Identity Assurance Level 3 (IAL3): When Identity Assurance Level 2 (IAL2) Isn’t Good Enough


(Part of the biometric product marketing expert series)

I’ve talked about Identity Assurance Levels 1, 2, and 3 on several occasions. Most notably regarding Login.gov’s initial failure to adhere to Identity Assurance Level 2 (IAL2). (Old news; after the pilot, Login.gov is now certified for IAL2.)

But as usually happens, IAL2 is yesterday’s news. Because biometric tech always gets harder better faster stronger.

Refresher on IAL1, IAL2…and IAL3

Let’s review the three identity assurance levels.

For our purposes, the big difference between IAL2 and IAL3 is that IAL2 allows “either remote or physically-present identity proofing,” while IAL3 requires “[p]hysical presence” for identity proofing. However, the proofing agent may “attend the identity proofing session via a CSP-controlled kiosk or device.” In other words, supervised enrollment.

When do you need IAL3? Mitek’s Adam Bacia clarifies:

“IAL3 is reserved for high-risk environments such as sensitive government services.”

How are solutions approved for a particular Identity Assurance Level?

Now I could get on my product marketing soapbox and loudly proclaim that my service is IAL2 compliant, or IAL3 compliant, or IAL4 compliant. (“What? You don’t know about IAL4? Obviously you’re not authorized to know about it.”)

But I doubt you would, um, trust my declaration.

Enter the Kantara Initiative, which manages an Identity Assurance Approval Process. For our purposes, we want to focus on the NIST 800-63 rev.3 class of approval:

“Available to Credential Service Providers offering Full or Component Credential Management Services. Modeled on best practice (drawing from, among other sources, ISO/IEC 27001, ISO/IEC 29115), this Class of Approval ensures the provider organization’s good standing and management / operational practices and assesses criteria which are derived strictly from NIST SP 800-63 rev.3 requirements, ensuring a conformant technical provision of the provider organization’s service.

“Assurance Levels: IAL2, IAL3; AAL2, AAL3; FAL2, FAL3”

  • You see that the Kantara Initiative doesn’t even offer an approval for IAL1, just for IAL2 and IAL3.
  • It also offers approvals for AAL2 and AAL3. I’ve previously discussed Authenticator Assurance Levels (AALs) in this post. Briefly, IALs focus on the initial identity proofing, while AALs focus on the authentication of a proven identity.
  • And you can also see that it offers approvals for FAL2 and FAL3. I’ve never discussed Federation Assurance Levels (FALs) before.

Component Services IAL2 approvals…and an IAL3 approval

Now if you go to the Kantara Initiative’s Trust Status List and focus on the Component Services, you’ll see a number of companies and their component services which are approved for NIST 800-63 rev.3 and offer an assurance level of IAL2.

With one exception.

“NextgenID Trusted Services Solution provides Supervised Remote Identity Proofing identity stations to collect, review, validate, proof, and package IAL-3 identity evidence and enrollment data for CSPs operating at IAL-3. The NextGenID TSS Identity Stations enable remote operators to remotely supervise NIST SP 800-63A compliant Supervised Remote Identity Proofing (SRIP) sessions for credentialing.”

So if remote identity assurance is not good enough for you, there’s a solution. I’ve already discussed NextgenID’s SUPERVISED remote identity proofing in this post. And there’s a video.

Trust Swiftly has also designed a remote IAL3 solution, but I couldn’t find Trust Swiftly on the Kantara Initiative’s Trust Status List. Perhaps it was processed under another accredited assessor.

But clearly biometric product marketers are paying attention to the identity assurance levels…at least the real ones (not IAL4). But are they communicating benefit-oriented messages to their prospects?

Biometric product marketing has to be targeted to the right people, with the right message. And the biometric product marketing expert at Bredemarket can help a company’s marketing organization create effective content. Talk to Bredemarket.

PoisonSeed and FIDO Update

Update to my July 21 post “PoisonSeed: Cross-Device Authentication Shouldn’t Allow Authentication on a Fraudster’s Device.” FIDO’s cross-device authentication is NOT inherently insecure.

From Chris Burt at Biometric Update:

“A reported passkey vulnerability has been walked back, and FIDO is recommended as the fix to the vulnerability of “phishable” MFA wreaking havoc on corporate networks around the world.

“The PoisonSeed attack reported by security company Expel earlier this month does not give access to protected assets, if the FIDO Cross-Device Authentication flow is properly implemented.”

Proper implementation and configuration is essential.

PoisonSeed: Cross-Device Authentication Shouldn’t Allow Authentication on a Fraudster’s Device

(Important July 30 update here.)


The FIDO Alliance is one of the chief proponents of the “death of passwords” movement, and is working on delivering secure authentication. But even the most secure authentication method is not 100% secure. Nothing is.

Authentication is a complex undertaking, and the ability to authenticate on a new device is a special challenge. But the FIDO Alliance has addressed this:

“Cross device authentication allows a user to sign in with their device using a QR code.

“FIDO Cross-Device Authentication (CDA) allows a passkey from one device to be used to sign in on another device. For example, your phone can be linked to your laptop, allowing you to use a passkey from your phone to sign into a service on your laptop.

“CDA is powered by the FIDO Client-to-Authenticator Protocol (CTAP) using “hybrid” transport. CTAP is implemented by authenticators and client platforms, not Relying Parties.”

What could go wrong? Well, according to Expel, plenty:

“After entering their username and password on the phishing site, the user was presented with a QR code….

“What happened behind the scenes is the phishing site automatically sent the stolen username and password to the legitimate login portal of the organization, along with a request to utilize the cross-device sign-in feature of FIDO keys. The login portal then displayed a QR code….

“In the case of this attack, the bad actors have entered the correct username and password and requested cross-device sign-in. The login portal displays a QR code, which the phishing site immediately captures and relays back to the user on the fake site. The user scans it with their MFA authenticator, the login portal and the MFA authenticator communicate, and the attackers are in.

“This process—while seemingly complicated—effectively neutralizes any protections that a FIDO key grants, and gives the attackers access to the compromised user’s account, including access to any applications, sensitive documents, and tools such access provides.”

Presumably the FIDO Alliance will address this soon.

When Social Platforms Convert Users Into Identity Verification Salespeople


(Author’s preface: I was originally going to schedule this post for the middle of next week. But by the time I wrote it, the end of the post referenced a current event of astronomical proportions. Since said current event may be forgotten by the middle of next week, I am publishing it now.)

As a proponent of identity verification and a biometric product marketing expert I should like this…but I don’t.

I got the message and the message is clear

You get a message on a platform from someone you don’t know. The message may look something like this:

“John,

“I hope this message finds you well. I came across your profile and was truly impressed by your background. While I’m not a recruiter, I’m assisting in connecting talented professionals with a startup that is working on a unique initiative.

“Given your experience, I believe you could be a fantastic fit for their senior consultant role. If you’re open to exploring this opportunity, I’d be happy to share more details and introduce you to the team directly. Please let me know if you’re interested!”

Let’s count the red flags in this message, which is one I actually received on May 30 from someone named David Joseph:

  • The author was truly impressed by my background, but didn’t cite any specifics about my background that impressed them. This exact same message could be sent to a biometric product marketing expert, a nuclear physicist, or a store cashier.
  • The author is not a recruiter, but a connector who will presumably pass me on to someone else. Why doesn’t the “someone else” contact me directly?
  • The whole unidentified startup working on a unique initiative story. Yes, some companies operate as stealth firms before revealing their corporate identity. Amway. Primerica. Countless MLMs with bad reputations. Trust me, these initiatives are not unique.
  • That senior consultant title. Not junior consultant. Senior consultant. To make that envelope stuffing role even more prestigious.

I got the note and the note is even clearer

But I wasn’t really concerned with the message. I get these messages all the time.

So what concerned me?

The note attached to the message by the platform that hosted the message.

“Don’t know David? Ask David to verify their profile information before responding for added security.”

The platform, if you haven’t already guessed, is LinkedIn, the message a LinkedIn InMail.

Let’s follow the trail.

  • LinkedIn let “David” use the platform without verifying his identity or verifying that Randstad is truly his employer as his profile states.
  • LinkedIn sold “David” a bunch of InMail credits so that he could privately share this unique opportunity.
  • Now LinkedIn wants me to do its dirty work and say, “Hey David, why don’t you verify your profile?”

Now the one thing in LinkedIn’s favor is that LinkedIn—unlike Meta—lets its users verify their profiles for free. Meta charges you for this.

But again, why should I do LinkedIn’s dirty work?

Why doesn’t LinkedIn prevent users from sending InMails unless their profiles are verified?

The answer: LinkedIn makes a ton of money selling InMails to people without verified profiles. And thus makes money off questionable businesspeople and outright scammers.

Instead of locking down the platform and preventing scammers from joining the platform in the first place.

It’s like LinkedIn openly embraces scammers.

And everyone knows it.


Agentic AI NPEs, Ephemeral and Non-Individual

People are people, and why should it be that non-person entities (NPEs) are treated the same? The girl is NOT the robot.


Non-static

In a June 30 LinkedIn post, Eric Olden of Strata caused me to realize that my approach to NPEs is too uniform and needs to be more nuanced.

“Agentic identity isn’t just a new type of NHI. AI agents might functionally fall under the “non-human identity” umbrella—but that label doesn’t really cut it since we’re not talking about static service accounts or API keys.”

In a table published in the original post, Olden semantically defines NHIs as the persistent entities with unchanging privileges. Agentic identities, in Olden’s cosmos, are ephemeral.

But Olden identifies one additional distinction that has nothing to do with lifespan.

“AI agents are digital actors that can reason and make decisions across systems.”

Olden notes that the characteristics of agentic AI offer both power and risk.

Impermanent


ConductorOne shares Olden’s observations on agentic AI:

“Often ephemeral, existing for just seconds or minutes depending on the task.

“Requires role-based or task-specific access, rather than broad or persistent permissions.

“Capable of autonomous decision-making and executing actions in real-time.

“Built to integrate with existing systems and interact securely with other agents.

“Expands the potential for AI solutions by enabling action—not just insight or content.”

Unaccountable


So how do you set up individual accounts for these extremely powerful non-person entities that appear and disappear?

According to Juan Ignacio Torres Durán, you don’t.

“Modern architectures — cloud-native, ephemeral workloads, APIs, containers, robotic processes — don’t fit neatly into the account model. They’re fast, dynamic, and short-lived. They need access right now, based on who or what they are, where they run, and what they do.

“And here’s the shift: We don’t need to create an account for each of them. We just need to recognize the entity, validate it, and project a governed identity that can be used for access decisions.”

So no distinct individuality for NPEs. That’s an interesting…um…world.

(She’s Tidied Up and) I Can’t Find Anything

Are you having trouble finding an asset such as a digital identity or a commercial asset? If you are, there are ways to make things easier to find.

An example from the identity world

Identity Jedi David Lee recently shared his thoughts on “The Hidden Cost of Bad Identity Data (and How to Fix It).” Lee didn’t focus on the biometric data, but instead on the textual data that is associated with a digital identity.

“Let’s say you’re kicking off a new identity program. You know you need user location to drive access policies, governance rules, or onboarding flows. But your authoritative source has location data in five different formats—some say “NY,” others say “New York,” and some list office addresses with zip codes and floor numbers.

“You tell yourself: “We’ll clean it up later.”

“What you’ve really done is commit your future self to a much more expensive project.”

Garbage in, garbage out.

An example from the commerce world

Krassimir Boyanov of KBWEB Consult provides another example of a problem in his post “Why AEM Assets Smart Tagging Makes Your Marketing Work Easier.” Let’s say that you’re managing the images (the “assets”) that display on a company’s website. You have thousands if not millions of images to manage. How do you find a particular image?

One way to do this is to “tag” each image with descriptive information.

But if you do it wrong, there will be problems.

“Tagging is inconsistent. If 10 people are tagging the items, the tags will probably be inconsistent. While one person tags an item as a “car,” another may tag a similar item as an “automobile.” Although the two assets are similar, this is hidden because of inconsistent tag use.”

Again, garbage in, garbage out.

An organizational solution from the identity world

Lee and Boyanov approach these similar problems from two perspectives.

Lee, as an Identity and Access Management (IAM) expert, approaches this as a business problem and offers the following recommendations (among others):

“Clean early, not late: Push for authoritative sources to normalize and codify the data before it hits the IAM system….

“Push accountability upstream: Don’t accept ownership of fixing problems you don’t control. Instead, elevate the data issue to the right stakeholder (hint: HR, IT, or Legal).”

While Lee can certainly speak to the technologies that can normalize and codify the data, he prefers in this post to concentrate on the organizational issues that cause dirty data, and on how to prevent these issues from reoccurring in the future.

A technological solution from the commerce world

Boyanov can also speak to business and organizational issues as an Adobe Experience Manager consultant who has helped multiple organizations implement the Adobe product. But in this case he concentrates on a technological approach offered by Adobe:

“A taxonomy is a system of organizing tags based on shared characteristics, which is usually hierarchically structured per organizational need. The structure can help find a tag faster or impose a generalization.
“Example: There is a need to subcategorize stock imagery of cars. The taxonomy could look like:

/subject/car/
/subject/car/sportscar
/subject/car/sportscar/porsche
/subject/car/sportscar/ferrari

/subject/car/minivan
/subject/car/minivan/mercedes
/subject/car/minivan/volkswagen

/subject/car/limousine

“Once the taxonomy is defined, assets can be tagged (preferably automatically) in accordance with the hierarchy.”

Presumably David Lee’s identity world can similarly come up with a method to standardize addresses BEFORE they are added to an IAM system.

As deep as any ocean

Whether you’re dealing with a digital identity or a commercial asset, you need to ensure that you can find this asset in the future. This requires planning beforehand.

And a content creation project also requires planning beforehand, such as asking questions before beginning the project.

If you are an identity/biometric or technology firm that requires content creation, or perhaps proposal or analysis services, Bredemarket can help. After all, content creation is science…and art.

Talk to me: https://bredemarket.com/cpa/


The “Biometric Digital Identity Deepfake and Synthetic Identity Prism Report” is Coming

As you may have noticed, I have talked about both deepfakes and synthetic identity ad nauseum.

But perhaps you would prefer to hear from someone who knows what they’re talking about.

On a webcast this morning, C. Maxine Most of The Prism Project reminded us that the “Biometric Digital Identity Deepfake and Synthetic Identity Prism Report” is scheduled for publication in May 2025, just a little over a month from now.

As with all other Prism Project publications, I expect a report that details the identity industry’s solutions to battle deepfakes and synthetic identities, and the vendors who provide them.

And the report is coming from one of the few industry researchers who knows the industry. Max doesn’t write synthetic identity reports one week and refrigerator reports the next, if you know what I mean.

At this point The Prism Project is soliciting sponsorships. Quality work doesn’t come for free, you know. If your company is interested in sponsoring the report, visit this link.

While waiting for Max, here are the Five Tops

And while you’re waiting for Max’s authoritative report on deepfakes and synthetic identity, you may want to take a look at Min’s (my) views, such as they are. Here are my current “five tops” posts on deepfakes and synthetic identity.

Verifying That Credential

People can claim all sorts of accomplishments, but how do you verify (and authenticate) the truth?

The claimed credential

For those who don’t recall, I did a thing in 2021. Specifically, I achieved APMP® Bid and Proposal Management Foundation 2021 certification.

I even published the link to my certification. Here it is.

https://www.credly.com/badges/f177cbf8-e085-4fae-943a-1e418d86c872

Now if you click on that link, you will see a “Verify” link at the top left.

From Credly.

And if you click on that “Verify,” this is what you get.

The verification.

So I have verified that I am allowed to call myself John E. Bredehoft, CF APMP. It’s allowed:

In the same manner, those who have achieved one of the APMP certifications can append the appropriate certification. In the case of APMP Foundation certification, that means that I can style myself as “John E. Bredehoft, CF APMP.” (Or “John E. Bredehoft, MBA, CF APMP, RSBC” if I want to be thorough. But I probably won’t, since “RSBC” stands for “Radio Shack Battery Club.”)

But have I REALLY verified that I have achieved this accomplishment? (Not the battery club one, the proposal one. Although it would be good to know whether I really have that MBA educational accomplishment.)

The identity problem

You see, despite how impressive that Credly link is, it doesn’t prove nothing.

Sure, somebody who claimed to be John E. Bredehoft sat down in 2021 and took an online exam.

  • But was that person truly John E. Bredehoft?
  • And even if he was, am I the same John E. Bredehoft who received the certification?

Maybe there were fraudsters along the way. Maybe someone else took the test and pretended to be Bredehoft. Or maybe I’m not Bredehoft.

Sure, at one point I whipped out a credit card with Bredehoft’s name on it. But that doesn’t prove identity.

You probably know the things that prove identity. A biometric modality, including the liveness of that modality. A government-issued identity document that matches the biometric. A sensible location (was the test taker in Ontario, California as expected?).

Now perhaps this is overkill for authenticating a proposal writer, but it may not be if you need a certified plumber.

Or a certified lawyer.

Or a certified doctor.

The other problem

But there’s another problem with the whole thing, even if I am who I say I am.

Yes, my September 2021 achievement is verified.

And yes, the record was updated in January 2022.

But…to maintain a CF APMP certification, you need 20 Continuing Education Units (CEUs)/Continuing Professional Development (CPDs) every two years.

APMP continuing education requirements.

And because I truly am me, I know I didn’t meet the CEU/CPD requirement by September 2023. I don’t know how many I did achieve; the APMP was changing its CEU/CPD tracking system in early 2022, and then I joined Incode and theoretically wasn’t writing proposals any more. Theoretically.

So in truth, my shiny badge only represents a dated accomplishment. John E. Bredehoft can no longer use the CF APMP designation.

Unless I add “Emeritus” or something.

And as for those cases in which the certifications and identities truly matter…

Login.gov May Not Be Pining for the Fjords

My question regarding Login.gov’s future may have been answered.

You will recall that the General Services Administration’s 18F organization was unceremoniously shut down over the weekend. Since 18F was the original developer of Login.gov, it was unclear whether the government’s identity service had also fallen victim to the chopping block.

Well, Anthony Kimery of Biometric Update provided a…well, update. According to Thomas Shedd, who heads the GSA’s Technology Transformation Services (the organization in which the former 18F resided), we have nothing to worry about:

“‘I can assure you that Login.gov’s work carries forward as a critical part of government-wide efforts to promote efficiency and fight fraud,’ Shedd wrote in a Monday email. ‘To that end we are working to accelerate Login’s roadmap. More to come on that soon.’”

So that’s the story as of this week…

How Does Private Sector Firm X Handle Identity Verification?

As I mentioned earlier, I don’t know if Login.gov is affected by the abrupt shutdown of GSA’s 18F. Was 18F still maintaining Login.gov code, or had the Login.gov folks established their own code maintenance, independent of the now-deprecated 18F?

Perhaps we will find out Monday.

But what if 18F were still responsible for Login.gov, which therefore is nearly impossible to update or maintain?

No, Mark Cuban, DOGE will not contract with the ex-18F workers. DOGE doesn’t need them. Look at what they’ve already done with verifying identities.

IDV via SMS

For example, at the private sector company X, you cannot get a paid X Premium subscription unless you have a confirmed phone number. Because everybody knows that confirming identities via an SMS text message is a foolproof method.

Well, maybe not.

“According to information provided by Google, the decision to move away from SMS verification stems from numerous security vulnerabilities associated with text message codes. These include susceptibility to phishing attacks, where users might inadvertently share codes with malicious actors, and dependence on phone carriers’ security practices, which can vary widely in effectiveness.”

IDV via doc plus selfie

Now I’m not being fair to X, because X offers an identity verification procedure using a government-issued ID…as a voluntary (not mandatory) service. It uses known third-party providers (Au10tix, Persona, and Stripe as of February 2025) for IDV.

“X will provide a voluntary ID verification option for certain X features to increase the overall integrity and trust on our platform. We collect this data when X Premium subscribers optionally choose to apply for an ID verified badge by verifying their identity using a government-issued ID. Once confirmed, a verified label is added to the user’s profile for transparency and potentially unlocking additional benefits associated with specific X features in the future.”

But the public sector needs IDV

Identity verification isn’t mandatory on X because some people plain do not want it. Not because they’re crooks, but because they don’t want to hand their PII over to anyone if they don’t have to.

Of course, the Internal Revenue Service, the Social Security Administration, and many other government agencies HAVE to implement identity verification from Login.gov, ID.me, or some other provider.