Survey Says

So Deloitte announced the results of a survey earlier this month.

“The fifth annual Deloitte “Connected Consumer” survey reveals that consumers have a positive perception of their technology experiences and are increasingly embracing GenAI. However, they are determined to seek balance in their digital lives and expect trust, accountability, and transparency from technology providers.”

Deloitte conducted the survey BEFORE the RIBridges hack.

On the RIBridges Benefits System Hack

I originally worked with state benefits systems during my years at Printrak, and have performed analysis of such systems at Bredemarket. These systems store sensitive personal data of many Americans, including myself. And they are therefore a target for hackers.

The hack at RIBridges

A huge benefits system was hacked in Rhode Island, according to the State.

“On December 5, the State was informed by its vendor, Deloitte, that the RIBridges data system was the target of a potential cyberattack….”

That was just the beginning.

“On December 10, the State received confirmation from Deloitte that there had been a breach of the RIBridges system based on a screenshot of file folders sent by the hacker to Deloitte. On December 11, Deloitte confirmed that there is a high probability that the implicated folders contain personally identifiable information from RIBridges. On December 13, Deloitte confirmed there was malicious code present in the system, and the State directed Deloitte to shut RIBridges down to remediate the threat.”

RIBridges is…um…a bridge from Rhode Island residents to various Federally sponsored but State administered benefits programs, including:

  • Medicaid,
  • Supplemental Nutrition Assistance Program (SNAP),
  • Temporary Assistance for Needy Families (TANF),
  • Child Care Assistance Program (CCAP),
  • Health coverage purchased through HealthSource RI,
  • Rhode Island Works (RIW),
  • Long-Term Services and Supports (LTSS), and
  • General Public Assistance (GPA) Program

State benefits systems such as RIBridges are complex and often hosted on old infrastructure that requires modernization. (“Modernization” is a great buzzword to toss around when describing aging state computer systems, as I know from my years working with driver’s license and biometric identification systems.) The older and more complex the system, the easier it is to hack.

The history of RIBridges

This complexity is certainly true of Deloitte’s hacked RIBridges system.

As StateScoop noted in 2021:

“Gov. Daniel McKee…said the state will pay the firm $99 million over the next three years to manage and build out the RIBridges computer system….The firm has been developing the software, which handles the state’s Medicaid, SNAP and other welfare programs, since 2016, though delays and errors during (previous Governor) Raimondo’s administration caused the state to overspend by at least $150 million as of 2019, the last time the state renewed Deloitte’s contract.”

Why is Deloitte’s performance less than ideal? Anthony Kimery of Biometric Update explains the issues facing RIBridges.

“Federal agencies, including the federal Centers for Medicare and Medicaid Services, had warned Rhode Island before the system’s launch that it was not ready for deployment….RIBridges proceeded despite clear operational risks, leading to immediate and widespread problems. The launch resulted in significant disruptions to benefits distribution, with thousands of residents experiencing delays in receiving critical assistance. Backlogs soared, with more than 20,000 cases piling up due to system malfunctions.”

After much time and effort the backlogs decreased, but the treasure trove of personally identifiable information (PII) remained a target.

“As a central repository for sensitive personal data, including financial information and health records, RIBridges became a potential target for cyberattacks. Security audits revealed vulnerabilities in the system’s defenses….Cybercriminals exploited weaknesses in RIBridges to access sensitive data. The attackers bypassed existing security measures, inserted malicious code, and obtained unauthorized access. The breach exposed flaws in the system’s technical defenses and highlighted issues with its oversight and vendor management.”

The consequences for RIBridges applicants

So now the system is down, applicants are using paper forms, and a cyber criminal is requesting a payout.


If the World is Flat

(Part of the biometric product marketing expert series)

(August 1, 2025: image img_2522-1.jpg and video flat2412a-1_mp4_hd_1080p.original.jpg?h=1378 removed by request)

(also deleted related content on Bluesky, Facebook, LinkedIn, TikTok personal, and YouTube)

If the world is flat…

…there’s no need to look beyond the horizon.

…only the current quarter counts.

If you want to survive…

…think beyond the current quarter.

…invest in the long term.

…invest in product marketing.

…invest in a product marketer.

John E. Bredehoft on LinkedIn: LINK

I’m seeking a Senior Product Marketing Manager role in software (biometrics, government IDs, geolocation, identity and access management, cybersecurity, health) as an individual contributor on a collaborative team.

Key Accomplishments

  • Product launches (Confidential software product, Know Your Business offering, Morpho Video Investigator, MorphoBIS Cloud, Printrak BIS, Omnitrak).
  • Multiple enablement, competitive analysis, and strategy efforts.
  • Exploration of growth markets.

Multiple technologies.

Multiple industries.

Over 22 types of content.

Currently available for full-time employment or consulting work (Bredemarket).

More details on the latter at Bredemarket’s “CPA” page.

Digital Identity and Public Benefits

Both the U.S. National Institute of Standards and Technology and the Digital Benefits Hub made important announcements this morning. I will quote portions of the latter announcement.

The National Institute of Standards and Technology (NIST), the Digital Benefits Network (DBN) at the Beeck Center for Social Impact + Innovation at Georgetown University, and the Center for Democracy and Technology (CDT) are collaborating on a two-year-long collaborative research and development project to adapt NIST’s digital identity guidelines to better support the implementation of public benefits policy and delivery while balancing security, privacy, equity, and usability….

In response to heightened fraud and related cybersecurity threats during the COVID-19 pandemic, some benefits-administering agencies began to integrate new safeguards such as individual digital accounts and identity verification, also known as identity proofing, into online applications. However, the use of certain approaches, like those reliant upon facial recognition or data brokers, has raised questions about privacy and data security, due process issues, and potential biases in systems that disproportionately impact communities of color and marginalized groups. Simultaneously, adoption of more effective, evidence-based methods of identity verification has lagged, despite recommendations from NIST (Question A4) and the Government Accountability Office

There’s a ton to digest here. This impacts a number of issues that I and others have been discussing for years.

NIST’s own press release, by the way, can be found here.

A Few Thoughts on FedRAMP

The 438 U.S. federal agencies (as of today) probably have over 439 different security requirements. When you add state and local agencies to the list, security compliance becomes a mind-numbing exercise.

  • For example, the U.S. Federal Bureau of Investigation has its Criminal Justice Information Systems Security Policy (version 5.9 is here). This applies not only to the FBI, but also to any government agency or private organization that interfaces with the relevant FBI systems.
  • Similarly, the U.S. Department of Health and Human Services has its Health Insurance Portability and Accountability Act (HIPAA) Security Rule. Again, this also applies to private organizations.

But I don’t care about those. (Actually I do, but for the next few minutes I don’t.) Instead, let’s talk FedRAMP.

Why do we have FedRAMP?

The two standards that I mentioned above apply to particular government agencies. Sometimes, however, the federal government attempts to create a standard that applies to ALL federal agencies (and other relevant bodies). You can say that Login.gov is an example of this, although a certain company (I won’t name the company, but it likes to ID me) repeatedly emphasizes that Login.gov is not IAL2 compliant.

But forget about that. Let’s concentrate on FedRAMP.

Why do we have FedRAMP?

The Federal Risk and Authorization Management Program (FedRAMP®) was established in 2011 to provide a cost-effective, risk-based approach for the adoption and use of cloud services by the federal government. FedRAMP empowers agencies to use modern cloud technologies, with an emphasis on security and protection of federal information. In December 2022, the FedRAMP Authorization Act was signed as part of the FY23 National Defense Authorization Act (NDAA). The Act codifies the FedRAMP program as the authoritative standardized approach to security assessment and authorization for cloud computing products and services that process unclassified federal information.

From https://www.fedramp.gov/program-basics/.

Note the critical word “unclassified.” So FedRAMP doesn’t cover EVERYTHING. But it does cover enough to allow federal agencies to move away from huge on-premise server rooms and enjoy the same SaaS advantages that private entities enjoy.

Today, government agencies can consult a FedRAMP Marketplace that lists FedRAMP offerings the agencies can use for their cloud implementations.

A FedRAMP authorized product example

When I helped MorphoTrak propose its first cloud-based automated biometric identification solutions, our first customers were state and local agencies. To propose those first solutions, MorphoTrak partnered with Microsoft and used its Azure Government cloud. While those first implementations were not federal and did not require FedRAMP authorization, MorphoTrak’s successor IDEMIA clearly has an interest in providing federal non-classified cloud solutions.

When IDEMIA proposes federal solutions that require cloud storage, it can choose to use Microsoft Azure Government, which is now FedRAMP authorized.

It turns out that a number of other FedRAMP-authorized products are partially dependent upon Microsoft Azure Government’s FedRAMP authorization, so continued maintenance of this authorization is essential to Microsoft, a number of other vendors, and all the agencies that require secure cloud solutions.

They can only hope that the GSA Inspector General doesn’t find fault with THEM.

Is FedRAMP compliance worth it?

But assuming that doesn’t happen, is it worthwhile for vendors to pursue FedRAMP compliance?

If you are a company with a cloud service, there are likely quite a few questions you are asking yourself about your pursuits in the Federal market. When will the upward trajectory of cloud adoption begin? What agency will be the next to migrate to the cloud? What technologies will be migrated? As you move forward with your business development strategy you will also question whether FedRAMP compliance is something you should pursue?

The answer to the last question is simple: Yes. If you want the Federal Government to purchase your cloud service offering you will, sooner or later, have to successfully navigate the FedRAMP process.

From https://www.mindpointgroup.com/blog/fedramp-compliance-is-it-worth-it.

And a lot of companies are doing just that. But with fewer than 400 FedRAMP authorized services, there’s obviously room for growth.

Ransomware Doesn’t Celebrate a Holiday

Government Technology posted an article on a ransomware attack that affected Ardent Health Services facilities in multiple U.S. states, including Texas, Idaho, New Mexico, Oklahoma, New Jersey, and Kansas over Thanksgiving Day, requiring some ambulances to be diverted and some services suspended.


Government Technology observed:

The Thanksgiving timing of the attack is unlikely to be coincidental. Hackers are believed to see holiday weekends as an opportunity to strike while network defenders and IT are likely “at limited capacity for an extended time,” the Cybersecurity and Infrastructure Security Agency (CISA) has noted.

From https://www.govtech.com/security/ransomware-impacts-health-care-systems-in-six-states

And it’s not like the hackers are necessarily having to pass up on their turkey dinner. Few if any holidays are universal, and over 7 billion people (including many hackers) did NOT celebrate Thanksgiving last Thursday.

Does this mean that companies need to INCREASE security staff during holiday periods?

Is Your Healthcare Bot Healthy For You?

Robert Young (“Marcus Welby”) and Jane Wyatt (“Margaret Anderson” on a different show). By ABC Television, Public Domain, https://commons.wikimedia.org/w/index.php?curid=16472486

We’ve come a long way since the days of Marcus Welby, M.D. (who was a fictional character).

  • Back in the days of Marcus Welby, M.D., we trusted the doctor as the sole provider of medical information. Doctor knows best!
  • Later, we learned about health by searching the Internet ourselves, using sources of varying trustworthiness such as pharmaceutical company commercials.
  • Now, we don’t even conduct the searches ourselves, but let an artificial intelligence healthcare bot search for us, even though the bot hallucinates sometimes.

A “hallucination” occurs when generative AI is convinced that its answer is correct, even when it is wrong. These hallucinations could be a problem—in healthcare, literally a matter of life or death.

What can go wrong with AI healthcare?

The Brookings Institution details several scenarios in which reliance on artificial intelligence can get messy from a legal (and ethical) standpoint. Here is one of them.


For example, a counselor may tell a patient with a substance use disorder to use an app in order to track cravings, states of mind, and other information helpful in treating addiction. The app may recommend certain therapeutic actions in case the counselor cannot be reached. Setting aside preemption issues raised by Food and Drug Administration regulation of these apps, important questions in tort law arise. If these therapeutic actions are contraindicated and result in harm to the patient or others, is the app to blame? Or does the doctor who prescribed the app bear the blame?

From https://www.brookings.edu/articles/when-medical-robots-fail-malpractice-principles-for-an-era-of-automation/

Who is going to ensure that these bots can be trusted?

Who is concerned? Yes.

It seems to me they give these robot doctors now-a-days very peculiar names. Snapshot image from https://archive.org/details/ClassicComedyTeams, Public Domain, https://commons.wikimedia.org/w/index.php?curid=25914575

That’s right. WHO is going to ensure that these bots can be trusted.

A World Health Organization publication…

…underscores the critical need to ensure the safety and efficacy of AI systems, accelerating their availability to those in need and encouraging collaboration among various stakeholders, including developers, regulators, manufacturers, healthcare professionals, and patients.

From https://www.openaccessgovernment.org/who-outlines-responsible-regulations-needed-for-artificial-intelligence-in-healthcare/170622/

According to WHO, its document proposes six areas of artificial intelligence regulation for health.

  • To foster trust, the publication stresses the importance of transparency and documentation, such as through documenting the entire product lifecycle and tracking development processes.
  • For risk management, issues like ‘intended use’, ‘continuous learning’, human interventions, training models and cybersecurity threats must all be comprehensively addressed, with models made as simple as possible.
  • Externally validating data and being clear about the intended use of AI helps assure safety and facilitate regulation.
  • A commitment to data quality, such as through rigorously evaluating systems pre-release, is vital to ensuring systems do not amplify biases and errors.
  • The challenges posed by important, complex regulations – such as the General Data Protection Regulation (GDPR) in Europe and the Health Insurance Portability and Accountability Act (HIPAA) in the United States of America – are addressed with an emphasis on understanding the scope of jurisdiction and consent requirements, in service of privacy and data protection.
  • Fostering collaboration between regulatory bodies, patients, healthcare professionals, industry representatives, and government partners, can help ensure products and services stay compliant with regulation throughout their lifecycles.

From https://www.who.int/news/item/19-10-2023-who-outlines-considerations-for-regulation-of-artificial-intelligence-for-health

The 61-page document, “Regulatory considerations on artificial intelligence for health,” is available via https://iris.who.int/handle/10665/373421.

If You’re on the Biometric Digital Identity Prism, Enlighten Your Prospects

In marketing, move quickly.

On Saturday, September 30, FindBiometrics and Acuity Market Intelligence released their joint document on the Biometric Digital Identity Prism.

From https://findbiometrics.com/prism/ as of 9/30/2023.

For those who don’t know, the Prism presents an organized view of all of the digital identity companies—or at least the ones that FindBiometrics and Acuity Market Intelligence knew about. In the last few days, they were literally beggin’ to give companies a last chance for inclusion.

On Monday, I began to see a trickle of companies that talked about their place on the Prism, including iProov and Trustmatic.

But many companies remained silent. They have the right to do so, but it’s mystifying.

Why were they quiet?

What if they knew they had to say something…but they didn’t have someone to help them craft a statement?

Do you need to enlighten your prospects?

If you need help making your statement to your prospects and customers, perhaps Bredemarket can assist.

I’ve been in the industry for 29 years, and remember when the “Big 3” were a (mostly) different Big 3.

If the biometric content marketing expert can help you with identity blog post writing (or identity LinkedIn article writing or whatever), contact me and we can work together to position your company.

  • Book a meeting with me at calendly.com/bredemarket. Be sure to fill out the information form so I can best help you. 

The Difference Between Identity Factors and Identity Modalities

(Part of the biometric product marketing expert series)

I know that I’m the guy who likes to say that it’s all semantics. After all, I’m the person who has referred to five-page-long documents as “battlecards.”

But sometimes the semantics are critically important. Take the terms “factors” and “modalities.” On the surface they sound similar, but in practice there is an extremely important difference between factors of authentication and modalities of authentication. Let’s discuss.

What is a factor?

To answer the question “what is a factor,” let me steal from something I wrote back in 2021 called “The five authentication factors.”

Something You Know. Think “password.” And no, passwords aren’t dead. But the use of your mother’s maiden name as an authentication factor is hopefully decreasing.

Something You Have. I’ve spent much of the last ten years working with this factor, primarily in the form of driver’s licenses. (Yes, MorphoTrak proposed driver’s license systems. No, they eventually stopped doing so. But obviously IDEMIA North America, the former MorphoTrust, has implemented a number of driver’s license systems.) But there are other examples, such as hardware or software tokens.

Something You Are. I’ve spent…a long time with this factor, since this is the factor that includes biometrics modalities (finger, face, iris, DNA, voice, vein, etc.). It also includes behavioral biometrics, provided that they are truly behavioral and relatively static.

Something You Do. The Cybersecurity Man chose to explain this in a non-behavioral fashion, such as using swiping patterns to unlock a device. This is different from something such as gait recognition, which supposedly remains constant and is thus classified as behavioral biometrics.

Somewhere You Are. This is an emerging factor, as smartphones become more and more prevalent and locations are therefore easier to capture. Even then, however, precision isn’t always as good as we want it to be. For example, when you and a few hundred of your closest friends have illegally entered the U.S. Capitol, you can’t use geolocation alone to determine who exactly is in Speaker Pelosi’s office.

From https://bredemarket.com/2021/03/02/the-five-authentication-factors/

(By the way, if you search the series of tubes for reading material on authentication factors, you’ll find a lot of references to only three authentication factors, including references from some very respectable sources. Those sources are only 60% right, since they leave off the final two factors I listed above. It’s five factors of authentication, folks. Maybe.)

The one striking thing about the five factors is that while they can all be used to authenticate (and verify) identities, they are inherently different from one another. The ridges of my fingerprint bear no relation to my 16 character password, nor do they bear any relation to my driver’s license. These differences are critical, as we shall see.

What is a modality?

In identity usage, a modality refers to different variations of the same factor. This is most commonly used with the “something you are” (biometric) factor, but it doesn’t have to be.

Biometric modalities

The identity company Aware, which offers multiple biometric solutions, spent some time discussing several different biometric modalities.

[M]any businesses and individuals (are adopting) biometric authentication as it has been established as the most secure authentication method surpassing passwords and pins. There are many modalities of biometric authentication to pick from, but which method is the best?

From https://www.aware.com/blog-which-biometric-authentication-method-is-the-best/

After looking at fingerprints, faces, voices, and irises, Aware basically answered its “best” question by concluding “it depends.” Different modalities have their own strengths and weaknesses, depending upon the use case. (If you wear thick gloves as part of your daily work, forget about fingerprints.)

ID R&D goes a step further and argues that it’s best to use multimodal biometrics, in which the two biometrics are face and voice. (By an amazing coincidence, ID R&D offers face and voice solutions.)

And there are many other biometric modalities.

From Sandeep Kumar, A. Sony, Rahul Hooda, Yashpal Singh, in Journal of Advances and Scholarly Researches in Allied Education | Multidisciplinary Academic Research, “Multimodal Biometric Authentication System for Automatic Certificate Generation.”

Non-biometric modalities

But the word “modalities” is not reserved for biometrics alone. The scientific paper “Multimodal User Authentication in Smart Environments: Survey of User Attitudes,” just released in May, includes this image that lists various modalities. As you can see, two of the modalities are not like the others.

From Aloba, Aishat & Morrison-Smith, Sarah & Richlen, Aaliyah & Suarez, Kimberly & Chen, Yu-Peng & Ruiz, Jaime & Anthony, Lisa. (2023). Multimodal User Authentication in Smart Environments: Survey of User Attitudes. Creative Commons Attribution 4.0 International.

  • The three modalities in the middle—face, voice, and fingerprint—are all clearly biometric “something you are” modalities.
  • But the modality on the left, “Make a body movement in front of the camera,” is not a biometric modality (despite its reference to the body), but is an example of “something you do.”
  • Passwords, of course, are “something you know.”

In fact, each authentication factor has multiple modalities.

  • For example, a few of the modalities associated with “something you have” include driver’s licenses, passports, hardware tokens, and even smartphones.

Why multifactor is (usually) more robust than multimodal

Modalities within a single authentication factor are more closely related to one another than modalities drawn from different authentication factors. As I mentioned above when talking about factors, there is no relationship between my fingerprint, my password, and my driver’s license. However, there is SOME relationship between my driver’s license and my passport, since the two share some common information such as my legal name and my date of birth.

What does this mean?

  • If I’ve fraudulently created a fake driver’s license in your name, I already have some of the information that I need to create a fake passport in your name.
  • If I’ve fraudulently created a fake iris, there’s a chance that I might already have some of the information that I need to create a fake face.
  • However, if I’ve bought your Coinbase password on the dark web, that doesn’t necessarily mean that I was able to also buy your passport information on the dark web (although it is possible).

Therefore, while multimodal authentication is better than unimodal authentication, multifactor authentication is usually better still (unless, as Incode Technologies notes, one of the factors is really, really weak).
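
The factor/modality distinction can be checked mechanically when reviewing login policies. The following is an added example, not code from the original post: it flags policies that combine several modalities without reaching two distinct, strong factors. The modality labels, the `WEAK_MODALITIES` set, and the sample policies are assumptions constructed for illustration.

```python
from dataclasses import dataclass, field

# Modality -> factor, following the five factors listed in the post.
# The modality labels themselves are constructed for this example.
FACTOR_OF = {
    "password": "something you know",
    "pin": "something you know",
    "security_question": "something you know",
    "drivers_license": "something you have",
    "passport": "something you have",
    "hardware_token": "something you have",
    "smartphone": "something you have",
    "fingerprint": "something you are",
    "face": "something you are",
    "voice": "something you are",
    "iris": "something you are",
    "swipe_pattern": "something you do",
    "body_movement": "something you do",
    "geolocation": "somewhere you are",
}

# Assumption: modalities treated as too weak to count toward multifactor.
WEAK_MODALITIES = {"security_question", "geolocation"}


@dataclass
class Verdict:
    label: str            # "unimodal", "multimodal" or "multifactor"
    factors: list         # distinct factors covered, sorted
    effective_mfa: bool   # True only with two or more strong, distinct factors
    findings: list = field(default_factory=list)


def classify(modalities):
    """Classify one login policy given the modalities it requires."""
    unknown = [m for m in modalities if m not in FACTOR_OF]
    if unknown:
        raise ValueError(f"unknown modality: {unknown}")
    distinct = sorted(set(modalities))
    if not distinct:
        raise ValueError("policy lists no modalities")

    factors = sorted({FACTOR_OF[m] for m in distinct})
    strong = {FACTOR_OF[m] for m in distinct if m not in WEAK_MODALITIES}
    findings = []

    if len(distinct) == 1:
        label = "unimodal"
    elif len(factors) == 1:
        # Several modalities, one factor: related secrets, related failure.
        label = "multimodal"
        findings.append(f"{len(distinct)} modalities share one factor: {factors[0]}")
    else:
        label = "multifactor"

    weak_used = [m for m in distinct if m in WEAK_MODALITIES]
    if weak_used:
        findings.append(f"weak modality not counted: {', '.join(weak_used)}")

    return Verdict(label, factors, len(strong) >= 2, findings)


def audit(policies):
    """Return names of policies lacking two strong, distinct factors."""
    return sorted(n for n, mods in policies.items()
                  if not classify(mods).effective_mfa)


# Constructed sample policies, not taken from any real system.
SAMPLE_POLICIES = {
    "portal": ["password", "security_question"],
    "admin_console": ["password", "hardware_token"],
    "kiosk": ["face", "voice"],
    "mobile_app": ["fingerprint", "geolocation"],
}

if __name__ == "__main__":
    for name, mods in SAMPLE_POLICIES.items():
        print(name, classify(mods))
    print("needs review:", audit(SAMPLE_POLICIES))
```

Two checks that look like "two-step" login on paper, such as a password plus a security question, come out as multimodal rather than multifactor here, which is the gap the section describes.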

Can an identity content marketing expert help you navigate these issues?

As you can see, you need to be very careful when writing about modalities and factors.

You need a biometric content marketing expert who has worked with many of these modalities.

Actually, you need an identity content marketing expert who has worked with many of these factors.

So if you are with an identity company and need to write a blog post, LinkedIn article, white paper, or other piece of content that touches on multifactor and multimodal issues, why not engage with Bredemarket to help you out?

If you’re interested in receiving my help with your identity written content, contact me.