Tag Archives: authentication

You Can’t Prove that an International Mobile Equipment Identity (IMEI) Number is Unique

I’m admittedly fascinated by the parallels between people and non-person entities (NPEs), to the point where I asked at one point whether NPEs can use the factors of authentication. (All six. Long story.)

When I got to the “something you are” factor, which corresponds to biometrics in humans, here is what I wrote:

Something you are. For simplicity’s sake, I’ll stick to physical objects here, ranging from pocket calculators to hand-made ceramic plates. The major reason that we like to use “something you are” as a factor is the promise of uniqueness. We believe that fingerprints are unique (well, most of us), and that irises are unique, and that DNA is unique except for identical twins. But is a pocket calculator truly unique, given that the same assembly line manufactures many pocket calculators? Perhaps ceramic plates exhibit uniqueness, perhaps not.

But I missed one thing in that discussion, so I wanted to revisit it.

Understanding IMEI Numbers

Now this doesn’t apply to ceramic plates or pocket calculators, but there are some NPEs that assert uniqueness.

Our smartphones, each of which has an International Mobile Equipment Identity (IMEI) number.

Let’s start off with the high level explanation.

IMEI stands for International Mobile Equipment Identity. It’s a unique identifier for mobile devices, much like a fingerprint for your phone’s IMEI number.

Now some of you who are familiar with biometrics are saying, “Hold it right there.”

  • Have we ever PROVEN that fingerprints are unique?
  • And I’m not just talking about Columbia undergrads here.
  • Can someone assert that there has NEVER been two people with the same fingerprint in all of human history?

But let’s stick to phones, Johnny.

Each IMEI number is a 15-digit code that’s assigned to every mobile phone during its production. This number helps in uniquely identifying a device regardless of the SIM card used.

This is an important point here. Even Americans understand that SIM cards are transient and can move from one phone to another, and therefore are not valid to uniquely identify phones.

What about IMEIs?

Are IMEIs unique?

I won’t go into the specifics of the 15-digit IMEI number format, which you can read about here. Suffice it to say that the format dictates that the number incorporate the make and model, a serial number, and a check digit.

  • Therefore smartphones with different makes and models cannot have the same IMEI number by definition.
  • And even within the make and model, by definition no two phones can have the same serial number.

Why not? Because everyone says so.

It’s even part of the law.

Changing an IMEI number is illegal in many countries due to the potential misuse, such as using a stolen phone. Tampering with the IMEI can lead to severe legal consequences, including fines and imprisonment. This regulation helps in maintaining the integrity of mobile device tracking and discourages the theft and illegal resale of devices.

IMEIs in India

To all of the evidence above about the uniqueness of IMEI numbers, I only have two words:

So what?

A dedicated person can create or modify multiple smartphones to have the exact same IMEI number if desired. Here’s a recent example:

The Indore Police Crime Branch has dismantled two major digital arrest fraud rackets operating in different parts of the country, seizing a massive database containing private details of 20,000 pensioners in Indore….

A dark room in the flat functioned as the nerve centre of the cyber fraud operation, which had been active since 2019. The group specialised in IMEI cloning and used thousands of SIM cards from select mobile networks.

IMEIs in Canada

“Oh, but that’s India,” you say. “That couldn’t happen in a First World country.”

O Canada?

A Calgary senior is warning others after he was scammed out of $1,000 after buying what he thought was a new iPhone 15 Pro Max.

“I didn’t have any doubt that it was real,” Boyd told Global News….

The seller even provided him with the “original” receipt showing the phone had been purchased down east back in October 2023. Boyd said he also checked the phone’s serial number and the International Mobile Equipment Identity (IMEI). All checked out fine.

Boyd said the first sign of a problem was when he tried to update the phone with his own information and it wouldn’t update. It was only after he took it to a representative at a local Apple retailer, that he realized he had been duped.

IMEIs in general

Even IMEICheck.net, which notes that the threat of stealing one’s phone information is overrated, admits that it is possible (albeit difficult) to clone an IMEI number.

In theory, hackers can clone a phone using its IMEI, but this requires significant effort. They need physical access to the device or SIM card to extract data, typically using specialized tools.

The cloning process involves copying the IMEI and other credentials necessary to create a functional duplicate of the phone. However, IMEI number security features in modern devices are designed to prevent unauthorized cloning. Even if cloning is successful, hackers cannot access personal data such as apps, messages, photos, or passwords. Cloning usually only affects network-related functions, such as making calls or sending messages from the cloned device.

Again, NOTHING provides 100.00000% security. Not even an IMEI number.

What this means for IMEI uniqueness claims

So if you are claiming uniqueness of your smartphone’s IMEI, be aware that there are proven examples to the contrary.

Perhaps the shortcomings of IMEI uniqueness don’t matter in your case, and using IMEIs for individualization is “good enough.”

But I wouldn’t discuss war plans on such a device.

(Imagen 3 image. Oddly enough, Google Gemini was unable, or unwilling, to generate an image of three smartphones displaying the exact same 15-digit string of numbers, or even a 2-digit string. I guess Google thought I was a fraudster.)

Oh, and since I mentioned pocket calculators…excuse me, calcolatrici tascabili

Knowledge Ain’t Dead

Do you believe in intentional ignorance, stupidity, and idiocy?

Let me put it another way:

Do you believe in the “death of passwords”?

The rationale behind the decades-long death of passwords movement is that passwords do not provide 99.99999% security, therefore NO ONE should EVER EVER EVER use a password, or ANY other form of knowledge (PIN, first pet, what a traffic light looks like, college GPA, favorite RGB value).

I have a different view.

Knowledge CAN be part of a robust multi-factor identity verification or authentication solution.

Just like biometrics CAN be part of a robust multi-factor identity verification or authentication solution. Oh, you think biometrics should be the SOLE (geddit?) factor? I hate to break this to you, but biometrics do not provide 99.99999% security either.

And for the simpler use cases (such as garage sale money boxes), knowledge-based authentication such as a combination lock is a viable security system.

Don’t rely on passwords alone…

…but don’t completely ban them either. Knowledge ain’t dead.

Because advocating for the death of the password is as stupid as advocating for the death of the bicycle.

Make sure your bicycle has a wheel, spokes, seat, and drink holder, and don’t use any of the last six bicycles you previously used. By Havang(nl) – Public Domain, https://commons.wikimedia.org/w/index.php?curid=2327525

(Executioner image CC BY-SA 3.0)

Do All 5 Identity Factors Apply to Non-Human Identities?

I’ve talked ad nauseam about the five factors of identity verification and authentication. In case you’ve forgotten, these factors are:

  • Something you know.
  • Something you have.
  • Something you are.
  • Something you do.
  • Somewhere you are.

I’ll leave “somewhat you why” out of the discussion for now, but perhaps I’ll bring it back later.

These five (or six) factors are traditionally used to identify people.

Identifying “Non-Person Entities”

But what happens when the entity you want to identify is not a person? I’ll give two examples:

Kwebbelkop AI? https://www.youtube.com/watch?v=3l4KCbTyXQ4.
  • Kwebbelkop AI, discussed in “Human Cloning Via Artificial Intelligence: It’s Starting,” is not a human. But is there a way to identify the “real” Kwebbelkop AI from a “fake” one?
  • In “On Attribute-Based Access Control,” I noted that NIST defined a subject as “a human user or NPE (Non-Person Entity), such as a device that issues access requests to perform operations on objects.” Again, there’s a need to determine that the NPE has the right attributes, and is not a fake, deep or shallow.

There’s clearly a need to identify non-person entities. If I work for IBM and have a computer issued by IBM, the internal network needs to know that this is my computer, and not the computer of a North Korean hacker.

But I was curious. Can the five (or six) factors identify non-person entities?

Let’s consider factor applicability, going from the easiest to the hardest.

The easy factors

  • Somewhere you are. Not only is this extremely applicable to non-person entities, but in truth this factor doesn’t identify persons, but non-person entities. Think about it: a standard geolocation application doesn’t identify where YOU are. It identities where YOUR SMARTPHONE is. Unless you have a chip implant, there is nothing on your body that can identify your location. So obviously “somewhere you are” applies to NPEs.
  • Something you have. Another no brainer. If a person has “something,” that something is by definition an NPE. So “something you have” applies to NPEs.
  • Something you do. NPEs can do things. My favorite example is Kraftwerk’s pocket calculator. You will recall that “by pressing down this special key it plays a little melody.” I actually had a Casio pocket calculator that did exactly that, playing a tune that is associated with Casio. Later, Brian Eno composed a startup sound for Windows 95. So “something you do” applies to NPEs. (Although I’m forced to admit that an illegal clone computer and operating system could reproduce the Eno sound.)
Something you do, 1980s version. Advance to 1:49 to hear the little melody. https://www.youtube.com/watch?v=6ozWOe9WEU8.
Something you do, 1990s version. https://www.youtube.com/watch?v=miZHa7ZC6Z0.

Those three were easy. Now it gets harder.

The hard factors

Something you know. This one is a conceptual challenge. What does an NPE “know”? For artificial intelligence creations such as Kwebbelkop AI, you can look at the training data used to create it and maintain it. For a German musician’s (or an Oregon college student’s) pocket calculator, you can look at the code used in the device, from the little melody itself to the action to take when the user enters a 1, a plus sign, and another 1. But is this knowledge? I lean toward saying yes—I can teach a bot my mother’s maiden name just as easily as I can teach myself my maiden name. But perhaps some would disagree.

Something you are. For simplicity’s sake, I’ll stick to physical objects here, ranging from pocket calculators to hand-made ceramic plates. The major reason that we like to use “something you are” as a factor is the promise of uniqueness. We believe that fingerprints are unique (well, most of us), and that irises are unique, and that DNA is unique except for identical twins. But is a pocket calculator truly unique, given that the same assembly line manufactures many pocket calculators? Perhaps ceramic plates exhibit uniqueness, perhaps not.

That’s all five factors, right?

Well, let’s look at the sixth one.

Somewhat you why

You know that I like the “why” question, and some time ago I tried to apply it to identity.

  • Why is a person using a credit card at a McDonald’s in Atlantic City? (Link) Or, was the credit card stolen, or was it being used legitimately?
  • Why is a person boarding a bus? (Link) Or, was the bus pass stolen, or was it being used legitimately?
  • Why is a person standing outside a corporate office with a laptop and monitor? (Link) Or, is there a legitimate reason for an ex-employee to gain access to the corporate office?

The first example is fundamental from an identity standpoint. It’s taken from real life, because I had never used any credit card in Atlantic City before. However, there was data that indicated that someone with my name (but not my REAL ID; they didn’t exist yet) flew to Atlantic City, so a reasonable person (or identity verification system) could conclude that I might want to eat while I was there.

But can you measure intent for an NPE?

  • Does Kwebbelkop AI have a reason to perform a particular activity?
  • Does my pocket calculator have a reason to tell me that 1 plus 1 equals 3?
  • Does my ceramic plate have a reason to stay intact when I drop it ten meters?

I’m not sure.

By Bundesarchiv, Bild 102-13018 / CC-BY-SA 3.0, CC BY-SA 3.0 de, https://commons.wikimedia.org/w/index.php?curid=5480820.

Positioning, Messaging, and Your Facial Recognition Product Marketing

(Part of the biometric product marketing expert series)

By Original: Jack Ver at Dutch Wikipedia Vector: Ponor – Own work based on: Plaatsvector.png by Jack Ver at Dutch Wikipedia, CC BY-SA 4.0, https://commons.wikimedia.org/w/index.php?curid=95477901.

When marketing your facial recognition product (or any product), you need to pay attention to your positioning and messaging. This includes developing the answers to why, how, and what questions. But your positioning and your resulting messaging are deeply influenced by the characteristics of your product.

If facial recognition is your only modality

There are hundreds of facial recognition products on the market that are used for identity verification, authentication, crime solving (but ONLY as an investigative lead), and other purposes.

Some of these solutions ONLY use face as a biometric modality. Others use additional biometric modalities.

From Sandeep Kumar, A. Sony, Rahul Hooda, Yashpal Singh, in Journal of Advances and Scholarly Researches in Allied Education | Multidisciplinary Academic Research, “Multimodal Biometric Authentication System for Automatic Certificate Generation.”

Your positioning depends upon whether your solution only uses face, or uses other factors such as voice.

Of course, if you initially only offer a face solution and then offer a second biometric, you’ll have to rewrite all your material. “You know how we said that face is great? Well, face and gait are even greater!”

If biometrics is your only factor

It’s no secret that I am NOT a fan of the “passwords are dead” movement.

Too many of the tombstones are labeled “12345.” By GreatBernard – Own work, CC0, https://commons.wikimedia.org/w/index.php?curid=116933238.

It seems that many of the people that are waiting the long-delayed death of the password think that biometrics is the magic solution that will completely replace passwords.

For this reason, your company might have decided to use biometrics as your sole factor of identity verification and authentication.

Or perhaps your company took a different approach, and believes that multiple factors—perhaps all five factors—are required to truly verify and/or authenticate an individual. Use some combination of biometrics, secure documents such as driver’s licenses, geolocation, “something you do” such as a particular swiping pattern, and even (horrors!) knowledge-based authentication such as passwords or PINs.

This naturally shapes your positioning and messaging.

  • The single factor companies will argue that their approach is very fast, very secure, and completely frictionless. (Sound familiar?) No need to drag out your passport or your key fob, or to turn off your VPN to accurately indicate your location. Biometrics does it all!
  • The multiple factor companies will argue that ANY single factor can be spoofed, but that it is much, much harder to spoof multiple factors at once. (Sound familiar?)

So position yourself however you need to position yourself. Again, be prepared to change if your single factor solution adopts a second factor.

A final thought

Every company has its own way of approaching a problem, and your company is no different. As you prepare to market your products, survey your product, your customers, and your prospects and choose the correct positioning (and messaging) for your own circumstances.

And if you need help with biometric positioning and messaging, feel free to contact the biometric product marketing expert, John E. Bredehoft. (Full-time employment opportunities via LinkedIn, consulting opportunities via Bredemarket.)

In the meantime, take care of yourself, and each other.

Jerry Springer. By Justin Hoch, CC BY 2.0, https://commons.wikimedia.org/w/index.php?curid=16673259.

Defeating Synthetic Identity Fraud

I’ve talked about synthetic identity fraud a lot in the Bredemarket blog over the past several years. I’ll summarize a few examples in this post, talk about how to fight synthetic identity fraud, and wrap up by suggesting how to get the word out about your anti-synthetic identity solution.

But first let’s look at a few examples of synthetic identity.

Synthetic identities pop up everywhere

As far back as December 2020, I discussed Kris’ Rides’ encounter with a synthetic employee from a company with a number of synthetic employees (many of who were young females).

More recently, I discussed attempts to create synthetic identities using gummy fingers and fake/fraudulent voices. The topic of deepfakes continues to be hot across all biometric modalities.

From https://www.candynation.com/gummy-fingers

I shared a video I created about synthetic identities and their use to create fraudulent financial identities.

From https://www.youtube.com/watch?v=oDrSBlDJVCk.

I even discussed Kelly Shepherd, the fake vegan mom created by HBO executive Casey Bloys to respond to HBO critics.

From https://twitter.com/KellySh33889356.

And that’s just some of what Bredemarket has written about synthetic identity. You can find the complete list of my synthetic identity posts here.

So what? You must fight!

It isn’t enough to talk about the fact that synthetic identities exist: sometimes for innocent reasons, sometimes for outright fraudulent reasons.

You need to communicate how to fight synthetic identities, especially if your firm offers an anti-fraud solution.

Public Domain, https://commons.wikimedia.org/w/index.php?curid=607428.

Here are four ways to fight synthetic identities:

  1. Checking the purported identity against private databases, such as credit records.
  2. Checking the person’s driver’s license or other government document to ensure it’s real and not a fake.
  3. Checking the purported identity against government databases, such as driver’s license databases. (What if the person presents a real driver’s license, but that license was subsequently revoked?)
  4. Perform a “who you are” biometric test against the purported identity.

If you conduct all four tests, then you have used multiple factors of authentication to confirm that the person is who they say they are. If the identity is synthetic, chances are the purported person will fail at least one of these tests.

Do you fight synthetic identity fraud?

If you fight synthetic identity fraud, you should let people know about your solution.

Perhaps you can use Bredemarket, the identity content marketing expertI work with you (and I have worked with others) to ensure that your content meets your awareness, consideration, and/or conversion goals.

How can I work with you to communicate your firm’s anti-synthetic identity message? For example, I can apply my identity/biometric blog expert knowledge to create an identity blog post for your firm. Blog posts provide an immediate business impact to your firm, and are easy to reshare and repurpose. For B2B needs, LinkedIn articles provide similar benefits.

If Bredemarket can help your firm convey your message about synthetic identity, let’s talk.

Drive content results with Bredemarket Identity Firm Services.

Authenticator Assurance Levels (AALs) and Digital Identity

(Part of the biometric product marketing expert series)

Back in December 2020, I dove into identity assurance levels (IALs) and digital identity, subsequently specifying the difference between identity assurance levels 2 and 3. These IALs are defined in section 4 of NIST Special Publication 800-63A, Digital Identity Guidelines, Enrollment and Identity Proofing Requirements.

It’s past time for me to move ahead to authenticator assurance levels (AALs).

Where are authenticator assurance levels defined?

Authenticator assurance levels are defined in section 4 of NIST Special Publication 800-63B, Digital Identity Guidelines, Authentication and Lifecycle Management. As with IALs, the AALs progress to higher levels of assurance.

  • AAL1 (some confidence). AAL1, in the words of NIST, “provides some assurance.” Single-factor authentication is OK, but multi-factor authentication can be used also. All sorts of authentication methods, including knowledge-based authentication, satisfy the requirements of AAL1. In short, AAL1 isn’t exactly a “nothingburger” as I characterized IAL1, but AAL1 doesn’t provide a ton of assurance.
  • AAL2 (high confidence). AAL2 increases the assurance by requiring “two distinct authentication factors,” not just one. There are specific requirements regarding the authentication factors you can use. And the security must conform to the “moderate” security level, such as the moderate security level in FedRAMP. So AAL2 is satisfactory for a lot of organizations…but not all of them.
  • AAL3 (very high confidence). AAL3 is the highest authenticator assurance level. It “is based on proof of possession of a key through a cryptographic protocol.” Of course, two distinct authentication factors are required, including “a hardware-based authenticator and an authenticator that provides verifier impersonation resistance — the same device MAY fulfill both these requirements.”

This is of course a very high overview, and there are a lot of…um…minutiae that go into each of these definitions. If you’re interested in that further detail, please read section 4 of NIST Special Publication 800-63B for yourself.

Which authenticator assurance level should you use?

NIST has provided a handy dandy AAL decision flowchart in section 6.2 of NIST Special Publication 800-63-3, similar to the IAL decision flowchart in section 6.1 that I reproduced earlier. If you go through the flowchart, you can decide whether you need AAL1, AAL2, or the very high AAL3.

The AAL CYOA from https://pages.nist.gov/800-63-3/sp800-63-3.html#63Sec6-Figure2.

One of the key questions is the question flagged as 2, “Are you making personal data accessible?” The answer to this question in the flowchart moves you between AAL2 (if personal data is made accessible) and AAL1 (if it isn’t).

So what?

Do the different authenticator assurance levels provide any true benefits, or are they just items in a government agency’s technical check-off list?

Perhaps the better question to ask is this: what happens if the WRONG person obtains access to the data?

  • Could the fraudster cause financial loss to a government agency?
  • Threaten personal safety?
  • Commit civil or criminal violations?
  • Or, most frightening to agency heads who could be fired at any time, could the fraudster damage an agency’s reputation?

If some or all of these are true, then a high authenticator assurance level is VERY beneficial.

Worldcoin Publicly Exposes Its Security

One advantage of an open source project is that there are far fewer secrets to hide. If a commercial firm develops biometric products, it has a responsibility to its investors to not release sensitive information.

From https://worldcoin.org/blog/worldcoin/orb-faqs

Worldcoin has few limitations on sharing information because it is an open source project, so when governments in Argentina, Kenya, and elsewhere raised questions about what Worldcoin does with its citizens’ biometric data, Worldcoin could afford to conduct a security assessment…and publicly share the results.

Although findings…describe potential attack surfaces and are of high or medium severity, (Trail of Bits’) analysis did not uncover vulnerabilities in the Orb’s code…

From https://github.com/trailofbits/publications/blob/master/reviews/2023-08-worldcoin-orb-securityreview.pdf

Read Trail of Bits’ full report at https://github.com/trailofbits/publications/blob/master/reviews/2023-08-worldcoin-orb-securityreview.pdf. Note that Trail of Bits ONLY analyzed the software running on the Orb, NOT the back-end software.

Also see Biometric Update’s coverage. It notes that Trail of Bits also analyzed the security of Voatz’s voting software.

Why Knowledge-Based Authentication Fails at Authentication

In a recent project for a Bredemarket client, I researched how a particular group of organizations identified their online customers. Their authentication methods fell into two categories. One of these methods was much better than the other.

Multifactor authentication

Some of the organizations employed robust authentication procedures that included more than one of the five authentication factors—something you know, something you have, something you are, something you do, and/or somewhere you are.

From Krishamurty Pammi, https://krishnamurtypammi-technology.blogspot.com/p/security-management-two.html.

For example, an organization may require you to authenticate with biometric data, a government-issued identification document, and sometimes some additional textual or location data.

From IDmission, https://www.idmission.com/identity-solutions/identity-verification.

Knowledge-based authentication

Other organizations employed only one of the factors, something you know.

  • Not something as easy to crack as a password.
  • Instead they used the supposedly robust authentication method of “knowledge-based authentication,” or KBA.

The theory behind KBA is that if you ask multiple questions of a person based upon data from various authoritative databases, the chance of a fraudster knowing ALL of this data is minimal.

From Alloy, “Why knowledge-based authentication (KBA) is not effective,” https://www.alloy.com/blog/answering-my-own-authentication-questions-prove-that-theyre-useless.

Steve Craig found out the hard way that KBA is not infallible.

The hotel loyalty hack

Steve Craig is the Founder and CEO of PEAK IDV, a company dedicated to educating individuals on identity verification and fraud prevention.

From PEAK IDV, https://www.peakidv.com/.

Sadly, Craig himself was recently a victim of fraud, and it took him several hours to resolve the issue.

I’m not going to repeat all of Craig’s story, which you can read in his LinkedIn post. But I do want to highlight one detail.

  • When the fraudster took over Craig’s travel-related account, the hotel used KBA to confirm that the fraudster truly was Steve Craig, specifically asking “when and where was your last hotel stay?”
  • Only one problem: the “last hotel stay” was one from the fraudster, NOT from Craig. The scammer fraudulently associated their hotel stay with Craig’s account.
  • This spurious “last hotel stay” allowed the fraudster to not only answer the “last hotel stay” question correctly, but also to take over Craig’s entire account, including all of Craig’s loyalty points.

And with that one piece of knowledge, Craig’s account was breached.

The “knowledge” used by knowledge based authentication

Craig isn’t the only one who can confirm that KBA by itself doesn’t work. I’ve already shared an image from an Alloy article demonstrating the failures of KBA, and there are many similar articles out there.

The biggest drawback of KBA is the assumption that ONLY the person can answer all the knowledge corrections correctly is false. All you have to do is participate in one of those never-ending Facebook memes that tell you something based on your birthday, or your favorite pet. Don’t do it.

Why do organizations use KBA?

So why do organizations continue to use KBA as their preferred authentication method? Fraud.com lists several attractive, um, factors:

  • Ease of implementation. It’s easier to implement KBA than it is to implement biometric authentication and/or ID card-based authentication.
  • Ease of use. It’s easier to click on answers to multiple choice questions than it is to capture an ID card, fingerprint, or face. (Especially if active liveness detection is used.)
  • Ease of remembrance. As many of us can testify, it’s hard to remember which password is associated with a particular website. With KBA, you merely have to answer a multiple choice quiz, using information that you already know (at least in theory).

Let me add one more:

  • Presumed protection of personally identifiable information (PII). Uploading your face, fingerprint, or driver’s license to a mysterious system seems scary. It APPEARS to be a lot safer to just answer some questions.

But in my view, the risks that someone else can get all this information (or create spurious information) and use it to access your account outweigh the benefits listed above. Even Fraud.com, which lists the advantages of KBA, warns about the risks and recommend coupling KBA with some other authentication method.

But KBA isn’t the only risky authentication factor out there

We already know that passwords can be hacked. And by now we should realize that KBA could be hacked.

But frankly, ANY single authentication can be hacked.

  • After Steve Craig resolved his fraud issue, he asked the hotel how it would prevent fraud in the future. The hotel responded that it would use caller ID on phone calls made to the hotel. Wrong answer.
  • While the biometric vendors are improving their algorithms to detect deepfakes, no one can offer 100% assurance that even the best biometric algorithms can prevent all deepfake attempts. And people don’t even bother to use biometric algorithms if the people on the Zoom call LOOK real.
  • While the ID card analysis vendors (and the ID card manufacturers themselves) are constantly improving their ability to detect fraudulent documents, no one can offer 100% assurance that a presented driver’s license is truly a driver’s license.
  • Geolocation has been touted as a solution by some. But geolocation can be hacked also.

In my view, the best way to minimize (not eliminate) fraudulent authentication is to employ multiple factors. While someone could create a fake face, or a fake driver’s license, or a fake location, the chances of someone faking ALL these factors are much lower than the chances of someone faking a single factor.

You knew the pitch was coming, didn’t you?

If your company has a story to tell about how your authentication processes beat all others, I can help.

Drive content results with Bredemarket Identity Firm Services.

Announcing a WhatsApp Channel for Identity, Biometrics, ID Documents, and Geolocation

From NIST.

I’ve previously stated that Bredemarket is present on a bunch of social platforms.

Well, if you’re a subscriber to the Bredemarket mailing list, or to the Bredemarket Threads account, then you already know what I’m about to say. Bredemarket is now on one additional social platform…kinda sorta.

I’ll explain:

  • What WhatsApp channels are.
  • How this impacted me.
  • Most importantly, why this may, or may not, impact you.

(Long-time readers of the Bredemarket blog see what I did there. In reverse.)

What are WhatsApp channels?

Meta, the company that owns Facebook, Instagram, WhatsApp, Threads, and half the known universe, wants to keep people on those social platforms. They can check out any time they like, but they can never leave.

Scanned by Wikipedia user David Fell from the CD cover, Fair use, https://en.wikipedia.org/w/index.php?curid=14790284

So now WhatsApp, the service that was originally intended for PRIVATE communications between people that knew each other’s phone numbers, is now your latest source for Kardashians news. Seriously; there are millions of people who follow the Daily Mail’s “Kardashians News” channel.

No, this is NOT a Kardashian (yet), but this is something that @cultpopcult would post (with a misattribution) so I’m doing it myself. By Office of Congressman Greg Steube – https://twitter.com/RepGregSteube/status/1451579098606620673, Public Domain, https://commons.wikimedia.org/w/index.php?curid=112088903

Some people are kinda sorta breathless about this, if you take the IMM Institute’s LinkedIn article “WhatsApp Channels: Revolutionising Business Communication” as evidence.

WhatsApp, a widely used messaging platform, has recently introduced a revolutionary feature known as WhatsApp Channels. This innovation empowers businesses to thrive by effectively communicating with a broader audience, sharing vital information, and engaging with customers in a more personalised and efficient manner.

From LinkedIn.

Revolutionary? Frankly, this isn’t any more revolutionary than the similar broadcasting feature in Instagram, with one important difference: not everyone can create an Instagram channel, but anyone with WhatsApp channel access can set up their own channel.

    Which got me thinking.

    How I was impacted by WhatsApp Channels

    I began mulling over whether I should create my own WhatsApp channel, but initially decided against it. Bredemarket has enough social media properties already, and the need to put Bredemarket stuff on WhatsApp is not pressing (the “100” WhatsApp group members get enough Bredemarket stuff already). The chances of someone ONLY being on WhatsApp and not on ANY other channel are slim.

    I’d just follow the existing WhatsApp channels on identity, biometrics, and related topics.

    But I couldn’t find any.

    So I created my own channel last Friday entitled “Identity, Biometrics, ID Documents, and Geolocation.”

    Why should you care?

    Why should you care about my WhatsApp identity channel? Maybe you SHOULDN’T.

    If you don’t use WhatsApp, ignore the WhatsApp channel.

    If you use WhatsApp but have other sources for identity industry information (such as my Facebook group/LinkedIn page), ignore the WhatsApp channel.

    But if you love WhatsApp AND identity, here is the follow link for “Identity, Biometrics, ID Documents, and Geolocation.”

    https://whatsapp.com/channel/0029VaARoeEKbYMQE9OVDG3a

    Converting Prospects For Your Firm’s “Something You Are” Solution

    As identity/biometric professionals well know, there are five authentication factors that you can use to gain access to a person’s account. (You can also use these factors for identity verification to establish the person’s account in the first place.)

    I described one of these factors, “something you are,” in a 2021 post on the five authentication factors.

    Something You Are. I’ve spent…a long time with this factor, since this is the factor that includes biometrics modalities (finger, face, iris, DNA, voice, vein, etc.). It also includes behavioral biometrics, provided that they are truly behavioral and relatively static.

    From https://bredemarket.com/2021/03/02/the-five-authentication-factors/

    As I mentioned in August, there are a number of biometric modalities, including face, fingerprint, iris, hand geometry, palm print, signature, voice, gait, and many more.

    From Sandeep Kumar, A. Sony, Rahul Hooda, Yashpal Singh, in Journal of Advances and Scholarly Researches in Allied Education | Multidisciplinary Academic Research, “Multimodal Biometric Authentication System for Automatic Certificate Generation.”

    If your firm offers an identity solution that partially depends upon “something you are,” then you need to create content (blog, case study, social media, white paper, etc.) that converts prospects for your identity/biometric product/service and drives content results.

    Bredemarket can help.

    Click below for details.

    Drive Content Results with Bredemarket Identity Firm Services.