Tag Archives: authentication

The Difference Between Identity Factors and Identity Modalities

(Part of the biometric product marketing expert series)

I know that I’m the guy who likes to say that it’s all semantics. After all, I’m the person who has referred to five-page long documents as “battlecards.”

But sometimes the semantics are critically important. Take the terms “factors” and “modalities.” On the surface they sound similar, but in practice there is an extremely important difference between factors of authentication and modalities of authentication. Let’s discuss.

What is a factor?

To answer the question “what is a factor,” let me steal from something I wrote back in 2021 called “The five authentication factors.”

Something You Know. Think “password.” And no, passwords aren’t dead. But the use of your mother’s maiden name as an authentication factor is hopefully decreasing.

Something You Have. I’ve spent much of the last ten years working with this factor, primarily in the form of driver’s licenses. (Yes, MorphoTrak proposed driver’s license systems. No, they eventually stopped doing so. But obviously IDEMIA North America, the former MorphoTrust, has implemented a number of driver’s license systems.) But there are other examples, such as hardware or software tokens.

Something You Are. I’ve spent…a long time with this factor, since this is the factor that includes biometrics modalities (finger, face, iris, DNA, voice, vein, etc.). It also includes behavioral biometrics, provided that they are truly behavioral and relatively static.

Something You Do. The Cybersecurity Man chose to explain this in a non-behavioral fashion, such as using swiping patterns to unlock a device. This is different from something such as gait recognition, which supposedly remains constant and is thus classified as behavioral biometrics.

Somewhere You Are. This is an emerging factor, as smartphones become more and more prevalent and locations are therefore easier to capture. Even then, however, precision isn’t always as good as we want it to be. For example, when you and a few hundred of your closest friends have illegally entered the U.S. Capitol, you can’t use geolocation alone to determine who exactly is in Speaker Pelosi’s office.

From https://bredemarket.com/2021/03/02/the-five-authentication-factors/

(By the way, if you search the series of tubes for reading material on authentication factors, you’ll find a lot of references to only three authentication factors, including references from some very respectable sources. Those sources are only 60% right, since they leave off the final two factors I listed above. It’s five factors of authentication, folks. Maybe.)

The one striking thing about the five factors is that while they can all be used to authenticate (and verify) identities, they are inherently different from one another. The ridges of my fingerprint bear no relation to my 16 character password, nor do they bear any relation to my driver’s license. These differences are critical, as we shall see.

What is a modality?

In identity usage, a modality refers to different variations of the same factor. This is most commonly used with the “something you are” (biometric) factor, but it doesn’t have to be.

Biometric modalities

The identity company Aware, which offers multiple biometric solutions, spent some time discussing several different biometric modalities.

[M]any businesses and individuals (are adopting) biometric authentication as it been established as the most secure authentication method surpassing passwords and pins. There are many modalities of biometric authentication to pick from, but which method is the best?  

From https://www.aware.com/blog-which-biometric-authentication-method-is-the-best/

After looking at fingerprints, faces, voices, and irises, Aware basically answered its “best” question by concluding “it depends.” Different modalities have their own strengths and weaknesses, depending upon the use case. (If you wear thick gloves as part of your daily work, forget about fingerprints.)

ID R&D goes a step further and argues that it’s best to use multimodal biometrics, in which the two biometrics are face and voice. (By an amazing coincidence, ID R&D offers face and voice solutions.)

And there are many other biometric modalities.

From Sandeep Kumar, A. Sony, Rahul Hooda, Yashpal Singh, in Journal of Advances and Scholarly Researches in Allied Education | Multidisciplinary Academic Research, “Multimodal Biometric Authentication System for Automatic Certificate Generation.”

Non-biometric modalities

But the word “modalities” is not reserved for biometrics alone. The scientific paper “Multimodal User Authentication in Smart Environments: Survey of User Attitudes,” just released in May, includes this image that lists various modalities. As you can see, two of the modalities are not like the others.

From Aloba, Aishat & Morrison-Smith, Sarah & Richlen, Aaliyah & Suarez, Kimberly & Chen, Yu-Peng & Ruiz, Jaime & Anthony, Lisa. (2023). Multimodal User Authentication in Smart Environments: Survey of User Attitudes. Creative Commons Attribution 4.0 International
  • The three modalities in the middle—face, voice, and fingerprint—are all clearly biometric “something you are” modalities.
  • But the modality on the left, “Make a body movement in front of the camera,” is not a biometric modality (despite its reference to the body), but is an example of “something you do.”
  • Passwords, of course, are “something you know.”

In fact, each authentication factor has multiple modalities.

  • For example, a few of the modalities associated with “something you have” include driver’s licenses, passports, hardware tokens, and even smartphones.

Why multifactor is (usually) more robust than multimodal

Modalities within a single authentication factor are more closely related than modalities within multiple authentication factors. As I mentioned above when talking about factors, there is no relationship between my fingerprint, my password, and my driver’s license. However, there is SOME relationship between my driver’s license and my passport, since the two share some common information such as my legal name and my date of birth.

What does this mean?

  • If I’ve fraudulently created a fake driver’s license in your name, I already have some of the information that I need to create a fake passport in your name.
  • If I’ve fraudulently created a fake iris, there’s a chance that I might already have some of the information that I need to create a fake face.
  • However, if I’ve bought your Coinbase password on the dark web, that doesn’t necessarily mean that I was able to also buy your passport information on the dark web (although it is possible).

Therefore, while multimodal authentication is better tha unimodal authentication, multifactor authentication is usually better still (unless, as Incode Technologies notes, one of the factors is really, really weak).

Can an identity content marketing expert help you navigate these issues?

As you can see, you need to be very careful when writing about modalities and factors.

You need a biometric content marketing expert who has worked with many of these modalities.

Actually, you need an identity content marketing expert who has worked with many of these factors.

So if you are with an identity company and need to write a blog post, LinkedIn article, white paper, or other piece of content that touches on multifactor and multimodal issues, why not engage with Bredemarket to help you out?

If you’re interested in receiving my help with your identity written content, contact me.

Kenya Concerns About Worldcoin Data: WHAT Data?

Biometric Update linked to an AFP article (via Africanews) that referenced a statement by the Ministry of the Interior Cabinet Secretary Kithure Kindiki, portions of which were quoted by Citizen Digital.

“Relevant security, financial services and data protection agencies have commenced inquiries and investigations to establish the authenticity and legality of the aforesaid activities, the safety and protection of the data being harvested, and how the harvesters intend to use the data,” read part of the statement.

“Further, it will be critical that assurances of public safety and the integrity of the financial transactions involving such a large number of citizens be satisfactorily provided upfront.”

From https://www.citizen.digital/news/government-suspends-activities-of-worldcoin-citing-safety-concerns-n324708

The big brouhaha has occurred because Worldcoin is using a device called the Orb to collect images of people’s irises.

From https://worldcoin.org/blog/worldcoin/orb-faqs

And Worldcoin is also collecting…

well, nothing else.

And even the iris image data that Worldcoin DOES collect isn’t retained unless people request it.

Since no two people have the same iris pattern and these patterns are very hard to fake, the Orb can accurately tell you apart from everyone else without having to collect any other information about you — not even your name.

Importantly, the images of you and your iris pattern are permanently deleted as soon as you have signed up, unless you opt in to Data Custody to reduce the number of times you may need to go back to an Orb. Either way, the images are not connected to your Worldcoin tokens, transactions, or World ID.

From https://worldcoin.org/privacy

Ah, but Worldcoin does retain…an iris code. A lot of good THAT’S gonna do a scammer.

Your biometric data is first processed locally on the Orb and then permanently deleted. The only data that remains is your iris code. This iris code is a set of numbers generated by the Orb and is not linked to your wallet or any of your personal information. As a result, it really tells us — and everyone else — nothing about you. All it does is stop you from being able to sign up again.

Since you are not required to provide personal information like your name, email address, physical address or phone number, this means that you can easily sign up without us ever knowing anything about you.

From https://worldcoin.org/privacy

And no, you cannot reverse engineer an iris image from the iris code. In fact, you can’t reverse engineer any biometric image from its biometric template.

And even if you could reverse engineer an iris image, what are you going to do with it? You don’t know who owns it. It probably doesn’t belong to Bill Gates. It probably belongs to an impoverished Kenyan. (Good luck getting that person’s US$2.00. Which they probably already sold.)

Because—and here’s the thing that people forget about Worldcoin—”Worldcoin’s World ID emphasizes privacy so much that it does not conclusively prove a person’s identity (it only proves a person’s uniqueness).” (Link)

So how are governments and companies supposed to use Worldcoin?

Companies could pay Worldcoin to use its digital identity system, for example if a coffee shop wants to give everyone one free coffee, then Worldcoin’s technology could be used to ensure that people do not claim more than one coffee without the shop needing to gather personal data, Macieira said.

From https://www.reuters.com/technology/worldcoin-says-will-allow-companies-governments-use-its-id-system-2023-08-02/

Yup, that’s the use case. To allow 8 billion people to each claim one cup of coffee.

  • Not just the people who are members of the coffee company’s rewards club.
  • Not just the people who have purchased a certain amount of coffee.
  • Not just the people in the United States and Colombia.

Worldcoin can’t do those things, because even Worldcoin doesn’t know anything about its users.

Which means, by the way, that the World ID can’t be used in elections or national/state government welfare benefits distribution.

  • Sure it can be used to prove that someone hasn’t voted twice, or received benefits under two different names.
  • But it has no way of knowing whether the individual is qualified to vote or receive benefits. Maybe the person doesn’t live in the local jurisdiction. For voting, maybe the person lives there but is not a citizen. For benefits, maybe the person has too much income to qualify. Worldcoin doesn’t have a clue if any of these things are true.

So apparently the Kenyan authorities are worried that Worldcoin is gathering too much data.

I’m worried that Worldcoin is gathering not enough data for most practical use cases.

Well, unless you want to buy the world a Coke.

From https://www.youtube.com/watch?v=1VM2eLhvsSM

Five Topics a Biometric Content Marketing Expert Needs to Understand

As a child, did you sleep at night dreaming that someday you could become a biometric content marketing expert?

“Someday I will star in a video about a document reader!” By Carlos María Herrera – http://www.castells.com.uy/pn_ago06/41-60.htm, Public Domain, https://commons.wikimedia.org/w/index.php?curid=8132604

I didn’t either. Frankly, I didn’t even work in biometrics professionally until I was in my 30s.

If you have a mad adult desire to become a biometric content marketing expert, here are five topics that I (a self-styled biometric content marketing expert) think you need to understand.

Topic One: Biometrics

Sorry to be Captain Obvious, but if you’re going to talk about biometrics you need to know what you’re talking about.

The days in which an expert could confine themselves to a single biometric modality are long past. Why? Because once you declare yourself an iris expert, someone is bound to ask, “How does iris recognition compare to facial recognition?”

Only some of the Biometrics Institute’s types of biometrics. Full list at https://www.biometricsinstitute.org/what-is-biometrics/types-of-biometrics/

And there are a number of biometric modalities. In addition to face and iris, the Biometrics Institute has cataloged a list of other biometric modalities, including fingerprints/palmprints, voice, DNA, vein, finger/hand geometry, and some more esoteric ones such as gait, keystrokes, and odor. (I wouldn’t want to manage the NIST independent testing for odor.)

As far as I’m concerned, the point isn’t to select the best biometric and ignore all the others. I’m a huge fan of multimodal biometrics, in which a person’s identity is verified or authenticated by multiple biometric types. It’s harder to spoof multiple biometrics than it is to spoof a single one. And even if you spoof two of them, what if the system checks for odor and you haven’t spoofed that one yet?

Topic Two: All the other factors

In the same way that I don’t care for people who select one biometric and ignore the others, I don’t care for some in the “passwords are dead” crowd who go further and say, “Passwords are dead. Use biometrics instead.”

Although I admire the rhyming nature of the phrase.

If you want a robust identity system, you need to use multiple factors in identity verification and authentication.

  • Something you know.
  • Something you have.
  • Something you are (i.e. biometrics).
  • Something you do.
  • Somewhere you are.

Again, use of multiple factors protects against spoofing. Maybe someone can create a gummy fingerprint, but can they also create a fake passport AND spoof the city in which you are physically located?

From https://www.youtube.com/shorts/mqfHAc227As

Don’t assume that biometrics answers all the ills of the world. You need other factors.

And if you master these factors, you are not only a biometric content marketing expert, but also an identity content marketing expert.

Topic Three: How biometrics are used

It’s not enough to understand the technical ins and outs of biometric capture, matching, and review. You need to know how biometrics are used.

  • One-to-one vs. one-to-many. Is the biometric that you acquire only compared to a single biometric samples, or to a database of hundreds, thousands, millions, or billions of other biometric samples?
  • Markets. When I started in biometrics, I only participated in two markets: law enforcement (catch bad people) and benefits (get benefit payments to the right people). There are many other markets. Just recently I have written about financial identity and educational identity. I’ve worked with about a dozen other markets personally, and there are many more.
  • Use cases. Related to markets, you need to understand the use cases that biometrics can address. Taking the benefits example, there’s a use case in which a person enrolls for benefits, and the government agency wants to make sure that the person isn’t already enrolled under another name. And there’s a use cases when benefits are paid to make sure that the authorized recipient receives their benefits, and no one else receives their benefits.
  • Legal and privacy issues. It is imperative that you understand the legal ramifications that affect your chosen biometric use case in your locality. For example, if your house has a doorbell camera that uses “familiar face detection” to identify the faces of people that come to your door, and the people that come to your door are residents of the state of Illinois, you have a BIG BIPA (Biometric Information Privacy Act) problem.

Any identity content marketing expert or biometric content marketing expert worth their salt will understand these and related issues.

Topic Four: Content marketing

This is another Captain Obvious point. If you want to present yourself as a biometric contet marketing expert or identity content marketing expert, you have to have a feel for content marketing.

Here’s how HubSpot defines content marketing:

The definition of content marketing is simple: It’s the process of publishing written and visual material online with the purpose of attracting more leads to your business. These can include blog posts, pages, ebooks, infographics, videos, and more.

From https://blog.hubspot.com/marketing/content-marketing

Here are all the types of content in which one content marketer claims proficiency (as of July 27, 2023, subject to change):

Articles • Battlecards (80+) • Blog Posts (400+) • Briefs/Data/Literature Sheets • Case Studies (12+) • Competitive Analyses • Email Newsletters (200+) • Event/Conference/Trade Show Demonstration Scripts • FAQs • Plans • Playbooks • Presentations • Proposal Templates • Proposals (100+) • Quality Improvement Documents • Requirements • Scientific Book Chapters • Smartphone Application Content • Social Media (Facebook, Instagram, LinkedIn, Threads, TikTok, Twitter) • Strategic Analyses • Web Page Content • White Papers and E-Books

From https://www.linkedin.com/in/jbredehoft/, last updated 7/27/2023.

Now frankly, that list is pretty weak. You’ll notice that it doesn’t include Snapchat.

But content marketers need to be comfortable with creating at least one type of content.

Topic Five: How L-1 Identity Solutions came to be

Yes, an identity content marketing expert needs to thoroughly understand how L-1 Identity Solutions came to be.

I’m only half joking.

Back in the late 1990s and early 2000s (I’ll ignore FpVTE results for a moment), the fingerprint world in which I worked recognized four major vendors: Cogent, NEC, Printrak (later part of Motorola), and Sagem Morpho.

And then there were all these teeny tiny vendors that offered biometric and non-biometric solutions, including the fierce competitors Identix and Digital Biometrics, the fierce competitors Viisage and Visionics, and a bunch of other companies like Iridian.

Wel, there WERE all these teeny tiny vendors.

Until Bob LaPenta bought them all up and combined them into a single company, L-1 Identity Solutions. (LaPenta was one of the “Ls” in L-3, so he chose the name L-1 when he started his own company.)

So around 2008 the Big Four (including a post-FpVTE Motorola) became the Big Five, since L-1 Identity Solutions was now at the table with the big boys.

But then several things happened:

  • Motorola started selling off parts of itself. One of those parts, its Biometric Business Unit, was purchased by Safran (the company formed after Sagem and Snecma merged). This affected me because I, a Motorola employee, became an employee of MorphoTrak, the subsidiary formed when Sagem Morpho de facto acquired “Printrak” (Motorola’s Biometric Business Unit). So now the Big Five were the Big Four.
  • Make that the Big Three, because Safran also bought L-1 Identity Solutions, which became MorphoTrust. MorphoTrak and MorphoTrust were separate entities, and in fact competed against each other, so maybe we should say that the Big Four still existed.
  • Oh, and by the way, the independent company Cogent was acquired by 3M (although NEC considered buying it).
  • A few years later, 3M sold bits of itself (including the Cogent bit) to Gemalto.
  • Then in 2017, Advent International (which owned Oberthur) acquired bits of Safran (the “Morpho” part) and merged them with Oberthur to form IDEMIA. As a consequence of this, MorphoTrust de facto acquired MorphoTrak, ending the competition but requiring me to have two separate computers to access the still-separate MorphoTrust and MorphoTrak computer networks. (In passing, I have heard from two sources, but have not confirmed myself, that the possible sale of IDEMIA is on hold.)
  • And Gemalto was acquired by Thales.

So as of 2023, the Big Three (as characterized by Maxine Most and FindBiometrics) are IDEMIA, NEC, and Thales.

Why do I mention all this? Because all these mergers and acquisitions have resulted in identity practitioners working for a dizzying number of firms.

As of August 2023, I myself have worked for five identity firms, but in reality four of the five are the same firm because the original Printrak International kept on getting acquired (Motorola, Safran, IDEMIA).

And that’s nothing. One of my former Printrak coworkers (R.M.) has also worked for Digital Biometrics (now part of IDEMIA), Cross Match Technologies (now part of ASSA ABLOY), Iridian (now part of IDEMIA), Datastrip, Creative Information Technology, AGNITiO, iTouch Biometrics, NDI Recognition Systems, iProov, and a few other firms here and there.

The point is that everybody knows everybody because everybody has worked with (and against) everybody. And with all the job shifts, it’s a regular Peyton Place.

By ABC Television – eBay itemphoto frontphoto back, Public Domain, https://commons.wikimedia.org/w/index.php?curid=17252688

Not sure which one is me, which one is R.M., and who the other people are.

Do you need an identity content marketing expert today?

Do you need someone who not only knows biometrics and content marketing, but also all the other factors, their uses, and even knows the tangled history of L-1?

Someone who offers:

  • No identity learning curve?
  • No content learning curve?
  • Proven results?

If I can help you create your identity content, contact me.

Educational Identity: Why and How Do Educational Institutions Verify Identities?

Chaffey High School, Ontario California.

Whether a student is attending a preschool, a graduate school, or something in between, the educational institution needs to know who is accessing their services. This post discusses the types of identity verification and authentication that educational institutions may employ.

Why do educational institutions need to verify and authenticate identities?

Whether little Johnny is taking his blanket to preschool, or Johnny’s mother is taking her research notes to the local university, educational institutions such as schools, colleges, and universities need to know who the attendees are. It doesn’t matter whether the institution has a physical campus, like Chaffey High School’s campus in the video above, or if the institution has a virtual campus in which people attend via their computers, tablets, or phones.

Access boils down to two questions:

  • Who is allowed within the educational institution?
  • Who is blocked from the educational institution?

Who is allowed within the educational institution?

Regardless of the type of institution, there are certain people who are allowed within the physical and/or virtual campus.

  • Students.
  • Instructors, including teachers, teaching assistants/aides, and professors.
  • Administrators.
  • Staff.
  • Parents of minor students (but see below).
  • Others.

All of these people are entitled to access to at least portions of the campus, with different people having access to different portions of the campus. (Students usually can’t enter the teacher’s lounge, and hardly anybody has full access to the computer system where grades are kept.)

Before anyone is granted campus privileges, they have to complete identity verification. This may be really rigorous, but in some cases it can’t be THAT rigorous (how many preschoolers have a government ID?). Often, it’s not rigorous at all (“Can you show me a water bill? Is this your kid? OK then.”).

Once an authorized individual’s identity is verified, they need to be authenticated when they try to enter the campus. This is a relatively new phenomenon, in response to security threats at schools. Again, this could be really rigorous. For example, when students at a University of Rhode Island dining hall want to purchase food from the cafeteria, many of then consent to have their fingerprints scanned.

From https://www.youtube.com/watch?v=JzMDF_LN_LU

Another rigorous example: people whose biometrics are captured when taking exams, to deter cheating.

But some authentiation is much less rigorous. In these cases, people merely show an ID (hopefully not a fake ID) to authenticate themselves, or a security guard says “I know Johnny.”

(Again, all this is new. Many years ago, I accompanied a former college classmate to a class at his new college, the College of Marin. If I had kept my mouth shut, the professor wouldn’t have known that an unauthenticated student was in his class.)

Who is blocked from the educational institution?

At the same time, there are people who are clearly NOT allowed within the physical and/or virtual campus. Some of these people can enter campus with special permission, while some are completely blocked.

  • Former students. Once a student graduates, their privileges are usually revoked, and they need special permission if they want to re-enter campus to visit teachers or friends. (Admittedly this isn’t rigorously enforced.)
  • Expelled students. Well, some former students have a harder time returning to campus. If you brought a gun on campus, it’s going to be much harder for you to re-enter.
  • Former instructors, administrators, and staff. Again, people who leave the employ of the institution may not be allowed back, and certain ones definitely won’t be allowed back.
  • Non-custodial parents of minor students. In some cases, a court order prohibits a natural parent from contact with their child. So the educational institutions are responsible for enforcing this court order and ensuring that the minor student leaves campus only with someone who is authorized to take the child.
  • Others.

So how do you keep these people off campus? There are two ways.

  • If they’re not on the allowlist, they can’t enter campus anyway. As part of the identity verification process for authorized individuals, there is a list of people who can enter the campus. By definition, the 8 billion-plus people who are not on that “allowlist” can’t get on campus without special permission.
  • Sometimes they can be put on a blocklist. Or maybe you want to KNOW that certain people can’t enter campus. The inverse of an allowlist, people who are granted access, is a blocklist, people who are prevented from getting access. (You may know “blocklist” by the older term “blacklist,” and “allowlist” by the older term “whitelist.” The Security Industry Association and the National Institute of Standards and Technology recommend updated terminology.)

There’s just one teeny tiny problem with blocklists. Sometimes they’re prohibited by law.

In some cases (but not in others), a person is required to give consent before they are enrolled in a biometric system. If you’re the ex-student who was expelled for brining a gun on campus, how motivated will you be to allow that educational institution to capture your biometrics to keep you off campus?

And yes, I realize that the expelled student’s biometrics were captured while they were a student, but once they were no longer a student, the institution would have on need to retain those biometrics. Unless they felt like it.

This situation becomes especially sticky for campuses that use video surveillance systems. Like Chaffey High School.

Sign: "To reduce property damage to our facilities, this campus has installed a video surveillance system."
Chaffey High School, Ontario, California.

Now the mere installation of a video surveillance system does not (usually) result in legally prohibited behavior. It just depends upon what is done with the video.

  • If the video is not integrated with a biometric facial recognition system, there may not be an issue.
  • If Chaffey High School has its own biometric facial recognition system, then a whole host of legal factors may come into play.
  • If Chaffey High School does not have a biometric facial recognition system, but it gives the video to a police agency or private entity that does have a biometric facial recognition system, then some legal factors may emerge.

Or may not. Some facial recognition bans allow police use, and if this is true then Chaffey can give the footage to the police to use for authorized purposes. But if the jurisdiction bans police use of facial recognition, then people on the video can only be recognized manually. And you know how I feel about that.

Writing About Educational Identity

As you can see, educational identity is not as clear-cut as financial identity, both because financial institutions are more highly regulated and because blocklists are more controversial in educational identity. Vladimir Putin may not be able to open a financial account at a U.S. bank, but I bet he’d be allowed to enroll in an online course at a U.S. community college.

So if you are an educational institution or an identity firm who serves educational institutions, people who write for you need to know all of these nuances.

You need to provide the right information to your customers, and write it in a way that will motivate your customers to take the action you want them to take.

Speaking of motivating customers, are you with an identity firm or educational institution and need someone to write your marketing text?

  • Someone with 29 years of identity/biometric marketing experience?
  • Someone who understands that technological, organizational, and legal issues surrounding the use of identity solutions?
  • Someone who will explain why your customers should care about these issues, and the benefits a compliant solution provides to them?

If I can help you create your educational identity content, we need to talk.

Iris Recognition, Apple, and Worldcoin

(Part of the biometric product marketing expert series)

Iris recognition continues to make the news. Let’s review what iris recognition is and its benefits (and drawbacks), why Apple made the news last month, and why Worldcoin is making the news this month.

What is iris recognition?

There are a number of biometric modalities that can identify individuals by “who they are” (one of the five factors of authentication). A few examples include fingerprints, faces, voices, and DNA. All of these modalities purport to uniquely (or nearly uniquely) identify an individual.

One other way to identify individuals is via the irises in their eyes. I’m not a doctor, but presumably the Cleveland Clinic employs medical professionals who are qualified to define what the iris is.

The iris is the colored part of your eye. Muscles in your iris control your pupil — the small black opening that lets light into your eye.

From https://my.clevelandclinic.org/health/body/22502-iris
From Cleveland Clinic. (Link)

And here’s what else the Cleveland Clinic says about irises.

The color of your iris is like your fingerprint. It’s unique to you, and nobody else in the world has the exact same colored eye.

From https://my.clevelandclinic.org/health/body/22502-iris

John Daugman and irises

But why use irises rather than, say, fingerprints and faces? The best person to answer this is John Daugman. (At this point several of you are intoning, “John Daugman.” With reason. He’s the inventor of iris recognition.)

From https://www.cl.cam.ac.uk/~jgd1000/

Here’s an excerpt from John Daugman’s 2004 paper on iris recognition:

(I)ris patterns become interesting as an alternative approach to reliable visual recognition of persons when imaging can be done at distances of less than a meter, and especially when there is a need to search very large databases without incurring any false matches despite a huge number of possibilities. Although small (11 mm) and sometimes problematic to image, the iris has the great mathematical advantage that its pattern variability among different persons is enormous.

Daugman, John, “How Iris Recognition Works.” IEEE TRANSACTIONS ON CIRCUITS AND SYSTEMS FOR VIDEO TECHNOLOGY, VOL. 14, NO. 1, JANUARY 2004. Quoted from page 21. (PDF)

Or in non-scientific speak, one benefit of iris recognition is that you know it is accurate, even when submitting a pair of irises in a one-to-many search against a huge database. How huge? We’ll discuss later.

Brandon Mayfield and fingerprints

Remember that Daugman’s paper was released roughly two months before Brandon Mayfield was misidentified in a fingerprint comparison. (Everyone now intone “Brandon Mayfield.”)

From https://mayfieldlaw.weebly.com/about.html

If you want to know the details of that episode, the Department of Justice Office of the Inspector General issued a 330 page report (PDF) on it. If you don’t have time to read 330 pages, here’s Al Jazeera’s shorter version of Brandon Mayfield’s story.

While some of the issues associated with Mayfield’s misidentification had nothing to do with forensic science (Al Jazeera spends some time discussing bias, and Itiel Dror also looked at bias post-Mayfield), this still shows that fingerprints are remarkably similar and that it takes care to properly identify people.

Police agencies, witnesses, and faces

And of course there are recent examples of facial misidentifications (both by police agencies and witnesses), again not necessarily forensic science related, and again showing the similarity of faces from two different people.

Iris “data richness” and independent testing

Why are irises more accurate than fingerprints and faces? Here’s what one vendor, Iris ID, claims about irises vs. other modalities:

At the root of iris recognition’s accuracy is the data-richness of the iris itself. The IrisAccess system captures over 240 degrees of freedom or unique characteristics in formulating its algorithmic template. Fingerprints, facial recognition and hand geometry have far less detailed input in template construction.

Iris ID, “How It Compares.” (Link)

Enough about claims. What about real results? The IREX 10 test, independently administered by the U.S. National Institute of Standards and Technology, measures the identification (one-to-many) accuracy of submitted algorithms. At the time I am writing this, the ten most accurate algorithms provide false negative identification rates (FNIR) between 0.0022 ± 0.0004 and 0.0037 ± 0.0005 when two eyes are used. (Single eye accuracy is lower.) By the time you see this, the top ten algorithms may have changed, because the vendors are always improving.

IREX10 two-eye accuracy, top ten algorithms as of July 28, 2023. (Link)

While the IREX10 one-to-many tests are conducted against databases of less than a million records, it is estimated that iris one-to-many accuracy remains high even with databases of a billion people—something we will return to later in this post.

Iris drawbacks

OK, so if irises are so accurate, why aren’t we dumping our fingerprint readers and face readers and just using irises?

In short, because of the high friction in capturing irises. You can use high-resolution cameras to capture fingerprints and faces from far away, but as of now iris capture usually requires you to get very close to the capture device.

Iris image capture circa 2020 from the U.S. Federal Bureau of Investigation. (Link)

Which I guess is better than the old days when you had to put your eye right up against the capture device, but it’s still not as friendly (or intrusive) as face capture, which can be achieved as you’re walking down a passageway in an airport or sports stadium.

Irises and Apple Vision Pro

So how are irises being used today? You may or may not have hard last month’s hoopla about the Apple Vision Pro, which uses irises for one-to-one authetication.

From Apple, https://www.apple.com/apple-vision-pro/

I’m not going to spend a ton of time delving into this, because I just discussed Apple Vision Pro in June. In fact, I’m just going to quote from what I already said.

And when all of us heard about Vision Pro, one of the things that Apple shared about it was its verification technique. Not Touch ID or Face ID, but Optic ID. (I like naming consistency.)

From https://bredemarket.com/2023/06/12/vision-pro-not-revolutionary-biometrics-event/
From Apple, https://www.apple.com/105/media/us/apple-vision-pro/2023/7e268c13-eb22-493d-a860-f0637bacb569/anim/drawer-privacy-optic-id/large.mp4

In short, as you wear the headset (which by definition is right on your head, not far away), the headset captures your iris images and uses them to authenticate you.

It’s a one-to-one comparison, not the one-to-many comparison that I discussed earlier in this post, but it is used to uniquely identify an individual.

But iris recognition doesn’t have to be used for identification.

Irises and Worldcoin

“But wait a minute, John,” you’re saying. “If you’re not using irises to determine if a person is who they say they are, then why would anyone use irises?”

Enter Worldcoin, which I mentioned in passing in my early July age estimation post.

Over the past several years, I’ve analyzed a variety of identity firms. Earlier this year I took a look at Worldcoin….Worldcoin’s World ID emphasizes privacy so much that it does not conclusively prove a person’s identity (it only proves a person’s uniqueness)…

From https://bredemarket.com/2023/07/03/age-estimation/

That’s the only thing that I’ve said about Worldcoin, at least publicly. (I looked at Worldcoin privately earlier in 2023, but that report is not publicly accessible and even I don’t have it any more.)

Worldcoin’s July 24 announcement

I guess it’s time for me to revisit Worldcoin, since the company made a super-big splashy announcement on Monday, July 24.

From https://worldcoin.org/blog/announcements/worldcoin-project-launches

The Worldcoin Foundation today announced that Worldcoin, a project co-founded by Sam Altman, Alex Blania and Max Novendstern, is now live and in a production-grade state. 

The launch includes the release of the World ID SDK and plans to scale Orb operations to 35+ cities across 20+ countries around the world. In tandem, the Foundation’s subsidiary, World Assets Ltd., minted and released the Worldcoin token (WLD) to the millions of eligible people who participated in the beta; WLD is now transactable on the blockchain….

“In the age of AI, the need for proof of personhood is no longer a topic of serious debate; instead, the critical question is whether or not the proof of personhood solutions we have can be  privacy-first, decentralized and maximally inclusive,” said Worldcoin co-founder and Tools for Humanity CEO Alex Blania. “Through its unique technology, Worldcoin aims to provide anyone in the world, regardless of background, geography or income, access to the growing digital and global economy in a privacy preserving and decentralized way.”

From https://worldcoin.org/blog/announcements/worldcoin-project-launches

Worldcoin does NOT positively identify people…but it can still pay you

A very important note: Worldcoin’s purpose is not to determine identity (that a person is who they say they are). Worldcoin’s purpose is to determine uniqueness: namely, that a person (whoever they are) is unique among all the billions of people in the world. Once uniqueness is determined, the person can get money money money with an assurance that the same person won’t get money twice.

Recent WLD trading price, from https://coinmarketcap.com/currencies/worldcoin-org/

OK, so how are you going to determine the uniqueness of a person among all of the billions of people in the world?

Using the Orb to capture irises

As far as Worldcoin is concerned, irises are the best way to determine uniqueness, echoing what others have said.

Iris biometrics outperform other biometric modalities and already achieved false match rates beyond 1.2× ⁣10−141.2×10−14 (one false match in one trillion[9]) two decades ago[10]—even without recent advancements in AI. This is several orders of magnitude more accurate than the current state of the art in face recognition.

From https://worldcoin.org/blog/engineering/humanness-in-the-age-of-ai

So how is Worldcoin going to capture millions, and eventually billions, of iris pairs?

By using the Orb. (You may intone “the Orb” now.)

From https://worldcoin.org/blog/worldcoin/orb-faqs

To complete your Worldcoin registration, you need to find an Orb that will capture your irises and verify your uniqueness.

Now you probably won’t find an Orb at your nearby 7 Eleven; as I write this, there are only a little over 100 listed locations in the entire world where Orbs are deployed. I happen to live within 50 miles of Santa Monica, where an Orb was recently deployed (by appointment only, unavailable on weekends, and you know how I feel about driving on Southern California freeways on a weekday).

But now that you can get crypto for enrolling at an Orb, people are getting more excited about the process, and there will be wider adoption.

Whether this will make a difference in the world or just be a fad remains to be seen.

There Are Just Five Factors of Authentication. (I want the job.)

As some of you know, I’m seeking full-time employment after my former employer let me go in late May. As part of my job search, I was recently invited to a second interview for a company in my industry. Before that interview, I made an important decision about how I was going to present myself.

If you’ve read any of Bredemarket’s content, there are times when it takes a light tone, in which wildebeests roam the earth while engaging in marketing activities such as elaborating the benefits of crossing the stream.

By Danijel Mihajlovic – https://thenextcrossing.com/wildebeest-migration-kenya, CC BY-SA 4.0, https://commons.wikimedia.org/w/index.php?curid=96024366

Some of that DOES NOT fly in the corporate world. (For most companies, anyway.) If you analyze a wide selection of corporate blogs, you won’t see the word “nothingburger.” But you do here.

So as I prepared for this important job interview, I made sure that I was ready to discuss the five factors of authentication, and my deep experience as an identity content marketing expert with many of those factors.

The five factors of authentication, of course, are:

  • Something you know.
  • Something you have.
  • Something you are.
  • Something you do.
  • Somewhere you are.

“But wait a minute,” some of you are saying. “Didn’t you just say that there is a sixth factor of authentication, ‘Somewhat you why?'”

For the purposes of this job interview, there isn’t! I confined myself to the five factors only during the discussion, using examples such as passwords, driver’s licenses, faces, actions, and smartphone geolocation information.

But in the end, my caution was of no avail. I DIDN’T make it to the next stage of interviews.

Maybe I SHOULD have mentioned “Somewhat you why” after all.

Bredemarket’s Name for the Sixth Factor of Authentication

Depending upon whom you ask, there are either three or five factors of authentication.

Unless you ask me.

I say that there are six.

Let me explain.

First I’ll discuss what factors of authentication are, then I’ll talk about the three factor and five factor school, then I’ll briefly review my thoughts on the sixth factor—now that I know what I’ll call it.

What are factors of authentication?

Before proceeding to factors of authentication, let’s review TechTarget’s definition of authentication.

Authentication is the process of determining whether someone or something is, in fact, who or what it says it is.

From https://www.techtarget.com/searchsecurity/definition/authentication

For purposes of this post I’m going to stay away from the “something” part and concentrate on the “someone” part.

By USA International Trade Administration – https://www.youtube.com/watch?v=GLKDFhCjaY4, Public Domain, https://commons.wikimedia.org/w/index.php?curid=67067635

For example, if Warren Buffett has a bank account, and I claim that I am Warren Buffett and am entitled to take money from that bank account, I must complete an authentication process to determine whether I am entitled to Warren Buffett’s money. (Spoiler alert: I’m not.)

So how do I authenticate? There are many different ways to authenticate, which can be grouped into several authentication factors. Here’s how Sumo Logic defines “authentication factor.”

An authentication factor is a special category of security credential that is used to verify the identity and authorization of a user attempting to gain access, send communications, or request data from a secured network, system or application….Each authentication factor represents a category of security controls of the same type. 

From https://www.sumologic.com/glossary/authentication-factor/

When considering authentication factors, the whole group/category/type definition is important. For example, while a certain system may require both a 12-character password and a 4-digit personal identification number (PIN), these are pretty much the same type of authentication. It’s just that the password is longer than the PIN. From a security perspective, you don’t gain a lot by requiring both a password and a PIN. You would gain more by choosing a type of authentication that is substantially different from passwords and PIN.

How many factors of authentication are there?

So how do we define the factors of authentication? Different people have different definitions.

Three factors of authentication

For the most part, I believe that everyone agrees on at least three factors of authentication. As I noted in a prior post on factors of authentication, NIST defines the following three factors:

Factors include: (i) something you know (e.g. password/personal identification number (PIN)); (ii) something you have (e.g., cryptographic identification device, token); or (iii) something you are (e.g., biometric).

From https://csrc.nist.gov/glossary/term/Multi_Factor_Authentication, cited in https://bredemarket.com/2022/03/19/remember-the-newer-factors-of-authentication/

Note that NIST’s three factors are very different from one another. Knowing something (such as a password or a PIN) differs from having something (such as a driver’s license) or being something (a fingerprint or a face).

But some people believe that there are more than three factors of authentication.

Five factors of authentication

Let’s add two factors to the definition trumpeted by NIST. People such as The Cybersecurity Man have included all five in their definition.

  • Something you know.
  • Something you have.
  • Something you are.
  • Something you do.
  • Somewhere you are.

For more information, see my March 2021 post on the five factors of authentication.

But are there only five?

Six factors of authentication

In April 2022, I began wondering if there is a sixth authentication factor. While I struggled to put it into the “some xxx you xxx” format, I was able to encapsulate what this sixth factor was.

What about the authentication factor “why”?

This proposed factor, separate from the other factors, applies a test of intent or reasonableness to any identification request.

From https://bredemarket.com/2022/04/12/the-sixth-factor-of-multi-factor-authentication-you-heard-it-here-first/
Why is this man smoking a cigarette outdoors? By Marek Slusarczyk, CC BY 3.0, https://commons.wikimedia.org/w/index.php?curid=108924712

Over the months, I struggled through some examples of the “why” factor.

  • Why is a person using a credit card at a McDonald’s in Atlantic City? (Link) Or, was the credit card stolen, or was it being used legitimately?
  • Why is a person boarding a bus? (Link) Or, was the bus pass stolen, or was it being used legitimately?
  • Why is a person standing outside a corporate office with a laptop and monitor? (Link) Or, is there a legitimate reason for an ex-employee to gain access to the corporate office?

As I refined my thinking, I came to the conclusion that “why” is a reasonable factor of authentication, and that this was separate from the other authentication factors (such as “something you do”).

And the sixth factor of authentication is called…

You’ll recall that I wanted to cast this sixth authentication factor into the “some xxx you xxx” format.

So, as of today, here is the official Bredemarket list of the six factors of authentication:

  • Something you know.
  • Something you have.
  • Something you are.
  • Something you do.
  • Somewhere you are.

(Drumroll…)

  • Somewhat you why.

Yes, the name of this factor stands out from the others like a sore thumb (probably a loop).

From NIST’s FpVTE documentation https://www.nist.gov/system/files/documents/2021/07/19/ir_7123b_fpvte.pdf

However, the performance of this factor stands out from the others. If we can develop algorithms that accurately measure the “why” reasonableness of something as a way to authenticate identity, then our authentication capabilities will become much more powerful.

Testing My Sixth Authentication Factor on One Real and Two Imagined Corporate Office Visits

This is the third post in a series on my proposed sixth factor of authentication.

Perhaps you’ve heard people say there are three factors of authentication, or four factors of authentication, or five factors of authentication.

But what if there are six?

I know what you’re thinking, punk. You’re thinking: did he define 6 factors of authentication, or only 5? (Repurposing Dirty Harry, whose sixth bullet must have 404’ed.)

By unknown – Screenshot from the DVD version of the 1971 film Dirty Harry, extracted from Harry’s infamous “do ya feel lucky” monologue, Fair use, https://en.wikipedia.org/w/index.php?curid=6867681

Introduction: what are factors of authentication, anyway?

Authentication is the process of determining whether a person is truly THE person who is associated with a particular account, such as a computer login or a bank account.

Five authentication factors

There are many ways in which you can authenticate yourself, but (as I previously noted before starting the “6fa” series) all of these methods fall into up to five general categories, or “factors.”

  1. Something you know.
  2. Something you have.
  3. Something you are.
  4. Something you do.
  5. Somewhere you are.

By the way, if you provide a password, a PIN, your mother’s maiden name, and the name of your favorite pet, that is not four authentication factors, but four instances of the same authentication factor (something you know). And this is not a recipe for robust security.

From https://www.nist.gov/news-events/news/2009/04/new-nist-guidelines-organization-wide-password-management

For another example of multiple uses of the same factor, see kao’s post in Life in Hex.

What if there is a sixth authentication factor?

In April 2022, while I was consulting for the identity industry but not employed by it, I proposed a sixth authentication factor.

I’d like to propose a sixth authentication factor.

What about the authentication factor “why”?

This proposed factor, separate from the other factors, applies a test of intent or reasonableness to any identification request.

From https://bredemarket.com/2022/04/12/the-sixth-factor-of-multi-factor-authentication-you-heard-it-here-first/

Testing my theory

Two months later, I was employed in the identity industry, and therefore Bredemarket was pivoting away from identity consulting. But I was still musing about identity topics that had nothing to do with my employment, and decided to test my sixth authentication factor theory on a case in which a person, or possibly multiple persons, were boarding buses.

After I laid out the whole story, which involved capturing the times at which a person (or persons) boarded a bus, I wondered if there were really just five authentication factors after all.

Now I’ll grant that “why?” might not be a sixth factor of authentication at all, but may fall under the existing “something you do” category. This factor is normally reserved for gestures or touches. For example, some facial liveness detection methods require you to move your head up, down, right, or left on command to prove that you are a real person. But you could probably classify boarding a bus as “something you do.”

From https://bredemarket.com/2022/07/24/testing-my-sixth-authentication-factor-on-omnitrans-bus-passes/

So I tried to think of a “why” action that couldn’t be classified as “something you do.” But I didn’t think that hard, because I was busy in my day job, and I didn’t really need 6fa in my non-identity consulting work.

Well, that changed. So I’m revisiting the 6fa issue again, and this time I’ve devised a new test in which I visit two buildings over the course of three months. Can the sixth authentication factor truly confirm or deny my identity?

Why am I visiting a corporate office?

For this test, I will examine three instances—one real, two imagined—in which I visited a corporate office associated with a well-known identity verification firm.

No, not THAT firm. By Arne Müseler / http://www.arne-mueseler.com, CC BY-SA 3.0 de, https://commons.wikimedia.org/w/index.php?curid=78985341

As I consider whether I should be authenticated to enter the facility in question, I will use my proposed “why?” factor to measure whether there is a reasonable intent for me to be present, which could determine whether I pass or fail authentication.

Visit number one, April 2023

This visit really happened. One day I presented myself at a corporate office to be authenticated for entry.

If we use my six factors of authentication, should I be allowed in?

Let’s start with the first five factors:

  • Something you know, have, and are. Without disclosing confidential information about the corporate office’s security procedures, I can simply say that I satisfied all three of these factors.
  • Something you do. It is a matter of public record that the corporation that controls this corporate office does not employ active liveness, but instead employs passive liveness. Therefore I can disclose that when visiting this corporate office, I didn’t have to shake my head in one hundred different directions to prove that I was a live person.
  • Somewhere you are. It sounds silly, but let’s ask the question anyway. If I want to physically enter a corporate office, am I at that corporate office? It is possible to detect that my phone is there (something you have), but does that necessarily mean that I am there (something you are)? To simplify things, let’s assert that I passed the “somewhere you are” test, and that I was truly outside of the corporate office, waiting to get in.

Now let’s apply the sixth factor, why/intent/reasonableness. Was there a reason why I was standing outside the office door?

In this case, there was a reason why I was there. I was a member of the Marketing Department, and the entire Marketing Department was gathering for a week-long meeting at the corporate office. So my presence there was legitimate.

Authentication: PASSED.

Visit number two, June 2023

This visit never happened except in my imagination. But would would have occurred if I had presented myself at the corporate office this month?

Let’s start by going through the five authentication factors again.

  • Something you know, have, and are. Without disclosing confidential information, I can simply say that in this instance I would have failed at least one of the three authentication factors. Obviously not the “something you are” factor, since I was still the same person that I was two months previously, but I would have failed at least one of the other two.
  • Something you do. Again, no liveness testing, so “something you do” would not apply.
  • Somewhere you are. Let’s assert that I would have again passed the “somewhere you are” test, and that I was truly outside of the corporate office, waiting to get in.

So I’ve already failed one or two of the five authetication factors, but would I fail the sixth?

Yes, because there was no valid reason for me to enter the corporate office.

Why not?

Because by June 2023 I was no longer an employee, and therefore had no intent or reason to visit the corporate office. I didn’t work there, after all.

(And incidentally, this is why I would have failed one or two of the other authentication factors. Because I was no longer an employee, I no longer knew something and/or had something I needed to enter the office.)

Authentication: FAILED.

Visit number three, June 2023

This visit never happened either, except in my imagionation. Let’s assume all of the facts from visit number two, with one critical exception: I arrived at the corporate office carrying computer equipment.

So how does the authentication process unfold now?

  • Something you know, have, and are. The presence of computer equipment would not have changed these three authentication factors. I still would have passed the “something you are” factor and failed one or both of the other two. (In this instance, computer equipment does not count as “something you have.”)
  • Something you do. Again, no liveness testing, so “something you do” would not apply.
  • Somewhere you are. Let’s assert that I would have again passed the “somewhere you are” test, and that I was truly outside of the corporate office, waiting to get in.

Now let’s turn to the sixth authentication factor. No, I am not a current employee who is usually entitled to visit the corporate office, but my possession of computing equipment introduces a new variable into the why/intent/reasonableness factor.

Why? Because the computer equipment belonged to the company, and in this instance I would have been visiting the corporate office to return the computer equipment to the company.

Authentication: PASSED.

So I guess there IS a sixth authentication factor

And there you have it.

In visits number two and three, all of the standard five authentication factors provided identical results. In both instances:

  • I passed the something you are test.
  • I failed the something you know and/or the something you have test.
  • Something you do was never tested.
  • I passed the somewhere you are test.

But for visit number two authentication failed, while for visit number three authentication passed, solely on the basis of the sixth authentication factor. I had no valid reason to be at the corporate office…except to return the company’s equipment.

So the sixth authentication factor exists in theory, but it will take some work to make it a reality.

By en:User:Cburnett – This W3C-unspecified vector image was created with Inkscape ., CC BY-SA 3.0, https://commons.wikimedia.org/w/index.php?curid=1496812

So now how do I make a ton of money by bringing this sixth authentication factor to market?

As I said over a year ago…

Maybe I should speak to a patent attorney.

From https://bredemarket.com/2022/04/12/the-sixth-factor-of-multi-factor-authentication-you-heard-it-here-first/

Testing my sixth authentication factor on Omnitrans bus passes

I know that Bredemarket has pivoted away from full-time identity work in favor of part-time work with local businesses in Ontario, Eastvale, and other cities, but a recent local activity illustrated a possible identity issue that I’d like to explore here. So allow me this tangent; I’ll get back to my Ontario, California content marketing expert content later.

Identities and bus passes

Remember my trip to Eastvale yesterday? I had to use a bus to get there. And to do this, I bought a day pass.

Omnitrans Day Pass, July 23, 2022.

Now this is not the most robust proof of identity. As I recently noted in my JEBredCal blog (one of my other Google identities), it’s extremely easy for multiple people to use this day pass at different times during the day. Even the 7-day and 31-day passes, which must be signed and may be compared against an identity document, are not necessarily free from fraud.

However, this is not critical to Omnitrans, who would rather put up with a small amount of fraud than inconvenience its riders with multiple identity checks.

Identity proofing is more critical in some situations than it is in others.

From https://jebredcal.wordpress.com/2022/07/24/how-important-is-that-identity/.

Of course, if Omnitrans really wanted to, it could achieve the need for fraud prevention by using relatively frictionless forms of identity proofing. Rather than demaning to see a rider’s papers, Omnitrans could use passive methods to authenticate its riders. I won’t go into all the possible methods and their pros and cons here.

However, I would like to explore one possible identity proofing method to see if it would solve the Omnitrans pass use issue.

Returning to my sixth authentication factor

Can my self-proclaimed sixth factor of authentication provide a solution?

You’ll recall that many identity experts recognize five factors of authentication:

  • Something you know.
  • Something you are.
  • Something you have.
  • Something you do.
  • Somewhere you are.

Well, because I felt like it, I proclaimed a sixth factor of authentication.

  • Why?

I said, because I felt like it!

Whoops, “why?” is the sixth authentication factor. I still haven’t rendered it into the “somexxx you xxx” format yet.

Can Omnitrans use the “why?” factor to test the reasonableness that any particular trip is performed by the person who originally bought the pass?

Possibly.

Applying the “why?” question to bus boarding data

Assume the most challenging scenario, in which Omnitrans knows nothing about the person who purchases a 31-day pass. The person pays in cash and is wearing a face mask and sunglasses throughout the entire transaction. Therefore, the only identity information associated with the pass is the location where the pass was purchased, the date/time it was purchased, and some type of pass identification number. For this example, we’ll assume the pass number is 12345.

From https://community.webroot.com/tech-talk-7/world-password-day-movie-password-tier-list-351118

So Omnitrans really doesn’t know anything of importance about the holder of pass 12345…

…other than how it is used.

I’m making the assumption that Omnitrans logs information about every use of a pass. Since you don’t need to use your pass when you leave the bus, the only information available is when you board the bus.

So let’s look at some fake data.

Date and TimeBusLocation
Monday, July 25, 2022, 6:39 am87Euclid & Holt, Ontario
Monday, July 25, 2022, 6:35 pm87Amazon LGB3, Eastvale
Tuesday, July 26, 2022, 6:39 am87Euclid & Holt, Ontario
Tuesday, July 26, 2022, 6:35 pm87Amazon LGB3, Eastvale
Wednesday, July 27, 2022, 8:42 am87Euclid & Holt, Ontario
Wednesday, July 27, 2022, 6:35 pm87Amazon LGB3, Eastvale
Thursday, July 28, 2022, 6:39 am87Euclid & Holt, Ontario
Thursday, July 28, 2022, 6:35 pm87Amazon LGB3, Eastvale
Thursday, July 28, 2022, 7:20 pm61Plum & Holt, Ontario
Thursday July 28, 2022, 9:52 pm61Ontario Mills, Ontario
Friday, July 29, 2022, 6:39 am87Euclid & Holt, Ontario
Friday, July 29, 2022, 8:35 am87Amazon LGB3, Eastvale
Friday, July 29, 2022, 10:00 am66Vineyard & Foothill, Rancho Cucamonga
Friday, July 29, 2022, 11:26 am14Fontana Metrolink
Friday, July 29, 2022, 11:53 am82Fontana Metrolink
Friday, July 29, 2022, 12:08 pm66Fontana Metrolink
Hypothetical logging of trips on Omnitrans Pass 12345.

Even if you are not familiar with California’s Inland Empire, you can probably classify these trips into the following categories:

  • Trips that are probably legitimate.
  • Trips that may or may not be legitimate.
  • Trips that are probably fraudulent.
  • Trips that are definitely fraudulent.

For the most part, you can’t know with certainty about the legitimacy of most of these trips. Here’s a story that fits the facts.

  • Jack Jones starts his new job at Amazon on Monday, and works Monday and Tuesday with no incident. Jack overslept on Wednesday and was written up. He made sure to arrive at work on time Thursday, and at the end of the day he celebrated with a dinner at a restaurant in the Ontario Mills shopping center. After arriving at work on Friday, Sara Smith picked his pocket and took his pass, fleeing the scene an hour later and making her way to Fontana. She creates several clones of the bus pass and sells them at a discount before fleeing herself. Therefore, all trips beginning on Friday at 8:35 am are fraudulent.

But that might not be the true story. This one also fits the facts.

  • Jack Jones starts his new job at Amazon on Monday, and works Monday and Tuesday with no incident. On Wednesday Jack calls in sick, but lets his housemate Bob Brown (who also works at Amazon) use his pass on Wednesday and Thursday. By Thursday evening, Jack is feeling better, retrieves his pass from his housemate, and goes to Ontario Mills for the evening. On Friday Jack goes to work and is fired. He boards the 87, misses his stop in Ontario, and stays on the bus until he reaches Rancho Cucamonga. Despondent, he decides to visit his friend in Fontana. However, his Fontana friend, Sara Smile, secretly created several clones of Jack’s bus pass and sells them at a discount. Therefore, the Wednesday trips, the Thursday day trips, and all Friday trips beginning at 11:26 am are fraudulent.

Or perhaps some other set of facts fit the data.

  • It’s possible that the pass was stolen before it was ever used and all of the trips are fraudulent.
  • Or perhaps every trip before arriving in Fontana is legitimate, but how can we tell which one (if any) of the three trips from Fontana was undertaken by the true passholder?

But the data that Omnitrans captured provides a way to challenge the pass holder for possibly fraudulent trips.

  • If Omnitrans is really suspicious for some reason, it may choose to challenge every trip that didn’t take place at the “regular” times of 6:39 am or 6:35 pm. “Why are you boarding the 87 bus at this hour of the morning?” “Why are you boarding the 61 bus?”
  • Or Omnitrans may assume that all of the trips are reasonable and don’t necessitate a challenge. Yes, someone can go to work late. Yes, someone can go to Ontario Mills for the evening. Well, all of them are reasonable until Friday at 11:53 am, when a passholder boards a bus at the same location where the same passholder supposedly departed at 11:26 am.

Now even if strict identity checks are used with the “why?” statement, the data alone can’t detect all fraud. If Jack Jones and Bob Brown both work the day shift at Amazon, but on alternate days, how can Omnitrans detect the days when Jack Jones leaves Ontario at 6:39 am, vs. the days when Bob Brown leaves Ontario at 6:39 am?

Again, no identity proofing method is 100% foolproof.

But the “why?” question may detect some forms of fraud.

Or are there really only five factors of authentication after all?

Now I’ll grant that “why?” might not be a sixth factor of authentication at all, but may fall under the existing “something you do” category. This factor is normally reserved for gestures or touches. For example, some facial liveness detection methods require you to move your head up, down, right, or left on command to prove that you are a real person. But you could probably classify boarding a bus as “something you do.”

Anyway, thank you for engaging my tangent. If I can think of a “why?” example that doesn’t involve something you do, I’ll post it here. That will help me in my hopeful (?) quest to become the inventor of the sixth factor of authentication.

What about the businesses in cities where my bus trips took place?

But back to the businesses in Ontario, Eastvale, Rancho Cucamonga, Fontana, and other cities: need some content help? I can create esoteric long-winded content like this, or (what you probably want) more concise, customer-focused content that conveys your important message. My regular work includes case studies, white papers, proposal services, and other types of content. If you need someone to help you create this content:

The sixth factor of multi factor authentication (you heard it here first!)

As many of my readers know, there are a variety of ways for people to individually identify themselves.

The National Institute of Standards and Technology recognizes three of these authentication factors:

Password generator software screen
By Dominik Reichl – http://keepass.info/screenshots.html, GPL, https://commons.wikimedia.org/w/index.php?curid=1635930
  • The most commonly known authentication factor is “something you know.” This includes such items as passwords, personal identification numbers (PINs), and the name of your childhood pet. This authentication factor is very common and very controversial, to the point where some want to eliminate it altogether. (I don’t.)
  • Another authentication factor that I know very well is “something you are.” Biometrics such as fingerprint identification and facial recognition falls into this category, as well as gait recognition, “behavioral biometrics,” and other biometric identifiers.
  • The third authentication factor that NIST recognizes is “something you have.” This could be a driver’s license, a passport, a key fob, a smartphone, or perhaps a digital identity application.
Maryland driver's license of Kirk Noble Bloodsworth.
By State of Maryland – https://www.youtube.com/watch?v=fVVh-wt1FH0, Public Domain, https://commons.wikimedia.org/w/index.php?curid=93876613

But those aren’t the only authentication factors. Two others have been identified, as I have previously noted.

  • “Something you do” differs from both gait recognition and behavioral biometrics, because this is not an inherent property of your being, but is a deliberate set of actions on your part. For example, you could gain access to a nuclear facility by putting your left foot in, putting your left foot out, putting your left foot, in and shaking it all about. Note, however, that this particular “something you do” is as common as the password “12345” and should be avoided.
  • And the fifth factor is “somewhere you are.” For example, if I am buying something at a a store in Virginia, but I am physically in California, something appears to be wrong.
GPS network illustration
By Éric Chassaing – Own work, CC BY-SA 3.0, https://commons.wikimedia.org/w/index.php?curid=8876959

OK, that’s it. End of post. Those are the five authentication factors. There aren’t any more, and there never will be any more. Oh sure, you could come up with a sixth authentication factor, but chances are that it would map into one of the five existing authentication factors.

Or maybe not.

Why?

I’d like to propose a sixth authentication factor.

What about the authentication factor “why”?

This proposed factor, separate from the other factors, applies a test of intent or reasonableness to any identification request.

Man smoking a cigarette and stacking hats on a fire hydrant
Why is this man smoking a cigarette outdoors? By Marek Slusarczyk, CC BY 3.0, https://commons.wikimedia.org/w/index.php?curid=108924712

Let me give you an example. Assume for the moment that I am at a McDonald’s in Atlantic City and want to use my brand new credit card to buy some healthy Irish cuisine.

McDonald's food
Not in Atlantic City. By TeaLaiumens – Own work, CC BY-SA 4.0, https://commons.wikimedia.org/w/index.php?curid=37026979

You could, of course, apply the existing authentication factors to this transaction:

  • I physically have the credit card.
  • I know the PIN that is associated with the credit card.
  • My face matches the face of the person who owns the credit card.
  • I am physically at the McDonald’s where the food is for sale, and I physically have a hotel key associated with a nearby hotel, and I physically have a badge associated with a trade show in the city. (The latter two facts are actually a combination of “something you have” and “somewhere you are,” but I threw them here for the fun of it.)
  • If my credit card company has implemented it, I can perform the super secret finger pattern (or hokey pokey dance) associated with this account.

But even if all of these factors are authenticated, or even if some of them are not, does it make sense that I would be purchasing a meal at a McDonald’s in Atlantic City?

  • Did I recently book a flight and fly from my California home to Atlantic City? This could explain “why” I was there.
  • Is it lunchtime? This could explain “why” I was making this transaction.
  • Is my stomach growling? This could indicate that I am hungry, and could explain “why” I was at such a fine food establishment.

Admittedly, employing data warehousing and artificial intelligence to use the “why” factor to authenticate a small fast food purchase is overkill, just like it’s overkill to require three biometric identifiers and a passport to open a physical mailbox.

But perhaps use of such an authentication factor would be appropriate at a critical infrastructure facility such as a nuclear power plant.

nuclear power plant
By Avda – Own work, CC BY-SA 3.0, https://commons.wikimedia.org/w/index.php?curid=26894741

Assume for the moment that I am a double agent, employed the the U.S. Department of Energy but secretly a spy for an enemy country. All of the five authentication factors check out, and I am the person who is authorized to visit a particular nuclear power plant.

But why am I there?

Am I there for some regular U.S. Department of Energy business that is totally above board?

Or am I there for some other unknown reason, such as theft of secrets or even sabotage?

How to implement the “why?” authentication factor

I believe that a “why?” authentication factor could be very powerful, but it would take some effort to implement it.

First, the authentication system would have to access all the relevant data. In the McDonald’s example above, that includes (a) my flight data, (b) the time of day, and (c) my health data (“biometrics” in the broader sense). In the nuclear power plant example, the authentication system would have to know things such as nuclear power plant inspection schedules, trip authorizations from my supervisor, and other data that would indicate a reason for me to be at the plant. That’s a lot of data.

Neural network
By en:User:Cburnett – This W3C-unspecified vector image was created with Inkscape ., CC BY-SA 3.0, https://commons.wikimedia.org/w/index.php?curid=1496812

Second, the authentication system would have to process all the relevant data to glean knowledge from it. By itself, the data points “United Flight 123 from Ontario to Atlantic City yesterday,” “1:30 pm,” and “haven’t eaten in six hours” do not allow the system to make an authentication decision.

Third, the authentication system would have to collect and protect that mass of data in a way that protects my privacy and the privacy of others. In the United States at present, this is where the whole system would probably fall apart. While a whole bunch of data is collected about us and placed in silos (the TSA-airline silo, for example), putting it all together could be pretty scary to some. Although certain lawyers in Illinois would love the moneymaking opportunities that such a system could provide via Illinois Biometric Information Privacy Act lawsuits.

So a complete implementation of the “why” authentication factor is probably impossible for now, due to both technical and societal constraints.

But is it possible to implement a subset of the “why” authentication factor? For example, since a company presumably has access to employee corporate travel schedules, could the company use the knowledge of an employee’s flight from Chicago to Los Angeles on Sunday to provide the employee with physical access to the firm’s Southern California office on Monday?

Something to think about.

Maybe I should speak to a patent attorney.