“As I refined my thinking, I came to the conclusion that “why” is a reasonable factor of authentication, and that this was separate from the other authentication factors (such as “something you do”).”
“[B]ecause we couldn’t determine why someone needed access, we built systems that tried to guess the answer for us….
“Roles were never about “least privilege.” Roles were our attempt to predict intent at scale. And like most predictions, especially in complex systems, they were right until they weren’t….
“Instead of front-loading permissions for every possible future scenario, we authorize the current scenario. Identity might still be the new perimeter — but intent is the new access key.”
On Tuesday I will write about a way to combat document signature fraud, but today I will focus on extremely obvious fraudulent activity.
You probably haven’t tried to alter your appearance before going through an airport security checkpoint. If you had, you would have found it hard to pull off.
Um…no.
The most obvious preventive measure is that airport security uses multi-factor authentication: your face (something you are) has to match the identity document you present (something you have), and the document itself is checked. Even if the woman in the video encountered a dumb Transportation Security Administration (TSA) expert who thought she truly was Richard Nixon, the “Nixon” driver’s license she presented would fail a security check.
But not all fraud is this easy to detect. Not for job applicants, not for travelers.
That’s why more secure firms practice continuous authentication for high-risk transactions.
But continuous authentication can be intrusive.
How would you feel if you had to press your finger on a fingerprint reader every six seconds?
Enough of that and you’ll start using the middle finger to authenticate.
Even face authentication is intrusive, if it’s 3 am and you don’t feel like being on camera.
Now I’ve already said that Amazon doesn’t want to over-authenticate everything.
But Amazon does want to authenticate the critical transactions. Identity Week:
“Amazon treats authentication as a continuous process, not a one-time event. It starts with verifying who a user is at login, but risk is assessed throughout the entire session, watching for unusual behaviours or signals to ensure ongoing confidence in the user’s identity.”
That’s right: Amazon uses “somewhat you why” as an authentication factor.
In late 2019 and early 2020 I was working on a project promoting biometric entry at sports facilities and concert venues…until a teeny little worldwide pandemic shut down all the sports and concert venues.
Some of you may remember that a pivotal day during that period was March 11, 2020. Among many, many other things, this was the day on which basketball fans awaited the start of a game.
“8 p.m. [ET; 7 p.m. local time]: In Oklahoma City, it was just another game day for Nerlens Noel and his Thunder teammates, who were warming up to play the visiting Utah Jazz.”
The day soon became abnormal after a meeting between NBA officials and the two coaches. Unbeknownst to the crowd, the officials and coaches were discussing a medical diagnosis of Rudy Gobert. (That’s another story.)
“8:31 p.m. [ET]: Teams were sent back to their locker rooms but the crowd at Chesapeake Energy Arena weren’t informed of the cancellation immediately. Instead, recording artist Frankie J, the intended halftime entertainment, put on his show, while officials decided how to break the news.”
Eight minutes later, the crowd was instructed to leave the arena.
Twenty minutes after that, the NBA suspended all games.
A little over a month later, on April 19, millions of people were huddled in their homes, glued to the opening episode of a TV series called The Last Dance…the only basketball any of us were going to get for a while. And of course, these games were on decades-long tape delay, and we already knew the outcome. (The Chicago Bulls won.)
And that was our basketball…until the suspended season resumed on July 30 under very bizarre circumstances.
Anyway, all of that was a very long time ago.
Games and concerts have been back in business since 2021, and identity verification and authentication of venue visitors with biometrics and other factors are becoming more popular every year.
Have you ever used the phrase “sort of unique”? Something is either unique or it isn’t. And International Mobile Equipment Identity (IMEI) numbers fail the uniqueness test.
Claims that International Mobile Equipment Identity (IMEI) numbers are unique
Here’s what a few companies say about the IMEI number on each mobile phone. Emphasis mine.
Thales: “The IMEI (International Mobile Equipment Identity) number is a unique 15-digit serial number for identifying a device; every mobile phone in the world has one.”
Verizon: “An IMEI stands for International Mobile Equipment Identity. Think of it as your phone’s fingerprint — it’s a 15-digit number unique to each device.”
Blue Goat Cyber: “In today’s interconnected world, where our smartphones have become an indispensable part of our lives, it is essential to understand the concept of IMEI – the International Mobile Equipment Identity. This unique identifier plays a crucial role in various aspects of our mobile devices, from security to tracking and repairs.”
These and other descriptions of the IMEI prominently use the word “unique.” Not “sort of unique,” but “unique.”
This means that for non-person entities, just as for persons, a SINGLE reliable instance of more than one mobile phone carrying the same IMEI number is enough for the claim of uniqueness to fall apart completely.
Examples of non-uniqueness of IMEI numbers on mobile phones
“In theory, hackers can clone a phone using its IMEI, but this requires significant effort. They need physical access to the device or SIM card to extract data, typically using specialized tools.
“The cloning process involves copying the IMEI and other credentials necessary to create a functional duplicate of the phone. However, IMEI number security features in modern devices are designed to prevent unauthorized cloning.”
So don’t claim an IMEI is unique when there is evidence to the contrary. As I said in my April post:
“NOTHING provides 100.00000% security. Not even an IMEI number.”
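The cloning passage quoted above describes exactly how a second handset ends up presenting the IMEI copied from a first. The Python below is an added example, not code from the original post or from any of the vendors quoted above. It shows what a verifier can and cannot learn from an IMEI string: the last of the 15 digits is a Luhn check digit over the first 14 (3GPP TS 23.003), so well-formedness is easy to verify and just as easy to fabricate, and only a registry or fleet inventory can reveal that two devices present the same value. The handset labels and the fleet export are constructed for the example, and the TAC/serial digits behind handset-B are arbitrary.

```python
"""IMEI format checks, and why a valid-looking IMEI proves neither genuineness nor uniqueness.

Constructed example, not code from the original post. Facts used: an IMEI is 15 digits,
the first 8 are the Type Allocation Code (TAC), the next 6 a serial number, and the last
is a Luhn check digit (3GPP TS 23.003). Device labels and the fleet inventory are made up.
"""
from collections import defaultdict


def luhn_check_digit(payload: str) -> int:
    """Luhn check digit for a digit string that does not yet carry its check digit."""
    total = 0
    # Walk from the right. Once the check digit is appended, the rightmost payload
    # digit sits in a doubled position, so double at even offsets from the right.
    for offset, ch in enumerate(reversed(payload)):
        d = int(ch)
        if offset % 2 == 0:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return (10 - total % 10) % 10


def _normalize(imei: str) -> str:
    """Drop the separators people type into IMEIs (spaces, dashes)."""
    return imei.replace(" ", "").replace("-", "")


def is_well_formed_imei(imei: str) -> bool:
    """True if imei is 15 digits whose last digit is the Luhn check of the first 14."""
    digits = _normalize(imei)
    if len(digits) != 15 or not digits.isdigit():
        return False
    return luhn_check_digit(digits[:14]) == int(digits[14])


def make_imei(tac: str, serial: str) -> str:
    """Build a check-digit-valid IMEI from any 8-digit TAC and 6-digit serial.

    This is the point: anyone who can write 14 digits can produce an IMEI that
    passes every syntactic check, and anyone who has read a phone's IMEI can
    reuse it verbatim. Well-formedness is not proof of origin or uniqueness.
    """
    payload = tac + serial
    if len(tac) != 8 or len(serial) != 6 or not payload.isdigit():
        raise ValueError("TAC must be 8 digits and serial 6 digits")
    return payload + str(luhn_check_digit(payload))


def duplicate_imeis(inventory: list) -> dict:
    """Map each IMEI seen on more than one distinct device to the devices presenting it.

    inventory is a list of (device_label, imei) pairs, such as an MDM export.
    A non-empty result is the single reliable counter-instance the post asks for.
    """
    seen = defaultdict(set)
    for label, imei in inventory:
        seen[_normalize(imei)].add(label)
    return {imei: sorted(devs) for imei, devs in seen.items() if len(devs) > 1}


# Constructed fleet export: three handsets, one of which presents a cloned IMEI.
FLEET = [
    ("handset-A", "490154203237518"),                # commonly cited Luhn-valid example value
    ("handset-B", make_imei("35209900", "176148")),  # arbitrary TAC/serial, also Luhn-valid
    ("handset-C", "490154203237518"),                # clone of handset-A's IMEI
]

if __name__ == "__main__":
    for label, imei in FLEET:
        state = "well-formed" if is_well_formed_imei(imei) else "malformed"
        print(f"{label}: {imei} ({state})")
    print("IMEIs shared by more than one device:", duplicate_imeis(FLEET))
```

Run it and handset-C shows up beside handset-A: two devices, one IMEI, both passing the check-digit test. The check digit catches typos and transmission errors and nothing more, so treat an IMEI as a label a device claims, not as an authentication factor.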
What does this mean for your identity product?
If you offer an identity product, educate your prospects and avoid unsupportable claims. While a few prospects may be swayed by “100%” claims, the smarter ones will appreciate more supportable statements, such as “Our facial recognition algorithm demonstrated a 0.0022 false non-match rate in the mugshot:mugshot NIST FRTE 1:1 laboratory testing.”
When you are truthful in educating your prospects, they will (apologies in advance for using this overused word) trust you and become more inclined to buy from you.
If you need help in creating content (blog posts, case studies, white papers, proposals, and many more), work with Bredemarket to create the customer-focused content you need. Book a free meeting with me.
“A reported passkey vulnerability has been walked back, and FIDO is recommended as the fix to the vulnerability of “phishable” MFA wreaking havoc on corporate networks around the world.
“The PoisonSeed attack reported by security company Expel earlier this month does not give access to protected assets, if the FIDO Cross-Device Authentication flow is properly implemented.”
Proper implementation and configuration are essential.
“Businesses are rapidly adopting biometric authentication marketing as it serves a dual purpose: enhancing security and providing a customized marketing experience.”
But does it pay? Yes.
“By integrating fingerprint recognition technology, a retail company optimized its app experience, leading to a 20% increase in online sales. In another case, a banking institution used facial recognition for secure and quick authentication, resulting in a customer service rating boost of 25%.”
There are ways other than biometrics to know who your prospects are, but knowledge-based authentication (KBA), such as passwords, has its weaknesses. With KBA you may not be interacting with your prospect, but with your prospect’s spouse or child.
JOE’S ALCOHOL EMPORIUM: Evelyn, what types of alcohol do you prefer?
EVELYN’S TEENAGE SON WHO KNOWS HER PASSWORD IS HIS BIRTHDATE: 200 proof, man! Let’s get wasted!
Bredemarket has created targeted, segmented content, including individualized content. Let me help you communicate with your individual prospects. Talk to me.
I’ve frequently talked about geolocation as a factor of authentication, and have also mentioned the privacy concerns that rise with the use of geolocation for identification.
But sometimes it’s not just an issue of privacy, but something more sinister.
Authentic Living Therapy is a counselor specializing in trauma, abuse, emotional abuse, anxiety, depression, self-harm, parenting, and relationship difficulties. The page recently shared an image post on Facebook with the title
“Tracking someone’s location isn’t always about care. Sometimes, it’s about control.”
If you are a tech marketer and want to share how your identity solution protects individual privacy, I can help you write the necessary content. Let’s meet. Before your competition shares ITS story and steals your prospects and revenue.
An authentication factor is a category of evidence you present to authenticate yourself, and each factor is a distinct category. Two methods that draw on the same category count as the same factor.
For example, authenticating with fingerprint biometrics and authenticating with facial image biometrics are the same factor, because both are “something you are.” Combining the two is therefore not multi-factor authentication.
But how many factors are there?
Three factors of authentication
Some people argue that there are really only three authentication factors:
Something you know, such as a password, a personal identification number (PIN), or your mother’s maiden name.
Something you have, such as a driver’s license, passport, or hardware or software token.
Something you are, such as the aforementioned fingerprint and facial image, plus others such as iris, voice, vein, DNA, and behavioral biometrics such as gait.
Others add two more, for five factors:
Something you do, such as the action you take.
Somewhere you are, such as your geolocation.
And, as I have argued, there is a sixth:
Somewhat you why, or a measure of intent and reasonableness.
For example, take a person with a particular password, ID card, biometric, action, and geolocation (the five factors). Sometimes this person may deserve access, sometimes they may not.
The person may deserve access if they are an employee and arrive at the location during working hours.
That same person may deserve access if they were fired and are returning a company computer. (But wouldn’t their ID card and biometric access have already been revoked if they were fired? Sometimes…sometimes not.)
That same person may NOT deserve access if they were fired and they’re heading straight for their former boss’ personal HR file.
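The fired-employee scenario above, together with the earlier point that continuous authentication should re-prompt for high-risk transactions and unusual behaviour rather than every six seconds, can be written down as a policy. The Python below is an added example, not code from the original post or from Amazon: the same person, with all five factors already verified, gets different answers depending on what they are trying to do right now. The employee statuses, resource paths, the working-hours window and the 15-minute step-up freshness window are assumptions chosen to mirror the scenario in the text.

```python
"""Authorizing the current scenario rather than the predicted one.

Constructed example, not code from the original post. Employee statuses, resource
paths, the working-hours window and the step-up freshness window are assumptions
chosen to mirror the fired-employee scenario in the post.
"""
from dataclasses import dataclass
from enum import Enum


class Decision(Enum):
    ALLOW = "allow"
    DENY = "deny"
    STEP_UP = "step_up"   # re-verify a factor before proceeding


@dataclass
class Session:
    """What has already been established about the person (the five factors)."""
    user: str
    status: str                       # "active" or "terminated"
    factors_verified: set             # subset of {"know", "have", "are", "do", "where"}
    location: str                     # somewhere you are, e.g. "office", "reception"
    hour: int                         # local hour of the request, 0-23
    minutes_since_step_up: int = 10**6   # effectively "never" unless a recent step-up is recorded


@dataclass
class Request:
    """What the person is trying to do right now: the 'why'."""
    action: str       # "read", "write", "return_asset", ...
    resource: str     # e.g. "hr/records/former-boss"


ALL_FACTORS = {"know", "have", "are", "do", "where"}
HIGH_RISK_PREFIXES = ("hr/", "payroll/", "admin/")   # assumed high-risk areas
WORKING_HOURS = range(8, 18)                          # assumed 08:00-17:59
STEP_UP_FRESHNESS_MINUTES = 15                        # re-prompt for risky work, not every six seconds


def assess(session: Session, request: Request) -> tuple:
    """Return (Decision, reason). Identity alone never settles the answer; the
    requested action and resource do."""
    missing = ALL_FACTORS - set(session.factors_verified)
    if missing:
        return Decision.DENY, "unverified factors: " + ", ".join(sorted(missing))

    if session.status == "terminated":
        # A departed employee has one legitimate reason to be on site: handing back equipment.
        if request.action == "return_asset" and session.location == "reception":
            return Decision.ALLOW, "terminated employee returning equipment at reception"
        return Decision.DENY, "terminated employee has no legitimate reason to touch " + request.resource

    if session.status != "active":
        return Decision.DENY, "unknown account status: " + session.status

    high_risk = request.resource.startswith(HIGH_RISK_PREFIXES)
    odd_hours = session.hour not in WORKING_HOURS
    stale = session.minutes_since_step_up > STEP_UP_FRESHNESS_MINUTES
    if (high_risk or odd_hours) and stale:
        why = "high-risk resource" if high_risk else "request outside working hours"
        return Decision.STEP_UP, why + ": re-verify before proceeding"
    return Decision.ALLOW, "active employee, routine request"


if __name__ == "__main__":
    # Constructed scenarios: one person, five factors verified every time, different intent.
    scenarios = [
        ("active employee, working hours, routine page",
         Session("pat", "active", ALL_FACTORS, "office", 10), Request("read", "wiki/onboarding")),
        ("fired employee returning a laptop at reception",
         Session("pat", "terminated", ALL_FACTORS, "reception", 10), Request("return_asset", "assets/laptop-42")),
        ("fired employee heading for the former boss' HR file",
         Session("pat", "terminated", ALL_FACTORS, "office", 10), Request("read", "hr/records/former-boss")),
        ("active employee opening an HR record, no recent step-up",
         Session("pat", "active", ALL_FACTORS, "office", 10), Request("read", "hr/records/pat")),
        ("active employee at 3 am",
         Session("pat", "active", ALL_FACTORS, "office", 3), Request("read", "wiki/onboarding")),
    ]
    for title, session, request in scenarios:
        decision, reason = assess(session, request)
        print(f"{title}: {decision.value} ({reason})")
```

The step-up branch is what keeps this from becoming the fingerprint-every-six-seconds regime: an active employee doing routine work during working hours is never re-prompted, and one who has just stepped up for an HR record is not asked again for the next one within the freshness window.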
Or maybe just five factors of authentication
Now not everyone agrees that this sixth factor of authentication is truly a factor. In fact, “not everyone” may mean no one, and I may be the only person blabbering about it.
So while I still work on evangelizing the sixth factor, use the partially accepted notion that there are five factors.