Some technical marketers are expert at spinning soft fluffy stories about how their AI-powered toilet paper can cure cancer…which can be very persuasive as long as the prospects don’t ask any questions.
For example, let’s say you’re telling a Chick-fil-A in Kettering, Ohio that you’ll keep 17 year olds out of their restaurant. Are you ready when the prospect asks, “How do you KNOW that the person without ID is 17 years and 359 days old, and is not 18?”
Or let’s say you’re telling a state voter agency that you’ll enforce voter ID laws. Are you ready when the prospect asks, “How do you KNOW that the voter ID is real and not fake? Or that it is fake and not real?”
Be prepared to answer the tough questions. Expert testimonials. Independent assessments of your product’s accuracy. Customer case studies.
Analyze your product’s weaknesses. (And the threats, if you’re a SWOT groupie.)
For our purposes, the big difference between IAL2 and IAL3 is that IAL2 allows “either remote or physically-present identity proofing,” while IAL3 requires “[p]hysical presence” for identity proofing. However, the proofing agent may “attend the identity proofing session via a CSP-controlled kiosk or device.” In other words, supervised enrollment.
“IAL3 is reserved for high-risk environments such as sensitive government services.”
How are solutions approved for a particular Identity Assurance Level?
Now I could get on my product marketing soapbox and loudly proclaim that my service is IAL2 compliant, or IAL3 compliant, or IAL4 compliant. (“What? You don’t know about IAL4? Obviously you’re not authorized to know about it.”)
“Available to Credential Service Providers offering Full or Component Credential Management Services. Modeled on best practice (drawing from, among other sources, ISO/IEC 27001, ISO/IEC 29115), this Class of Approval ensures the provider organization’s good standing and management / operational practices and assesses criteria which are derived strictly from NIST SP 800-63 rev.3 requirements, ensuring a conformant technical provision of the provider organization’s service.”
You see that the Kantara Initiative doesn’t even offer an approval for IAL1, just for IAL2 and IAL3.
It also offers approvals for AAL2 and AAL3. I’ve previously discussed Authenticator Assurance Levels (AALs) in this post. Briefly, IALs focus on the initial identity proofing, while AALs focus on the authentication of a proven identity.
Component Services IAL2 approvals…and an IAL3 approval
Now if you go to the Kantara Initiative’s Trust Status List and focus on the Component Services, you’ll see a number of companies and their component services which are approved for NIST 800-63 rev.3 and offer an assurance level of IAL2.
With one exception.
“NextgenID Trusted Services Solution provides Supervised Remote Identity Proofing identity stations to collect, review, validate, proof, and package IAL-3 identity evidence and enrollment data for CSPs operating at IAL-3. The NextGenID TSS Identity Stations enable remote operators to remotely supervise NIST SP 800-63A compliant Supervised Remote Identity Proofing (SRIP) sessions for credentialing.”
So if remote identity assurance is not good enough for you, there’s a solution. I’ve already discussed NextgenID’s SUPERVISED remote identity proofing in this post. And there’s a video.
But clearly biometric product marketers are paying attention to the identity assurance levels…at least the real ones (not IAL4). But are they communicating benefit-oriented messages to their prospects?
Biometric product marketing has to be targeted to the right people, with the right message. And the biometric product marketing expert at Bredemarket can help a company’s marketing organization create effective content. Talk to Bredemarket.
“A reported passkey vulnerability has been walked back, and FIDO is recommended as the fix to the vulnerability of “phishable” MFA wreaking havoc on corporate networks around the world.
“The PoisonSeed attack reported by security company Expel earlier this month does not give access to protected assets, if the FIDO Cross-Device Authentication flow is properly implemented.”
Proper implementation and configuration is essential.
The FIDO Alliance is one of the chief proponents of the “death of passwords” movement, and is working on delivering secure authentication. But even the most secure authentication method is not 100% secure. Nothing is.
Authentication is a complex undertaking, and the ability to authenticate on a new device is a special challenge. But the FIDO Alliance has addressed this:
“Cross device authentication allows a user to sign in with their device using a QR code.
“FIDO Cross-Device Authentication (CDA) allows a passkey from one device to be used to sign in on another device. For example, your phone can be linked to your laptop, allowing you to use a passkey from your phone to sign into a service on your laptop.
“CDA is powered by the FIDO Client-to-Authenticator Protocol (CTAP) using “hybrid” transport. CTAP is implemented by authenticators and client platforms, not Relying Parties.”
“After entering their username and password on the phishing site, the user was presented with a QR code….
“What happened behind the scenes is the phishing site automatically sent the stolen username and password to the legitimate login portal of the organization, along with a request to utilize the cross-device sign-in feature of FIDO keys. The login portal then displayed a QR code….
“In the case of this attack, the bad actors have entered the correct username and password and requested cross-device sign-in. The login portal displays a QR code, which the phishing site immediately captures and relays back to the user on the fake site. The user scans it with their MFA authenticator, the login portal and the MFA authenticator communicate, and the attackers are in.
“This process—while seemingly complicated—effectively neutralizes any protections that a FIDO key grants, and gives the attackers access to the compromised user’s account, including access to any applications, sensitive documents, and tools such access provides.”
Presumably the FIDO Alliance will address this soon.
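As an added example (not code from the FIDO Alliance or Expel, and a simplified model rather than the CTAP 2.2 hybrid transport itself), the Python sketch below keeps only the property that decides whether the relay described above succeeds: the device that displayed the QR code must also hear a Bluetooth Low Energy advertisement from the phone that scanned it, and that advertisement carries data (a nonce here; in the real protocol also the tunnel routing ID) that the QR code itself does not contain. Assumptions, all constructed for this example: HMAC-SHA256 stands in for HKDF and for the advertisement's encryption, a string "room" stands in for radio range, and the tunnel server and Noise handshake are left out.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field

# Simplified model of the CTAP "hybrid" transport behind FIDO Cross-Device
# Authentication. Real CTAP 2.2 uses CBOR QR payloads, EC keys, HKDF, a BLE
# advertisement encrypted under a key derived from the QR secret, a tunnel
# server and a Noise handshake. This model keeps one property: the client that
# showed the QR code must hear the phone's advertisement over the air.


def hkdf_like(secret: bytes, label: bytes) -> bytes:
    # Assumption: HMAC-SHA256 stands in for HKDF.
    return hmac.new(secret, label, hashlib.sha256).digest()


@dataclass
class QrCode:
    qr_secret: bytes   # random secret generated by the client (laptop)
    client_room: str   # where the QR code is physically displayed (model only)


@dataclass
class BleMedium:
    """Models radio range: an advertisement is only heard in the room it was sent from."""
    adverts: dict = field(default_factory=dict)   # room -> list of advert bytes

    def broadcast(self, room: str, advert: bytes) -> None:
        self.adverts.setdefault(room, []).append(advert)

    def listen(self, room: str) -> list:
        return list(self.adverts.get(room, []))


class Client:
    """The device (laptop/browser) that starts sign-in and shows the QR code."""

    def __init__(self, room: str, ble: BleMedium):
        self.room = room
        self.ble = ble
        self.qr = None

    def make_qr(self) -> QrCode:
        self.qr = QrCode(qr_secret=os.urandom(16), client_room=self.room)
        return self.qr

    def wait_for_phone(self):
        """Return the tunnel PSK if a matching advertisement is heard nearby, else None."""
        advert_key = hkdf_like(self.qr.qr_secret, b"advert")
        for advert in self.ble.listen(self.room):
            tag, nonce = advert[:32], advert[32:]
            expected = hmac.new(advert_key, nonce, hashlib.sha256).digest()
            if hmac.compare_digest(expected, tag):
                # The nonce only ever arrives over BLE; the QR secret alone is not enough.
                return hkdf_like(self.qr.qr_secret, b"psk" + nonce)
        return None


class Phone:
    """The authenticator that scans the QR code."""

    def __init__(self, room: str, ble: BleMedium):
        self.room = room
        self.ble = ble

    def scan(self, qr: QrCode) -> bytes:
        # The phone advertises from wherever the phone physically is,
        # not from wherever the QR code was generated.
        advert_key = hkdf_like(qr.qr_secret, b"advert")
        nonce = os.urandom(10)
        tag = hmac.new(advert_key, nonce, hashlib.sha256).digest()
        self.ble.broadcast(self.room, tag + nonce)
        return hkdf_like(qr.qr_secret, b"psk" + nonce)


def legitimate_flow() -> bool:
    """Laptop and phone in the same room: both sides derive the same PSK."""
    ble = BleMedium()
    laptop = Client("office", ble)
    phone = Phone("office", ble)
    qr = laptop.make_qr()
    phone_psk = phone.scan(qr)
    laptop_psk = laptop.wait_for_phone()
    return laptop_psk is not None and hmac.compare_digest(laptop_psk, phone_psk)


def relayed_flow():
    """PoisonSeed-style relay: the attacker's client generates the QR code, the
    phishing page shows it to the victim, and the victim scans it somewhere else."""
    ble = BleMedium()
    attacker_client = Client("attacker-datacenter", ble)
    victim_phone = Phone("victim-home", ble)
    qr = attacker_client.make_qr()        # relayed to the victim via the phishing page
    victim_phone.scan(qr)                 # advertisement goes out at the victim's location
    return attacker_client.wait_for_phone()   # None: nothing heard in the attacker's room
```

In the relayed case the attacker's client generated the QR code and therefore knows the QR secret, but nothing derivable from that secret yields the advertisement; the phone advertises from the victim's location, out of range of the attacker's client, so no PSK is produced and the session never starts. A client that skips the advertisement step, or falls back to a channel with no proximity check, is the kind of gap the FIDO statement above is pointing at when it conditions its conclusion on the flow being properly implemented.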
(Author’s preface: I was originally going to schedule this post for the middle of next week. But by the time I wrote it, the end of the post referenced a current event of astronomical proportions. Since said current event may be forgotten by the middle of next week, I am publishing it now.)
You get a message on a platform from someone you don’t know. The message may look something like this:
“John,
“I hope this message finds you well. I came across your profile and was truly impressed by your background. While I’m not a recruiter, I’m assisting in connecting talented professionals with a startup that is working on a unique initiative.
“Given your experience, I believe you could be a fantastic fit for their senior consultant role. If you’re open to exploring this opportunity, I’d be happy to share more details and introduce you to the team directly. Please let me know if you’re interested!”
Let’s count the red flags in this message, which is one I actually received on May 30 from someone named David Joseph:
The author was truly impressed by my background, but didn’t cite any specifics about my background that impressed them. This exact same message could be sent to a biometric product marketing expert, a nuclear physicist, or a store cashier.
The author is not a recruiter, but a connector who will presumably pass me on to someone else. Why doesn’t the “someone else” contact me directly?
The whole unidentified startup working on a unique initiative story. Yes, some companies operate as stealth firms before revealing their corporate identity. Amway. Primerica. Countless MLMs with bad reputations. Trust me, these initiatives are not unique.
That senior consultant title. Not junior consultant. Senior consultant. To make that envelope stuffing role even more prestigious.
I got the note and the note is even clearer
But I wasn’t really concerned with the message. I get these messages all the time.
So what concerned me?
The note attached to the message by the platform that hosted the message.
“Don’t know David? Ask David to verify their profile information before responding for added security.”
The platform, if you haven’t already guessed, is LinkedIn, the message a LinkedIn InMail.
Let’s follow the trail.
LinkedIn let “David” use the platform without verifying his identity or verifying that Randstad is truly his employer as his profile states.
LinkedIn sold “David” a bunch of InMail credits so that he could privately share this unique opportunity.
Now LinkedIn wants me to do its dirty work and say, “Hey David, why don’t you verify your profile?”
Now the one thing in LinkedIn’s favor is that LinkedIn—unlike Meta—lets its users verify their profiles for free. Meta charges you for this.
But again, why should I do LinkedIn’s dirty work?
Why doesn’t LinkedIn prevent users from sending InMails unless their profiles are verified?
The answer: LinkedIn makes a ton of money selling InMails to people without verified profiles. And thus makes money off questionable businesspeople and outright scammers.
Instead of locking down the platform and preventing scammers from joining the platform in the first place.
People are people, and why should it be that non-person entities (NPEs) are treated the same? The girl is NOT the robot.
Imagen 4.
Non-static
In a June 30 LinkedIn post, Eric Olden of Strata caused me to realize that my approach to NPEs is too uniform and needs to be more nuanced.
“Agentic identity isn’t just a new type of NHI. AI agents might functionally fall under the “non-human identity” umbrella—but that label doesn’t really cut it since we’re not talking about static service accounts or API keys.”
In a table published in the original post, Olden semantically defines NHIs as the persistent entities with unchanging privileges. Agentic identities, in Olden’s cosmos, are ephemeral.
But Olden identifies one additional distinction that has nothing to do with lifespan.
“AI agents are digital actors that can reason and make decisions across systems.”
Olden notes that the characteristics of agentic AI offer both power and risk.
“Modern architectures — cloud-native, ephemeral workloads, APIs, containers, robotic processes — don’t fit neatly into the account model. They’re fast, dynamic, and short-lived. They need access right now, based on who or what they are, where they run, and what they do.
“And here’s the shift: We don’t need to create an account for each of them. We just need to recognize the entity, validate it, and project a governed identity that can be used for access decisions.”
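As an added illustration of the shift Olden describes (this is example code, not Strata's or Olden's, and every name, key and policy entry in it is constructed), the following Python sketch shows an identity broker that holds no account for the workload at all: the platform that launched the workload signs a short attestation of what is running, where it runs and when it started; the broker validates that attestation, matches it against policy, and projects a governed identity as a token that expires in minutes. Assumptions: HMAC-SHA256 with shared keys stands in for the asymmetric signatures a real attestation or token system would use, and the JSON dictionaries stand in for a real token format.

```python
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed for this example: the platform that launches a workload (a
# container, a function, an AI agent run) signs a small attestation; an
# identity broker validates it, matches it against policy, and projects a
# short-lived, scoped identity. No account is provisioned for the entity.
ATTESTER_KEY = b"example-platform-attestation-key"   # demo shared secret; real
BROKER_KEY = b"example-broker-signing-key"           # systems use asymmetric keys
TOKEN_TTL = 300             # the projected identity lives five minutes
MAX_ATTESTATION_AGE = 60    # only freshly launched entities are recognized

# Policy: what the entity is (image digest) and where it runs (namespace) decide
# which governed identity it gets; the scopes bound what it may do.
POLICY = [
    ({"image": "registry.example/invoice-agent@sha256:abc", "namespace": "finance"},
     {"role": "invoice-reader", "scopes": ["invoices:read"]}),
    ({"image": "registry.example/ci-runner@sha256:def", "namespace": "build"},
     {"role": "ci-publisher", "scopes": ["artifacts:write"]}),
]


def _sign(key: bytes, payload: dict) -> str:
    body = json.dumps(payload, sort_keys=True).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()


def attest(claims: dict) -> dict:
    """Platform side: vouch for what is running, where, and when it started."""
    return {"claims": claims, "sig": _sign(ATTESTER_KEY, claims)}


def project_identity(attestation: dict, now: Optional[float] = None):
    """Broker side: recognize the entity, validate it, project a governed identity.

    Returns (token, reason); token is None when the entity is not recognized."""
    now = time.time() if now is None else now
    claims = attestation["claims"]
    if not hmac.compare_digest(_sign(ATTESTER_KEY, claims), attestation["sig"]):
        return None, "bad attestation signature"
    if now - claims["started_at"] > MAX_ATTESTATION_AGE:
        return None, "stale attestation"
    for required, identity in POLICY:
        if all(claims.get(k) == v for k, v in required.items()):
            payload = {**identity, "sub": claims["image"], "exp": now + TOKEN_TTL}
            return {"payload": payload, "sig": _sign(BROKER_KEY, payload)}, "ok"
    return None, "no policy matches this entity"


def authorize(token: dict, scope: str, now: Optional[float] = None) -> bool:
    """Resource side: the token, not a stored account, carries the decision inputs."""
    now = time.time() if now is None else now
    p = token["payload"]
    return (hmac.compare_digest(_sign(BROKER_KEY, p), token["sig"])
            and now < p["exp"]
            and scope in p["scopes"])
```

The three checks in `project_identity` are the order Olden's sentence implies: recognize (the signature ties the claims to the launching platform), validate (the attestation is fresh), then project (policy, not a stored account, decides the role and scopes). Because the token carries its own expiry and scopes, there is nothing to deprovision when the agent exits; the credential simply stops being accepted.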
Are you having trouble finding an asset such as a digital identity or a commercial asset? If you are, there are ways to make things easier to find.
An example from the identity world
Identity Jedi David Lee recently shared his thoughts on “The Hidden Cost of Bad Identity Data (and How to Fix It).” Lee didn’t focus on the biometric data, but instead on the textual data that is associated with a digital identity.
“Let’s say you’re kicking off a new identity program. You know you need user location to drive access policies, governance rules, or onboarding flows. But your authoritative source has location data in five different formats—some say “NY,” others say “New York,” and some list office addresses with zip codes and floor numbers.
“You tell yourself: “We’ll clean it up later.”
“What you’ve really done is commit your future self to a much more expensive project.”
Garbage in, garbage out.
An example from the commerce world
Krassimir Boyanov of KBWEB Consult provides another example of a problem in his post “Why AEM Assets Smart Tagging Makes Your Marketing Work Easier.” Let’s say that you’re managing the images (the “assets”) that display on a company’s website. You have thousands if not millions of images to manage. How do you find a particular image?
One way to do this is to “tag” each image with descriptive information.
But if you do it wrong, there will be problems.
“Tagging is inconsistent. If 10 people are tagging the items, the tags will probably be inconsistent. While one person tags an item as a “car,” another may tag a similar item as an “automobile.” Although the two assets are similar, this is hidden because of inconsistent tag use.”
Again, garbage in, garbage out.
An organizational solution from the identity world
Lee and Boyanov approach these similar problems from two perspectives.
Lee, as an Identity and Access Management (IAM) expert, approaches this as a business problem and offers the following recommendations (among others):
“Clean early, not late: Push for authoritative sources to normalize and codify the data before it hits the IAM system….
“Push accountability upstream: Don’t accept ownership of fixing problems you don’t control. Instead, elevate the data issue to the right stakeholder (hint: HR, IT, or Legal).”
While Lee can certainly speak to the technologies that can normalize and codify the data, he prefers in this post to concentrate on the organizational issues that cause dirty data, and on how to prevent these issues from reoccurring in the future.
A technological solution from the commerce world
Boyanov can also speak to business and organizational issues as an Adobe Experience Manager consultant who has helped multiple organizations implement the Adobe product. But in this case he concentrates on a technological approach offered by Adobe:
A Taxonomy is a system of organizing tags based on shared characteristics, which are usually hierarchically structured per organizational need. The structure can help find a tag faster or impose a generalization. Example: There is a need to subcategorize stock imagery of cars. The taxonomy could look like:
Once the taxonomy is defined, assets can be tagged (preferably automatically) in accordance with the hierarchy.
Presumably David Lee’s identity world can similarly come up with a method to standardize addresses BEFORE they are added to an IAM system.
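As an added example that serves both passages above (Lee's five formats of location data, and Boyanov's “car” versus “automobile” tags), and that is not code from either author or from Adobe, the Python below applies one technique to both problems: a hierarchical taxonomy with a canonical path per node, a synonym index built from it, and a gate that normalizes each value before it reaches the IAM system and sends anything it cannot resolve back upstream with a reason. The taxonomy, state codes and sample records are constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed taxonomy for the example: each canonical node has one path in a
# hierarchy (Boyanov's point) and a set of synonyms seen in the wild (Lee's point).
TAXONOMY = {
    "location/us/ny": {"ny", "new york", "new york, ny"},
    "location/us/ca": {"ca", "calif", "california"},
    "vehicle/car": {"car", "automobile", "auto"},
    "vehicle/truck": {"truck", "lorry", "pickup"},
}
US_STATE_CODES = {"NY", "CA"}          # only the codes the taxonomy knows about
ZIP_RE = r"\b\d{5}(?:-\d{4})?\b"       # US ZIP or ZIP+4


def build_index(taxonomy: dict) -> dict:
    """Invert the taxonomy into synonym -> canonical path, refusing ambiguity."""
    index = {}
    for canonical, synonyms in taxonomy.items():
        for s in synonyms:
            key = s.lower()
            if key in index and index[key] != canonical:
                raise ValueError(f"synonym {s!r} maps to two nodes")
            index[key] = canonical
    return index


SYNONYM_INDEX = build_index(TAXONOMY)


@dataclass
class Normalized:
    canonical: Optional[str]   # taxonomy path, or None when the value is rejected
    reason: str                # how it was resolved, or why it was rejected


def normalize_tag(raw: str) -> Normalized:
    """Map a free-text tag to its canonical taxonomy node, if it has one."""
    key = re.sub(r"\s+", " ", raw.strip().lower())
    if key in SYNONYM_INDEX:
        return Normalized(SYNONYM_INDEX[key], "synonym")
    return Normalized(None, "unknown value; fix at the authoritative source")


def normalize_location(raw: str) -> Normalized:
    """Reduce free-text location data to one canonical node before it reaches IAM."""
    text = raw.strip()
    # An office address with floor and ZIP: the state code before the ZIP is the signal.
    m = re.search(r"\b([A-Z]{2})\b\s*" + ZIP_RE, text)
    if m and m.group(1) in US_STATE_CODES:
        return Normalized("location/us/" + m.group(1).lower(), "address")
    return normalize_tag(text)


def ingest(records: list) -> tuple:
    """Gate before the IAM system: clean rows go in, bad rows go back upstream with a reason."""
    clean, rejected = [], []
    for r in records:
        n = normalize_location(r["location"])
        if n.canonical is None:
            rejected.append({**r, "reason": n.reason})
        else:
            clean.append({**r, "location": n.canonical})
    return clean, rejected


# Constructed sample of the mixed-format problem at the authoritative source.
SAMPLE_RECORDS = [
    {"user": "alice", "location": "NY"},
    {"user": "bob", "location": "New York"},
    {"user": "carol", "location": "1 Main St, 5th Floor, New York, NY 10001"},
    {"user": "dave", "location": "Springfield"},
]
```

The `ValueError` in `build_index` is deliberate: if two people ever add the same synonym under two nodes, the taxonomy itself is now inconsistent, and that is caught when the index is built rather than discovered later as unfindable assets or misapplied access policy. The rejected list is what you hand to HR, IT or Legal, per Lee's advice, rather than quietly guessing.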
As deep as any ocean
Whether you’re dealing with a digital identity or a commercial asset, you need to ensure that you can find this asset in the future. This requires planning beforehand.
And a content creation project also requires planning beforehand, such as asking questions before beginning the project.
If you are an identity/biometric or technology firm that requires content creation, or perhaps proposal or analysis services, Bredemarket can help. After all, content creation is science…and art.
But perhaps you would prefer to hear from someone who knows what they’re talking about.
On a webcast this morning, C. Maxine Most of The Prism Project reminded us that the “Biometric Digital Identity Deepfake and Synthetic Identity Prism Report” is scheduled for publication in May 2025, just a little over a month from now.
As with all other Prism Project publications, I expect a report that details the identity industry’s solutions to battle deepfakes and synthetic identities, and the vendors who provide them.
And the report is coming from one of the few industry researchers who knows the industry. Max doesn’t write synthetic identity reports one week and refrigerator reports the next, if you know what I mean.
At this point The Prism Project is soliciting sponsorships. Quality work doesn’t come for free, you know. If your company is interested in sponsoring the report, visit this link.
While waiting for Max, here are the Five Tops
And while you’re waiting for Max’s authoritative report on deepfakes and synthetic identity, you may want to take a look at Min’s (my) views, such as they are. Here are my current “five tops” posts on deepfakes and synthetic identity.
Now if you click on that link, you will see a “Verify” link at the top left.
From Credly.
And if you click on that “Verify,” this is what you get.
The verification.
So I have verified that I am allowed to call myself John E. Bredehoft, CF APMP. It’s allowed:
In the same manner, those who have achieved one of the APMP certifications can append the appropriate certification. In the case of APMP Foundation certification, that means that I can style myself as “John E. Bredehoft, CF APMP.” (Or “John E. Bredehoft, MBA, CF APMP, RSBC” if I want to be thorough. But I probably won’t, since “RSBC” stands for “Radio Shack Battery Club.”)
But have I REALLY verified that I have achieved this accomplishment? (Not the battery club one, the proposal one. Although it would be good to know whether I really have that MBA educational accomplishment.)
The identity problem
You see, despite how impressive that Credly link is, it doesn’t prove anything.
Sure, somebody who claimed to be John E. Bredehoft sat down in 2021 and took an online exam.
But was that person truly John E. Bredehoft?
And even if he was, am I the same John E. Bredehoft who received the certification?
Maybe there were fraudsters along the way. Maybe someone else took the test and pretended to be Bredehoft. Or maybe I’m not Bredehoft.
Sure, at one point I whipped out a credit card with Bredehoft’s name on it. But that doesn’t prove identity.
You probably know the things that prove identity. A biometric modality, including the liveness of that modality. A government-issued identity document that matches the biometric. A sensible location (was the test taker in Ontario, California as expected?).
Now perhaps this is overkill for authenticating a proposal writer, but it may not be if you need a certified plumber.
And because I truly am me, I know I didn’t meet the CEU/CPD requirement by September 2023. I don’t know how many I did achieve; the APMP was changing its CEU/CPD tracking system in early 2022, and then I joined Incode and theoretically wasn’t writing proposals any more. Theoretically.
So in truth, my shiny badge only represents a dated accomplishment. John E. Bredehoft can no longer use the CF APMP designation.
Unless I add “Emeritus” or something.
And as for those cases in which the certifications and identities truly matter…
Well, Anthony Kimery of Biometric Update provided a…well, update. According to Thomas Shedd, who heads the GSA’s Technology Transformation Services (the organization in which the former 18F resided), we have nothing to worry about:
“‘I can assure you that Login.gov’s work carries forward as a critical part of government-wide efforts to promote efficiency and fight fraud,’ Shedd wrote in a Monday email. ‘To that end we are working to accelerate Login’s roadmap. More to come on that soon.’”