Tag Archives: authentication

Returning to Lattice Identity

The last time I delved into lattices, it was in connection with the NIST FIPS 204 Module-Lattice-Based Digital Signature Standard. To understand why the standard is lattice-based, I turned to NordVPN:

“A lattice is a hierarchical structure that consists of levels, each representing a set of access rights. The levels are ordered based on the level of access they grant, from more restrictive to more permissive.”

In essence, the lattice structure allows more elaborate access rights.

This article (“Lattice-Based Identity and Access Management for AI Agents”) discusses lattices more. Well, not explicitly; the word “lattice” only appears in the title. But here is the article’s main point:

“We are finally moving away from those clunky, “if-this-then-that” systems. The shift to deep learning means agents can actually reason through a mess instead of just crashing when a customer uses a slang word or a shipping invoice is slightly blurry.”

It then says

“Deep learning changes this because it uses neural networks to understand intent, not just keywords.”

Hmm…intent? Sounds a little somewhat you why…or maybe it’s just me.

But it appears that we sometimes don’t care about the intent of AI agents.

“If you gave a new employee the keys to your entire office and every filing cabinet on day one, you’d be sweating, right? Yet, that is exactly what many companies do with ai agents by just slapping an api key on them and hoping for the best.”

This is not recommended. See my prior post on attribute-based access control, which led me to focus more on non-person entities (non-human identities).

As should we all.

If Your Phone Has IMEI 440015202000…

When I posted (two times) the fact that International Mobile Equipment Identity (IMEI) numbers are NOT a reliable way to ascertain the identity of a user, I was pooh-poohed.

Tell that to the people of Bangladesh.

In that country, the National Equipment Identity Register (NEIR) went live on January 1, and it uncovered some surprising findings.

Turns out that tens of millions of phones in Bangladesh share their IMEIs with other phones. A single example:

“According to data generated after NEIR went live on January 1, a single IMEI, 440015202000, was found to be linked to 1,949,088 devices nationwide.”

So will you now admit that an IMEI is not a reliable way to identify an individual phone?

Two Footballs, Two Biscuits, Two Presidents: A Cybersecurity Nightmare.

Last year I wrote about a biscuit and a football, but I wasn’t talking about the snack spread on game day.

Google Gemini.

I was talking about the tools the United States President uses (as Commander-in-Chief) for identity verification to launch a nuclear attack.

But sometimes you have to pass the football. If the President is temporarily or permanently incapacitated in an attack, the Vice President also has a football and a biscuit. Normally the Vice President’s biscuit isn’t activated, but when certain Constitutional criteria are met it becomes operative.

Other than this built-in redundancy, the system assumes one football, one biscuit, and one President.

If you’re a cybersecurity expert, you know this assumption is the assumption of a fool.

  • It is not impossible to have duplicate functional footballs and duplicate functional biscuits.
  • And it is not impossible to have duplicate functional Presidents, with identical face, voice, finger, and iris biometrics. Yes, it’s highly unlikely, but it’s not impossible. If the target is important enough, adversaries will spend the money.
Grok.

And most of us will never know the answer to this question, but how do government cybersecurity experts prevent this?

Names Are Replaceable

(Patti Smith picture by Harald Krichel – Own work, CC BY-SA 4.0, https://commons.wikimedia.org/w/index.php?curid=151929930.)

My very first bad blog joke (back in October 2003) was tangentially related to knowledge-based authentication:

“When Patti Smith married Fred Smith, did she take her husband’s last name, or keep her maiden name?”

Because Patti didn’t change her name, but many people do.

Which means that even if a name is unique, it is not as accurate a form of identification as, say, irises.

If you don’t believe me, ask Richard Meyers and Thomas Joseph Miller.

Better known as Richard Hell and Tom Verlaine.

Patti Smith.

Which Department Handles Biometrics Use Case X in Country Y?

While Bredemarket only conducts business in the United States (with one exception), my clients have no such constraints.

Who are my client’s prospects?

Because of my extensive business-to-government (B2G) experience, I often work with clients that sell products and services to government agencies throughout the world. Well, except to North Korea and a few other places.

And as those clients (or their marketing and writing consultants) identify their public sector prospects, terminology becomes an issue.

And they have to answer questions such as “which government agency or agencies in Country Y potentially use biometric authentication for passengers approaching a gate in an airline terminal?”

Hint: chances are it’s NOT called the “department of transportation.”

Ministry

Add one factor that is foreign (literally) to this United States product marketing consultant.

Many of these countries have MINISTRIES.

No, not religious ministers or preachers.

Billy Graham. By Warren K. Leffler – This image is available from the United States Library of Congress’s Prints and Photographs divisionunder the digital ID ppmsc.03261.This tag does not indicate the copyright status of the attached work. A normal copyright tag is still required. See Commons:Licensing., Public Domain, https://commons.wikimedia.org/w/index.php?curid=905632.

When I say “Minister” here I refer to government officials, often from the country’s legislature, who manage a portfolio of agencies that are the responsibility of a Minister.

Sisa

Let’s take one ministry as an example: Sisäministeriö. Oops, Finland’s Ministry of the Interior. This one ministry is currently headed by Mari Rantanen of the Finns Party (part of a four-party coalition ruling Finland).

From https://kuvapankki.valtioneuvosto.fi/l/6XGsNcFkBjWV.

But Rantanen also has other responsibilities:

“Minister Rantanen is also responsible for matters related to integration covered by the Labour Migration and Integration Unit of the Ministry of Economic Affairs and Employment.”

Back to Interior. One huge clarification for U.S. people: other countries’ ministries of the interior bear no relation to the U.S. Department of the Interior, which concerns itself with parks and Native Americans and stuff. Minister Rantanen’s sphere of responsibility is quite different:

“Under the Government Rules of Procedure, the Ministry of the Interior is responsible for:

  • public order and security, police administration and the private security sector
  • general preconditions for migration and regulation of migration, with the exception of labour migration, as well as international protection and return migration 
  • Finnish citizenship
  • rescue services
  • emergency response centre operations
  • border security and maritime search and rescue services
  • national capabilities for civilian crisis management
  • joint preparedness of regional authorities for incidents and emergencies.”

These responsibilities result in this organization…whoops, organisation.

From https://intermin.fi/en/ministry/management-and-organisation.

There are five departments at the Ministry:

  • Police Department
  • Department for Rescue Services
  • Migration Department
  • Border Guard Department, which is the national headquarters for the Border Guard
  • Administration and Development Department

The units reporting directly to the Permanent Secretary are the International Affairs Unit and Communications Unit.

Directly under the Permanent Secretary are also guidance of Civilian Intelligence and the Finnish Security and Intelligence Service, 
Internal Audit and Advisory Staff to the Permanent Secretary

So, who’s gonna buy your biometric product or service in each of the 200 or so countries in which you may conduct business?

And for those who were waiting for it, here’s the song:

Nobot Policies Hurt Your Company and Your Product

If your security software enforces a “no bots” policy, you’re only hurting yourself.

Bad bots

Yes, there are some bots you want to keep out.

“Scrapers” that obtain your proprietary data without your consent.

“Ad clickers” from your competitors that drain your budgets.

And, of course, non-human identities that fraudulently crack legitimate human and non-human accounts (ATO, or account takeover).

Good bots

But there are some bots you want to welcome with open arms.

Such as the indexers, either web crawlers or AI search assistants, that ensure your company and its products are known to search engines and large language models. If you nobot these agents, your prospects may never hear about you.

Buybots

And what about the buybots—those AI agents designed to make legitimate purchases? 

Perhaps a human wants to buy a Beanie Baby, Bitcoin, or airline ticket, but only if the price dips below a certain point. It is physically impossible for a human to monitor prices 24 hours a day, 7 days a week, so the human empowers an AI agent to make the purchase. 

Do you want to keep legitimate buyers from buying just because they’re non-human identities?

(Maybe…but that’s another topic. If you’re interested, see what Vish Nandlall said in November about Amazon blocking Perplexity agents.)

Nobots 

According to click fraud fighter Anura in October 2025, 51% of web traffic is non-human bots, and 37% of the total traffic is “bad bots.” Obviously you want to deny the 37%, but you want to allow the 14% “good bots.”

Nobot policies hurt. If your verification, authentication, and authorization solutions are unable to allow good bots, your business will suffer.

Francesco Fabbrocino’s Five Rules of Fraud Prevention…and Bredemarket’s Caveat to Rule 2

Francesco Fabbrocino of Dunmor presented at today’s SoCal Tech Forum at FoundrSpace in Rancho Cucamonga, California. His topic? Technology in FinTech/Fraud Detection. I covered his entire presentation in a running LinkedIn post, but I’d like to focus on one portion here—and my caveat to one of his five rules of fraud detection. (Four-letter word warning.)

The five rules

In the style of Fight Club, Fabbrocino listed his five rules of fraud detection:

1. Nearly all fraud is based on impersonation.

2. Never expose your fraud prevention techniques.

3. Preventing fraud usually increases friction.

4. Fraud prevention is a business strategy.

5. Whatever you do, fraudsters will adapt to it.

All good points. But I want to dig into rule 2, which is valid…to a point.

Rule 2

If the fraudster presents three different identity verification or authentication factors, and one of them fails, there’s no need to tell the fraudster which one failed. Bad password? Don’t volunteer that information.

In fact, under certain circumstances you may not have to reveal the failure at all. If you are certain this is a fraud attempt, let the fraudster believe that the transaction (such as a wire transfer) was successful. The fraudster will learn the truth soon enough: if not in this fraud attempt, perhaps in the next one.

But “never” is a strong word, and there are some times when you MUST expose your fraud prevention techniques. Let me provide an example.

Biometric time cards

One common type of fraud is time card fraud, in which an employee claims to start work at 8:00, even though he didn’t show up for work until 8:15. How do you fool the time clock? By buddy punching, where your friend inserts your time card into the time clock precisely at 8, even though you’re not present.

Enter biometric time clocks, in which a worker must use their finger, palm, face, iris, or voice to punch in and out. It’s very hard for your buddy to have your biometric, so this decreases time clock fraud significantly.

The four-letter word

Unless you’re an employer in Illinois, or a biometric time clock vendor to employers in Illinois.

Illinois state flag. Public domain.

And you fail to inform the employees of the purpose for collecting biometrics, and obtain the employees’ explicit consent to collect biometrics for this purpose.

Because that’s a violation of BIPA, Illinois’ Biometric Information Privacy Act. And you can be liable for damages for violating it.

In a case like this, or a case in a jurisdiction governed by some other privacy law, you HAVE to “expose” that you are using an individual’s biometrics as a fraud prevention techniques.

But if there’s no law to the contrary, obfuscate at will.

Communicating your anti-fraud solution

Now there are a number of companies that fight the many types of fraud that Fabbrocino mentioned. But these companies need to ensure that their prospects and clients understand the benefits of their anti-fraud solutions.

That’s where Bredemarket can help.

As a product marketing consultant, I help identity, biometric, and technology firms market their products to their end clients.

And I can help your firm also.

Read about Bredemarket’s content for tech marketers and book a free meeting with me to discuss your needs.

Stop losing prospects! Use Bredemarket content for tech marketers

More information:

Bredemarket: Services, Process, and Pricing.

Kalshi, Polymarket, DraftKings, FanDuel, and Gambling Legality

(Bredebot helped write small parts of this post.)

Is it only smartphone game app users who are inundated with an unrelenting barrage of Kalshi ads?

If nothing else, the barrage inspired me to research Designated Contract Markets (DCMs). A DCM is a status granted and regulated by the Commodity Futures Trading Commission (CFTC), a federal agency. As such, Kalshi argues that it is exempt from state gaming regulations because it’s not hosting gambling. It’s hosting futures trading.

Gemini.

But Kalshi and similar apps such as Polymarket are opposed by DraftKings, FanDuel, and other sports betting apps. They make no pretense of “trading futures,” but comply with state-level gambling regulations, and use geolocation to prohibit mobile sports betting in states such as California where it is illegal.

And both are opposed by Native American casinos governed by the Indian Gaming Regulatory Act (IGRA) of 1988, which allows sovereign tribal nations to host traditional Indian games.

And they are opposed by other card houses, racetracks, bingo games, and state sponsored lotteries.

And all are opposed by the traditional Las Vegas casinos…except when they themselves host mobile apps and strike licensing deals with Native American casinos.

But the mobile app variants not only deal with geolocation, but also digital identity verification and age verification. 

And employment verification or non-verification to ensure that football players aren’t betting on football games.

Gemini.

Plus authentication to open the app and ensure Little Jimmy doesn’t open it.

Gemini.

There are all sorts of gaming identity stories…and Bredemarket can help identity/biometric marketers tell them.

Stop losing prospects! Use Bredemarket content for tech marketers