Use Bredemarket content for tech marketers

Biscuit-based Identity Authentication and Authorization

Some of us authenticate ourselves to unlock our smartphones. Others authenticate to access confidential corporate information. A few authenticate to wield the power to annihilate the world.

The football and the biscuit

In the United States, the President (Commander-in-Chief) has a “biscuit.”

“The nuclear biscuit is a card with authentication codes that acts as the President’s personal key to unlocking America’s nuclear arsenal.

“The biscuit acts a lot like a two-factor authentication device or app. Its codes are updated regularly, and it works in connection with the nuclear football to verify the President’s identity. Without the biscuit, the President can’t order a nuclear strike, even if they have the football itself.”

Factors of authentication

Here are the three authentication factors that the biscuit reportedly uses.

“Something you have is quite an obvious one, you needed to have the actual Biscuit and the codes within.

“Something you know is when you opened the Biscuit. It had many codes printed on the cards and all were false apart from one. The President would have been told the position of the real code when he first took office. He would also be told each time the Biscuit was changed.

“For something you are, the phone line the President would need to contact has no number. It can only be contacted via a secure military phone. This phone would be handed to the President by one of his security team who would obviously not hand this phone to anyone but the President.”

Now you can argue that the phone line is not a TRUE something you are factor. A devious security team member could hand the phone to someone who SOUNDS like the President.

And there’s another complication.

Passing the football

Let’s say that a President is away from Washington. Say, at a school in Florida.

And all of a sudden attacks are launched in multiple U.S. cities.

What if an attack were launched in Florida, incapacitating the President, either temporarily of permanently?

In such an attack, the country and the world cannot afford to wait for hours for the football to be flown to wherever Richard Cheney is.

The solution? Two footballs (at least).

“Believing that the vice president should be a partner in national security policymaking, President Jimmy Carter assigned a football to Vice President Walter Mondale and this became the practice for future U.S. administrations.”

Outside the U.S. Russia has a similar system called the “Cheget,” and other nuclear countries presumably have similar procedures to authenticate the persons or persons authorized to launch nuclear weapons.

Your football and biscuit

If you are an identity vendor or customer, you may have your own authentication and authorization procedures. While a breach of your procedures won’t result in the annihilation of civilization, it could create its own damage.

Do you need help describing the security of your identity solution?

Talk to Bredemarket.

Stop losing prospects! Use Bredemarket content for tech marketers

What Is Your Intent?

The Grok version of the Bredemarket blog post at https://bredemarket.com/2025/12/10/access-and-somewhat-you-why/

Grok.

Access and “Somewhat You Why”

In case you missed it, I’ve been pushing a sixth factor of authentication called “Somewhat You Why.”

“As I refined my thinking, I came to the conclusion that “why” is a reasonable factor of authentication, and that this was separate from the other authentication factors (such as “something you do”).”

And now Identity Jedi Harvey Lee is also asking the “why” question, but specifically in terms of access control.

“[B]ecause we couldn’t determine why someone needed access, we built systems that tried to guess the answer for us….

“Roles were never about “least privilege.” Roles were our attempt to predict intent at scale. And like most predictions, especially in complex systems, they were right until they weren’t….

“Instead of front-loading permissions for every possible future scenario, we authorize the current scenario. Identity might still be the new perimeter — but intent is the new access key.”

Read “Intent Is the New Access Key.”

For example, if a dehydrated man wants to unlock a water tank, I have a pretty good idea of his intent.

When Fraud Is Too Obvious, the TSA Edition

On Tuesday I will write about a way to combat document signature fraud, but today I will focus on extremely obvious fraudulent activity.

You probably haven’t tried to alter your appearance before going through an airport security checkpoint, but it’s hard to pull off.

Um…no.

The most obvious preventive measure is that airport security uses multi factor authentication. Even if the woman in the video encountered a dumb Transportation Security Administration (TSA) expert who thought she truly was Richard Nixon, the driver’s license “Nixon” presented would fail a security check.

But not all fraud is this easy to detect. Not for job applicants, not for travelers.

Continuous Authentication HAS To Be Multi-Factor

If you authenticate a person at the beginning of a session and never authenticate them again, you have a huge security hole.

For example, you may authenticate an adult delivery person and then find a kid illegally making your delivery. 31,000 Brazilians already know how to do this.

By LukaszKatlewa – Own work, CC BY-SA 4.0, https://commons.wikimedia.org/w/index.php?curid=49248622.

That’s why more secure firms practice continuous authentication for high-risk transactions.

But continuous authentication can be intrusive.

How would you feel if you had to press your finger on a fingerprint reader every six seconds?

Grok.

Enough of that and you’ll start using the middle finger to authenticate.

Even face authentication is intrusive, if it’s 3 am and you don’t feel like being on camera.

Now I’ve already said that Amazon doesn’t want to over-authenticate everything.

Grok.

But Amazon does want to authenticate the critical transactions. Identity Week:

“Amazon treats authentication as a continuous process, not a one-time event. It starts with verifying who a user is at login, but risk is assessed throughout the entire session, watching for unusual behaviours or signals to ensure ongoing confidence in the user’s identity.”

That’s right: Amazon uses “somewhat you why” as an authentication factor.

I say they’re smart.

When the Games Stopped: March 11, 2020

In late 2019 and early 2020 I was working on a project promoting biometric entry at sports facilities and concert venues…until a teeny little worldwide pandemic shut down all the sport and concert venues.

Some of you may remember that a pivotal day during that period was March 11, 2020. Among many many other things, this was the day on which basketball fans awaited the start of a game.

“8 p.m. [ET; 7 p.m. local time]: In Oklahoma City, it was just another game day for Nerlens Noel and his Thunder teammates, who were warming up to play the visiting Utah Jazz.”

The day soon became abnormal after a meeting between NBA officials and the two coaches. Unbeknownst to the crowd, the officials and coaches were discussing a medical diagnosis of Rudy Gobert. (That’s another story.)

“8:31 p.m. [ET]: Teams were sent back to their locker rooms but the crowd at Chesapeake Energy Arena weren’t informed of the cancellation immediately. Instead, recording artist Frankie J, the intended halftime entertainment, put on his show, while officials decided how to break the news.”

Eight minutes later, the crowd was instructed to leave the arena.

Twenty minutes after that, the NBA suspended all games.

A little over a month later, on April 19, millions of people were huddled in their homes, glued to the opening episode of a TV series called The Last Dance…the only basketball any of us were going to get for a while. And of course, these games were on decades-long tape delay, and we already knew the outcome. (The Chicago Bulls won.)

And that was our basketball…until the suspended season resumed on July 30 under very bizarre circumstances.

Anyway, all of that was a very long time ago.

Games and concerts have been back in business since 2021, and identity verification and authentication of venue visitors with biometrics and other factors is becoming more popular every year.