This morning I was attending a NIST webinar on mobile driver’s license use at financial institutions, and began looking at the services I could access in April 2026 with my California mobile driver’s license—financial and otherwise.
But today I learned that some services are NOT available with the mDL in my Apple Wallet, but ONLY while using the “CA DMV Wallet” app.
So I downloaded the app, which I last used in my initial unsuccessful attempt to obtain an mDL. (I finally used Apple’s facility to get one.) I assumed that since I already had my mDL in my Apple Wallet, it would automatically show up in the app.
You know what happens when you assume. My buddy Google Gemini pointed it out to me.
“It’s a common point of confusion, but the Apple Wallet and the CA DMV Wallet app are actually two separate “containers” for your digital ID. Because California uses a secure, decentralized system, your mDL doesn’t automatically sync between them. Even if it’s already in your Apple Wallet, you have to go through a separate enrollment process to “provision” it into the DMV’s official app.”
Which meant that I had to enroll again and get another decentralized mDL, which I did. (After some difficulty; it took four separate attempts to capture my facial image, which was only successful when I went into a very dark room.)
Now that my mDL is in this second wallet, I could go ahead an enroll in the TruAge program for age verification at a private retailer.
Google Gemini.
As I type this, TruAge hasn’t processed my application.
And now for a word from our sponsor
Mobile driver’s licenses are a digital form of “something you have,” which is a factor of identity verification and authentication.
Would you like to learn about all six of the identity verification and authentication factors? (Not three. Not five.)
“I think too much knowledge is actually bad in tech: you’re biased.”
Why does this quote affect me so deeply? Because with my 30-plus years of identity/biometric experience, I obviously have too much knowledge of the industry, which is obviously bad. After all, all a biometric company needs is a salesperson, an engineer, an African data labeler, and someone to run the generative AI for everything else. The company doesn’t need someone who knows that Printrak isn’t spelled with a C.
Google Gemini.
In this post I will share three of the “biases” I have developed in my 30-plus years in identity and biometrics, and how to correct these biases by stripping away that 20th century experience and applying novel thinking.
And if that last paragraph made you throw up in your mouth…read to the end of the post.
But first, let’s briefly explore these three biases that I shamefully hold due to my status as a biometric product marketing expert:
Independent algorithmic confirmation is valuable.
Process is valuable.
Artificial intelligence is merely a tool.
Biometric product marketing expert.
Bias 1: Independent Algorithmic Confirmation is Valuable
But how do prospects know that these algorithms work? How accurate are they? How fast are they? How secure are they?
My bias
My brain, embedded with over 30 years of bias, gravitates to the idea that vendors should submit their algorithms for independent testing and confirmation.
From a NIST facial recognition demographic bias text.
This could be an accuracy test such as the ones NIST and DHS administer, or confirmation of presentation attack detection capabilities (as BixeLab, iBeta, and other organizations perform), or confirmation of injection attack detection capabilities.
Novel thinking
But you’re smarter than that and refuse to support the testing-industrial complex. They have their explicit or implicit agendas and want to force the biometric vendors to do well on the tests. For example, the U.S. Federal Bureau of Investigation’s “Appendix F” fingerprint capture quality standard specifically EXCLUDES contactless solutions, forcing everyone down the same contact path.
But you and your novel thinking reject these unnecessary impediments. You’re not going to constrain yourself by the assertions of others. You are going to assert your own benefits. Develop and administer your own tests. Share with your prospects how wonderful you are without going through an intermediary. That will prove your superiority…right?
Bias 2: Process is Valuable
A biometric company has to perform a variety of tasks. Raise funding. Hire people. Develop, market, propose, sell, and implement products. Throw parties.
How will the company do all these things?
My bias
My brain, encumbered by my experience (including a decade at Motorola), persists in a belief that process is the answer. The process can be as simple as scribblings on a cocktail napkin, but you need some process if you want to cash out in a glorious exit—I mean, deliver superior products to your customers.
Perhaps you need a development processs that defines, among other things, how long a sprint should be. A capture and proposal process (Shipley or simpler) that defines, among other things, who has the authority to approve a $10 million proposal A go-to-market process that defines the deliverables for different tiers, and who is responsible, accountable, consulted, and informed. Or maybe just an onboarding process when starting a new project, dictating the questions you need to ask at the beginning.
Bredemarket’s seven questions. I ask, then I act.
Novel thinking
Sure all that process is fine…if you don’t want to do anything. Do you really want to force your people to wait two weeks for the latest product iteration? Impose a multinational bureauracy on your sales process? Go through an onerous checklist before marketing a product?
Google Gemini.
Just code it.
Just sell it.
Just write it.
Bias 3: Artificial Intelligence is Merely a Tool
The problem with experienced people is that they think that there is nothing new under the sun.
You talk about cloud computing, and they yawn, “Sounds like time sharing.” You talk about quantum computing, and they yawn, “Sounds like the Pentium.” You talk about blockchain, and they yawn, “Sounds like a notary public.”
My bias
As I sip my Pepperidge Farm, I can barely conceal my revulsion at those who think “we use AI” is a world-dominating marketing message. Artificial intelligence is not a way of life. It is a tool. A tool that in and of itself does not merit much of a mention.
Google Gemini.
How many automobile manufacturers proclaim “we use tires” as part of their marketing messaging? Tires are essential to an automobile’s performance, but since everyone has them, they’re not a differentiator and not worthy of mention.
In the same way, everyone has AI…so why talk about its mere presence? Talk about the benefits your implementation provides and how these benefits differentiate you from your competitors.
Novel thinking
Yep, the grandpas that declare “AI is only a tool” are missing the significance entirely. AI is not like a Pentium chip. It is a transformational technology that is already changing the way we create, sell, and market.
Therefore it is critically important to highlight your product’s AI use. AI isn’t a “so what” feature, but an indication of revolutionary transformative technology. You suppress mention of AI at your own peril.
How do I overcome my biases of experience?
OK, so I’ve identified the outmoded thinking that results from too much experience. But how do I overcome it?
I don’t.
Because if you haven’t already detected it, I believe that experience IS valuable, and that all three items above are essential and shouldn’t be jettisoned for the new, novel, and kewl.
Are you a identity/biometric marketing leader who needs to tell your prospects that your algorithms are validated by reputable independent bodies?
Or that you have a process (simple or not) that governs how your customers receive your products?
Or that your AI actually does unique things that your competitors don’t, providing true benefits to your customers?
Bredemarket can help with strategy, analysis, content, and/or proposals for your identity/biometric firm. Talk to me (for free).
By the way, here’s MY process (and my services and pricing).
Don’t get violent at a Transportation Security Administration (TSA) checkpoint. If you do, you may not fly anywhere…or drive or walk anywhere either.
Here’s the story of a man named Idress Vinay Solomon who was preparing to board a Southwest Airlines flight from Dallas’ Love Field to Oakland on March 10. Somehow Mr. Solomon missed the memo that you need a REAL ID or equivalent to board a plane. Something that has been discussed for decades, since passage of the Real ID Act of 2005.
But as readers of the Bredemarket blog know, despite years of declarations that you must have a REAL ID to fly, you don’t need one. The TSA launched ConfirmID this year, an alternate identity confirmation service for those who don’t have approved identity documentation. You pay $45, and TSA confirms your identity via other methods.
“[T]he Oakland resident allegedly started reacting aggressively and attacked the officers present. During this incident, he punched a [Dallas Police Department] officer multiple times, resulting in the officer suffering an “orbital blowout fracture” in his left eye.”
“A blowout fracture is the most common type of orbital fracture. This fracture is a break along the floor or thin inner wall of your eye socket. Getting hit in the eye with something like a fist or a baseball most often causes blowout fractures.”
The Cleveland Clinic does not indicate whether iris identification is affected by blunt force trauma.
But let’s return to “Love” Field.
The police officer was hospitalized, and Solomon remains in custody. If convicted, he could face up to 20 years in federal prison, as confirmed by the Department of Justice.
“Violent conduct perpetrated against TSA and law enforcement officers will never be tolerated in the Northern District of Texas,” said U.S. Attorney Ryan Raybould. “We will prosecute such offenses to the fullest extent to seek justice for the victims here and to deter others from resorting to aggressive attacks against officers responsible for ensuring the public’s safety while traveling.”
Remember when people were told that REAL ID would be mandatory? Beginning on whatever date REAL ID became mandatory…it became mandatory. If you didn’t have REAL ID, or another acceptable form of identification (AFOID), you weren’t getting on that plane. (Among other things.)
Well, that was a lie.
As I noted in December, the Transportation Security Administration was officially allowing an alternative acceptable form of identification (AAFOID???). An item ran in the Federal Register with this text:
“The Transportation Security Administration (TSA) is launching a modernized alternative identity verification program for individuals who present at the TSA checkpoint without the required acceptable form of identification (AFOID), such as a REAL ID or passport. This modernized program provides an alternative that may allow these individuals to gain access to the sterile area of an airport if TSA is able to establish their identity.”
But there was going to be a fee.
“To address the government-incurred costs, individuals who choose to use TSA’s modernized alternative identity verification program will be required to pay an $18 fee.”
Well, that was a lie. (Yes, “Lyin’ Eyes” is still on my mind.)
Here’s a quote from TSA’s February 5 press release:
“Passengers without REAL IDs or other acceptable forms of identification have the option to use TSA ConfirmID by paying a $45 fee for a 10-day travel period.”
For those who are math-challenged, $45 is over twice as much as $18.
TSA’s hope of course is that if the law won’t force you to get a REAL ID, money will.
The image at the top of this post was taken from the NIST website and is a from an interoperability slide in a 2016 FBI presentation. Although the reference to “IAFIS” suggests that the image was created long before 2016. No NGI, and no HART either.
Because—while this may make some uncomfortable—biometric interoperability between the Departments of Defense, Homeland Security, and Justice is critically important.
For years after 9/11, the (then) systems from the three Departments were NOT interoperable.
Which made it difficult to identify if a military person or citizenship applicant was a criminal.
Today, while the three current systems use three different data interchange standards (based upon work by NIST), they CAN talk to each other.
We just have to ensure that the interoperability is legal and proper.
This fact, and other irregularities in the visas and passports of the 9/11 hijackers, directly led to the mandate that the U.S. implement biometric exit…which has been delayed more often than REAL ID.
In theory, enforcement of visa expirations with biometric exit is simple.
If you can tell who has entered a country and who has left a country, then you can identify people who have NOT left the country, but whose visas have expired.
And you can tell entries and exits via biometrics, as long as a person’s biometrics are acquired through the passport and/or visa process.
So if biometric exit had existed in January 2001, then a (theoretically) quick check could show that al-Hazmi had NOT left the United States and was still here on an expired visa. He could have been kicked out of the country and barred from returning, and therefore wouldn’t be on a plane on September 11.
The only problem is that EVERYONE needs to be processed when leaving the country for the system to work. At a minimum, anyone who cannot prove U.S. citizenship would have to have their biometrics captured. Or just make it easy and capture everyone’s biometrics as they leave the United States.
“The coalition—led by the Electronic Frontier Foundation, the American Civil Liberties Union and the Canadian-U.S. cross-border group OpenMedia—contends that capturing images of lawful permanent residents exceeds DHS’s statutory mandate and creates a de-facto travel dossier vulnerable to data breaches.”
“THE DEPARTMENT OF Homeland Security is moving to consolidate its face recognition and other biometric technologies into a single system capable of comparing faces, fingerprints, iris scans, and other identifiers collected across its enforcement agencies, according to records reviewed by WIRED.”
But those very “records reviewed by WIRED” include this statement:
“This RFI is for planning purposes only and shall not be construed as an obligation on the part of the Government. This is NOT a Request for Quotations or Proposals. No solicitation document exists, and a formal solicitation may or may not be issued by the Government as a result of the responses received to this RFI.”
And even if this actually WAS a true procurement…HART was originally announced during the Obama administration in 2016. Ten years later, it still hasn’t happened.
Most technology publications, with the notable exception of IPVM, are at least partially funded by the companies they cover. Therefore there’s an unavoidable tension between keeping the advertisers happy and casting a critical eye on the industry.
I accept this tension because it applies to Bredemarket itself. Although my clients are absolutely wonderful, there may emerge a future situation where they may be less than perfect. So naturally I have to watch my tongue.
As does Biometric Update.
Remember when IDloop asserted it offered “the world’s first FBI-certified 3D contactless fingerprint scanner,” and Biometric Update reported the claim with no comment? I said at the time:
“Biometric Update reports news as reported, and I don’t think it’s Biometric Update’s purpose to poke holes in vendor claims.”
But then Biometric Update ran a more recent story.
They said that?
Bear in mind that Biometric Update’s advertisers include vendors who offer identity document validation solutions: either their own, or from a third party.
And Biometric Update’s recent story basically said that these solutions are a toxic dumpster fire.
OK, not in those words. Biometric Update is Canadian owned, and if the publication used the words “toxic dumpster fire” it would never stop apologizing.
Not just ineffective, DISASTROUSLY ineffective. Ouch.
For those not up in their acronyms, the Department of Homeland Security’s (DHS) latest annual round of tests was called the Remote Identity Validation Rally (RIVR).
DHS set performance goals for the submitted entries and publicized the (anonymous) results.
“Four of the seven subsystems tested met the goal for system error rate. Four did not meet the threshold for FRR, and five fell short in FAR. In other words, most systems let too few legitimate IDs through, even more passed too many fraudulent IDs, and six of seven fell short on one or both sides of the assessment.”
Google Gemini.
Biometric Update didn’t reveal the…um…identity of the one vendor that performed acceptably. But that vendor may self-reveal soon enough.
On anonymity
Why do testing entities sometimes allow participants to remain anonymous?
Because they want participants.
Some biometric tests are NOT designed to identify the best algorithms, but are instead designed to view the state of the industry. And that’s what this test performed with document validation.
Presumably a future test—POND, or Performance Of Notable Documents—will measure the future state-of-the-art of identity document validation.
An interesting Request for Information (Notice ID 70RDA126RFI000003) for a multi-biometric matching system was posted on SAM.gov on Friday, and it’s turning some heads. But is YOUR organization reading an RFI that is turning YOUR heads?
Bear in mind that this is a Request for INFORMATION, not a Request for PROPOSAL. And this is made clear in the document:
“This RFI is for planning purposes only and shall not be construed as an obligation on the part of the Government. This is NOT a Request for Quotations or Proposals. No solicitation document exists, and a formal solicitation may or may not be issued by the Government as a result of the responses received to this RFI.”
Forget the technical requirements…look at the BUSINESS requirements
Now I could get into the…um…minutiae of the request for information about a biometric matching system, the requirements for everything from presentation attack detection to on-premise/hybrid/cloud deployments, and a host of other things.
But in this case, the business requirements outweigh the technical requirements…by a LONG shot.
“The Department of Homeland Security (DHS) is seeking an enterprise-wide, scalable, and secure biometric matching software solution to support mission-critical identity verification, vetting, and investigative operations across all DHS Components, including CBP, ICE, TSA, USCIS, USSS, and Headquarters. The contractor will provide a DHS-wide enterprise license for multi-modal biometric matching software, along with all associated services, integration support, maintenance, and technical assistance necessary for full operational deployment.”
And in the next section:
“DHS is looking to acquire an enterprise-wide biometric matching software solution, including all licenses, services, and technical support necessary to enable seamless integration with all DHS biometric systems.”
Matching for ALL DHS components, and integration with ALL DHS biometric systems. This could just be a teeny system for limited operations…or it could be a super system. Since they’re asking about scalability, potential respondents should probably assume the latter.
So we’re talking loads of money.
Of course it could be scaled way down when or if a final RFP comes along. And maybe the vast expanse of the RFI is merely designed to get system integrators to drool.
Incidentally, Bredemarket offers proposal services to assist identity/biometric vendors in RFI and RFP responses such as this one. Over the years my proposals have won over $50 million in business. Presumably the respondents to this RFI have full proposal staffs (or maybe not), but if YOUR organization requires RFI and RFP assistance, schedule a meeting with Bredemarket.
Bredemarket services, process, and pricing.
(2/17/2026: See Anthony Kimery’s assessment of the RFI here.)
I was working with these sectors back when I was at MorphoTrak.
“There are 16 critical infrastructure sectors whose assets, systems, and networks, whether physical or virtual, are considered so vital to the United States that their incapacitation or destruction would have a debilitating effect on security, national economic security, national public health or safety, or any combination thereof. Presidential Policy Directive 21 (PPD-21): Critical Infrastructure Security and Resilience advances a national policy to strengthen and maintain secure, functioning, and resilient critical infrastructure. This directive supersedes Homeland Security Presidential Directive 7.”
Bredemarket 