Proof of Humanity Does Not Prove Identity

If you have a database of people worldwide, you can use irises to see whether someone is in the database or not.

This lets you buy the world a Coke. One per person.

But it doesn’t tell you WHO they are.

For that you need to test them against the factors of identity verification and authentication.

All six of them.

Learn more. Purchase the ebook.

Four pages from "Proving Humanity: The Six Factors of Identity Verification and Authentication" by John E. Bredehoft, Bredemarket. Click on the image to purchase.
Proving Humanity: The Six Factors of Identity Verification and Authentication.

Factors Are Independent

One important thing about factors is that they are independent of each other.

The fact that a person has a particular password bears no relation to the fact that a person has a particular fingerprint ridge structure.

And even modalities within a factor may be independent of each other. When Motorola sold its Biometric Business Unit to Safran in 2009, I joined a company (MorphoTrak) that promoted three biometric modalities: finger, face, and iris. While all three biometrics came from the same person, there was no relationship between any of them. Knowing a person’s right forefinger did not tell you what the person’s iris was like. (But beware: driver’s licenses and passports share information, such as dates of birth.)

If you have a critical security issue, you don’t want to depend upon just one factor, or one modality.

Double or triple them up by requiring multiple identity verifications and authentications with unrelated modalities and factors.

Learn more about the six identity factors

Six identity factors. One Bredemarket ebook. Total identity protection. Purchase “Proving Humanity: The Six Factors of Identity Verification and Authentication.”

Four pages from "Proving Humanity: The Six Factors of Identity Verification and Authentication" by John E. Bredehoft, Bredemarket. Click on the image to purchase.

Why Are Identity Verification and Authentication Critically Important?

Imagine if we didn’t have identity verification and authentication.

I could walk into a luxury car dealership and buy a car, telling the salesperson that my name is Bill Gates. I could buy the car, and Gates would get the bill.

Sounds great…until someone impersonates YOU and gets YOUR money.

How to Figure Out Someone’s Mother’s Maiden Name

Something you know…and that someone else knows. It can happen.

Many systems require more than one knowledge-based modality, which is why they sometimes ask for other things like your mother’s maiden name.

This of course is not foolproof. Your sister who hates your guts, for example, obviously knows your mother’s maiden name. And even complete strangers, especially those with nefarious intent, can deduce your personal information.

Let me introduce you to Doug.

How Doug learned Donna’s mother’s maiden name…and more

Assume that Doug wants to hack Donna’s account but needs some personal information to do so. This is somewhat tough, since Donna’s Facebook account is private and can only be seen by her friends. Well, Doug knows that Belle is a friend of Donna’s, and Belle’s Facebook password is “password1.” Problem solved.

Doug uses Belle’s account to read Donna’s posts and finds some remarkably interesting ones. Not that she’s posting her Social Security Number or anything, but what did she post?

  • “Happy birthday to my mom!” (This particular post was loved by Jane Davis, who wrote “Thank you dear daughter.”)
  • “Happy 30th birthday to me!”
  • “Hey, look at this picture of my new driver’s license. My picture actually looks halfway decent.”
  • “Hey, look at this picture of my senior citizen bus pass. Yeah, I’m old.”
  • “I cried when I looked at this old picture of my dog Scamper, taken in front of my childhood home on Mulberry Street.”

If you’re keeping score at home, Doug now knows the following information about Donna:

  • Her mother’s maiden name.
  • Her date of birth (from her birthday post and her driver’s license picture; her senior citizen’s bus pass doesn’t have her birthdate but does have her birthday).
  • Her driver’s license number.
  • The name of her favorite pet.
  • The name of the street she lived on as a child.

More than enough for Doug to impersonate Donna.

Types of Knowledge-Based Modalities

Something you know.

We know a lot of things, we can tell the system the things we know, and the system can confirm that the person accessing the system knows these same things.

Here are a few examples of knowledge-based information:

  • Passwords.
  • Personal Identification Numbers (PINs).
  • Social Security Numbers.
  • Driver’s License Numbers.
  • Dates of Birth.
  • Employee IDs.
  • Mother’s maiden name.
  • Name of your favorite pet.
  • Name of the street you lived on as a child.

Some of these pieces of personally identifiable information (PII) are more commonly known than others. The, um, secret is to choose a piece of knowledge that ONLY YOU know.

But remember: anything that you know is potentially known by others.

Identifying Non-Human Identities with SPIFFE and SPIRE

I once tried to see if non-human identities could verify and authenticate with the six human factors. (Yeah, six. Watch for the book.)

Definitions

In reality, non-human identities use entirely different authentication methods…with their own acronyms. For example:

  • SPIFFE is the Secure Production Identity Framework For Everyone.
  • SPIRE is the SPIFFE Runtime Environment.

So what are SPIFFE and SPIRE?

“SPIFFE and SPIRE provide strongly attested, cryptographic identities to workloads across a wide variety of platforms”

That wide variety of platforms is distributed.

“SPIFFE and SPIRE provide a uniform identity control plane across modern and heterogeneous infrastructure. Since software and application architectures have grown substantially, they are spread across virtual machines in public clouds and private data centers.”

Distinguishing between the two, the SPIFFE Project “defines a framework and set of standards for identifying and securing communications between application services,” while the runtime environment SPIRE “is a toolchain of APIs for establishing trust between software systems across a wide variety of hosting platforms.”

Benefits

Forget all that. Let’s get to the benefits.

Enable defense in depth: Provide strongly attested identities to reduce the likelihood of breach through credential compromise

Reduce operational complexity: Consistent, automated management of identity reduces the burden of devops teams

Interoperability: Simplifies the technical aspects of full interoperability across multiple stacks

Compliance and auditability: Enables mutually authenticated TLS and multiple roots of trust to meet regulatory requirements
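Since SPIFFE is about naming workloads and then authenticating them over mutual TLS, here is an added example (mine, not the article’s and not code from the SPIFFE or SPIRE projects) that validates a SPIFFE ID of the form `spiffe://<trust-domain>/<path>` and runs the kind of peer check a service would apply to the identity presented by an mTLS client. The validation rules follow the public SPIFFE ID specification as I understand it; the trust domain `example.org`, the workload paths and the allow list are constructed for the demonstration.

```python
import re
from dataclasses import dataclass

# Rules as stated in the public SPIFFE-ID specification (my reading of it):
# scheme "spiffe", lowercase trust domain, path segments that are never
# empty, never "." or "..", and never end in a trailing slash.
_TRUST_DOMAIN_RE = re.compile(r"^[a-z0-9._-]+$")
_SEGMENT_RE = re.compile(r"^[a-zA-Z0-9._-]+$")
MAX_LEN = 2048


@dataclass(frozen=True)
class SpiffeId:
    trust_domain: str
    path: str  # "" for a bare trust-domain ID, otherwise "/seg/seg"

    def __str__(self):
        return f"spiffe://{self.trust_domain}{self.path}"


def parse_spiffe_id(s: str) -> SpiffeId:
    """Parse and validate a SPIFFE ID string; raise ValueError on any defect."""
    if len(s) > MAX_LEN:
        raise ValueError("SPIFFE ID too long")
    prefix = "spiffe://"
    if not s.startswith(prefix):  # scheme must be exactly "spiffe"
        raise ValueError("missing spiffe:// scheme")
    rest = s[len(prefix):]
    td, sep, path = rest.partition("/")
    # The regex also rejects userinfo ("@") and ports (":") in the authority.
    if not td or not _TRUST_DOMAIN_RE.match(td):
        raise ValueError(f"bad trust domain: {td!r}")
    if sep == "":
        return SpiffeId(td, "")
    for seg in path.split("/"):  # "" here means "//" or a trailing slash
        if seg == "" or seg in (".", "..") or not _SEGMENT_RE.match(seg):
            raise ValueError(f"bad path segment: {seg!r}")
    return SpiffeId(td, "/" + path)


def authorize_peer(peer_id: str, expected_td: str, allowed_paths) -> bool:
    """Decide whether an mTLS peer's SPIFFE ID may call this service.

    Malformed IDs, IDs from another trust domain, and IDs whose path is not
    on the allow list are all rejected; there is no partial match.
    """
    try:
        sid = parse_spiffe_id(peer_id)
    except ValueError:
        return False
    return sid.trust_domain == expected_td and sid.path in allowed_paths


# Constructed policy for a hypothetical payments service in trust domain example.org.
ALLOWED_CALLERS = {"/ns/payments/sa/api", "/ns/payments/sa/worker"}

if __name__ == "__main__":
    for candidate in ("spiffe://example.org/ns/payments/sa/api",
                      "spiffe://evil.example.org/ns/payments/sa/api",
                      "spiffe://example.org/ns/../payments/sa/api"):
        print(candidate, "->", authorize_peer(candidate, "example.org", ALLOWED_CALLERS))
```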

Use at Uber

But does anyone use it? Yes. Take Uber:

“We use SPIRE at Uber to provide identity to workloads running in multiple clouds (GCP, OCI, AWS, on-premise) for a variety of jobs, including stateless services, stateful storage, batch and streaming jobs, CI jobs, workflow executions, infrastructure services, and more. We have worked with the open source community since the early stages of the project in mid-2018 to address production readiness and scalability concerns.”

More here.

Now this is admittedly a whole new world for me, far afield from the usual 12345 and gummy arguments where I usually reside. But since bots will soon outnumber people (if they don’t already), we had all better learn it.

Why and How My Company Bredemarket Sucks, and Asking Uncomfortable Questions About Your Own Company

Do your prospects see you in a negative light?

And if so, how do you fix it?

This post looks at the following:

How generative AI answers you

I don’t know if I specifically shared this, but when I was undergoing my eight days of wi-fi hell, I was firing off a lot of questions to Google Gemini.

A LOT of questions.

Troubleshooting, fact-checking, you name it. Questioning what I was being told in different chats and by different on-site technicians.

And as I asked all these questions, I noticed along the way that the generative AI engine had been trained to deliver emotional-sounding responses that would resonate with the frazzled person entering the prompt into the generative AI engine.

This stands to reason. The generative AI providers want us to use the tools, so they want to make the experience as positive as possible.

For example, at one point I entered this prompt into Google Gemini:

“When a fiber Internet support person scheduled a second technician for a service call, the support person said “There are times where signal issues take more than one service visit to get to the root of the issue.” What exactly are “signal issues,” and why does the line need to be “balanced”?”

Note how Google Gemini BEGAN its response to my prompt:

“It can be incredibly frustrating when your internet isn’t working and the fix feels like it’s being kicked down the road. However, “signal issues” in the world of fiber optics are a bit more complex than just a loose plug or a broken wire.”

For those who remember the Clinton era, Google felt my pain.

Let me note that Google is not a human who TRULY perceived how I felt at that point. (Your AI girlfriend doesn’t love you either.) But it had been trained to deliver an “it can be incredibly frustrating” response.

On a certain level, Google was telling me what it thought I wanted to hear.

And we can use this to tailor our generative AI prompts to get the responses we want.

How you ask generative AI

We already tailor our prompts.

  • Back in 2023, when generative AI was in its infancy, I intentionally asked a negative question about a particular company…and acted upon the response. (I will explain how later.)
  • Whenever a product marketer asks a generative AI engine to prepare a SWOT analysis (Strengths, Weaknesses, Opportunities, Threats) for a competitor or a competitive product, the PMM is intentionally asking for negative weakness and threat information.
  • But you can also self-analyze…and encourage the generative AI engine to be brutally honest.

A pointed question

Let me illustrate this with the following prompt:

“Why does the marketing and writing company Bredemarket suck so badly?”

Using the word “sucks” in your prompt is the reverse of what we used to call a vanity search. Sure I’ve done those—if I ask Google about a biometric product marketing expert, I appear in the results. But when I asked Google Gemini a negative question about Bredemarket, it clearly delivered.

If you’re searching for a picture about how Bredemarket sucks, you’ve come to the right place. Google Gemini. Picture by Bredemarket.

The response started as follows.

“That is a pretty pointed question!”

Intentionally so. The introduction continued:

“To be fair to the “company” (which is actually a solo consultancy run by a guy named John Bredehoft), whether Bredemarket “sucks” depends entirely on what you’re looking for.”

It then got into the nitty gritty about how I suck. A few excerpts:

Answer 1: a one-man shop

“If you were expecting a full-service marketing firm with account managers and a design department, the reality of a one-man shop based in Ontario, California, might feel underwhelming.”

Answer 2: not for non-tech lifestyle brands

“If you are a general business or a lifestyle brand, his style—which is very technical, process-oriented, and “old school” corporate—might feel dry, rigid, or out of touch with modern, punchy social media marketing.”

Answer 3: he ain’t a corporate drone

“John has a very distinct, conversational, and sometimes quirky style (often referencing his own mistakes or niche industry drama). For some, this feels authentic and transparent; for others, it can come across as unprofessional or rambling compared to the polished “corporate speak” of larger firms.”

Answer 4: see answer 1

“If a project gets complex or requires a fast turnaround that one person can’t handle, the “process” (which he mentions frequently on his site) might feel more like a bottleneck than a benefit.”

My responses to Gemini

Let me note that these are NOT hallucinations. Every criticism is valid.

  • Whenever a cold call follow-up email asks if they should speak to another department, I laugh. To myself. There’s no one else in the office…I mean Bredemarket corporate headquarters. It’s only 25 square feet, after all.
  • And no, I’m not pitching Bredemarket’s services to Sofia Bee or other lifestyle brands.
  • Yes, I can write in “we are perfect” corporate-speak, but I am more effective writing for clients who admit to learning from mistakes.
  • Finally, I can deliver on projects that require a draft in 3 (or 7) days. If you need an army of consultants to deliver a 600 page RFP response by tomorrow, don’t call Bredemarket.

So I asked the uncomfortable question. Now what?

How you act after you ask generative AI

As you know, after I ask, I act.

Remember when I asked generative AI a pointed question in 2023? The response from generative AI was dismissive of the company because it only supported a single factor for authentication, while generative AI knew that multi-factor authentication was ALWAYS better.

  • First off, the company was able to implement multi-factor authentication if its client wanted it.
  • Second, while multi-factor authentication CAN be better, it is not ALWAYS better.

So how did I respond to generative AI’s assertion? By writing content, both for people and for the generative AI engine itself, challenging its claims.

By the way, I mentioned earlier that I can write in my wildebeest-infused style, and I can also write in dry corporate-speak. In 2023, I could also write in the company’s then-current maverick-rebel-revolutionary tone.

By Alberto Korda – Museo Che Guevara, Havana Cuba, Public Domain, https://commons.wikimedia.org/w/index.php?curid=6816940.

Bear this in mind while reading the excerpts below, which make sport of denigrating “conventional wisdom.”

Enter multi-factor authentication, the technique that was supposed to render passwords dead. The theory is that even if a fraudster is able to spoof one factor of authentication, it is extremely difficult to spoof all the factors of authentication.  

This is the conventional wisdom. Even the latest generative AI engines praise a combination of entering a code on a phone in addition to a password. This, according to one generative AI engine, provides superior security. 

Nevertheless, conventional wisdom and generative AI can both be wrong. 

  • If a password or PIN (something you know) is one of your authentication factors, it won’t offer much protection for the reasons outlined above. Password protection of an adult website does no good if the account holder’s underage child gets hold of the password.  
  • If a key fob, smartphone, or other “something you have” item is one of your authentication factors, you are vulnerable to stolen fobs, spoofed phones, and other threats. Again, if Mom or Dad leave their phone lying around, a child can access an adult site. 

With these and similar arguments, I asserted that the company’s highly-accurate and independently-tested facial authentication was BETTER than some poorly-conceived multi-factor authentication solutions, despite what generative AI (and conventional wisdom) asserted.

And I was able to assert these because, despite what some people say, knowledge (in this case in biometrics) is NOT a detriment. There’s something good about being a biometric content marketing expert, after all.

But what about your company?

Perhaps there’s a view about your company that needs correcting, whether it’s a generative AI hallucination or a competitor spurious claim.

And how do many companies react to negative views about them? They do nothing. They don’t give the claim the dignity of a response. So the record stands, uncorrected.

But the smart companies change the story. For example, they tell the Eskimos that an icemaker IS better than just grabbing something from outside.

OK, maybe it’s NOT a lost cause. Imagen 4.

Or they tell prospects how great their single factor authentication is.

Or they admit that their content probably wouldn’t help a makeup artist, but it definitely would help a technology company.

Bredemarket can help you correct the narrative.

  • I’ll ask questions.
  • Then I’ll propose services.

And your company will overcome the negativity.

Set up a free meeting with Bredemarket

Why don’t you set up a first, free meeting to discuss your options? Set up the meeting below.

Returning to Lattice Identity

The last time I delved into lattices, it was in connection with the NIST FIPS 204 Module-Lattice-Based Digital Signature Standard. To understand why the standard is lattice-based, I turned to NordVPN:

“A lattice is a hierarchical structure that consists of levels, each representing a set of access rights. The levels are ordered based on the level of access they grant, from more restrictive to more permissive.”

In essence, the lattice structure allows more elaborate access rights.

This article (“Lattice-Based Identity and Access Management for AI Agents”) discusses lattices more. Well, not explicitly; the word “lattice” only appears in the title. But here is the article’s main point:

“We are finally moving away from those clunky, “if-this-then-that” systems. The shift to deep learning means agents can actually reason through a mess instead of just crashing when a customer uses a slang word or a shipping invoice is slightly blurry.”

It then says

“Deep learning changes this because it uses neural networks to understand intent, not just keywords.”

Hmm…intent? Sounds a little somewhat you why…or maybe it’s just me.

But it appears that we sometimes don’t care about the intent of AI agents.

“If you gave a new employee the keys to your entire office and every filing cabinet on day one, you’d be sweating, right? Yet, that is exactly what many companies do with ai agents by just slapping an api key on them and hoping for the best.”

This is not recommended. See my prior post on attribute-based access control, which led me to focus more on non-person entities (non-human identities).

As should we all.

If Your Phone Has IMEI 440015202000…

When I posted (two times) the fact that International Mobile Equipment Identity (IMEI) numbers are NOT a reliable way to ascertain the identity of a user, I was pooh-poohed.

Tell that to the people of Bangladesh.

In that country, the National Equipment Identity Register (NEIR) went live on January 1, and it uncovered some surprising findings.

Turns out that tens of millions of phones in Bangladesh share their IMEIs with other phones. A single example:

“According to data generated after NEIR went live on January 1, a single IMEI, 440015202000, was found to be linked to 1,949,088 devices nationwide.”

So will you now admit that an IMEI is not a reliable way to identify an individual phone?
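As an added illustration (mine, not the article’s), the Python below does the two checks a registry such as NEIR would run before trusting an IMEI as a device identifier: a well-formedness test (a standard IMEI is 15 digits whose last digit is a Luhn check digit) and a count of how many distinct devices share each IMEI. The registry records are constructed; the 12-digit value is the one quoted in the article, and it fails the length test before any duplicate counting even starts.

```python
from collections import defaultdict


def luhn_ok(digits: str) -> bool:
    """Luhn checksum, the algorithm behind the 15th (check) digit of an IMEI."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit counting from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def imei_well_formed(imei: str) -> bool:
    """A standard IMEI is exactly 15 decimal digits with a valid Luhn check digit."""
    return len(imei) == 15 and imei.isdigit() and luhn_ok(imei)


def shared_imeis(registry, threshold=2):
    """Return {imei: number_of_distinct_devices} for IMEIs reused across devices."""
    devices_by_imei = defaultdict(set)
    for rec in registry:
        devices_by_imei[rec["imei"]].add(rec["device_id"])
    return {imei: len(devs) for imei, devs in devices_by_imei.items()
            if len(devs) >= threshold}


def audit_registry(registry):
    """Summarise why the IMEI column cannot be relied on to single out a handset."""
    malformed = sorted({r["imei"] for r in registry if not imei_well_formed(r["imei"])})
    return {"malformed": malformed, "shared": shared_imeis(registry)}


# Constructed sample registry. device_id is the registry's own row key, so a
# reused IMEI shows up as one value attached to several device_ids.
SAMPLE_REGISTRY = [
    {"device_id": "dev-001", "imei": "440015202000"},      # 12 digits, as quoted
    {"device_id": "dev-002", "imei": "440015202000"},
    {"device_id": "dev-003", "imei": "440015202000"},
    {"device_id": "dev-004", "imei": "490154203237518"},   # well-formed, but shared
    {"device_id": "dev-005", "imei": "490154203237518"},
    {"device_id": "dev-006", "imei": "490154203237519"},   # wrong check digit
]

if __name__ == "__main__":
    print(audit_registry(SAMPLE_REGISTRY))
```

Bangladesh’s figure of 1,949,088 devices on one IMEI is what the `shared` map reports at scale; the `malformed` list catches default or fabricated values that never belonged to a real handset in the first place.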