digital identity – Page 2

When Social Platforms Convert Users Into Identity Verification Salespeople

(Imagen 4)

(Author’s preface: I was originally going to schedule this post for the middle of next week. But by the time I wrote it, the end of the post referenced a current event of astronomical proportions. Since said current event may be forgotten by the middle of next week, I am publishing it now.)

As a proponent of identity verification and a biometric product marketing expert I should like this…but I don’t.

I got the message and the message is clear

You get a message on a platform from someone you don’t know. The message may look something like this:

“John ,

“I hope this message finds you well. I came across your profile and was truly impressed by your background. While I’m not a recruiter, I’m assisting in connecting talented professionals with a startup that is working on a unique initiative.

“Given your experience, I believe you could be a fantastic fit for their senior consultant role. If you’re open to exploring this opportunity, I’d be happy to share more details and introduce you to the team directly. Please let me know if you’re interested!”

Let’s count the red flags in this message, which is one I actually received on May 30 from someone named David Joseph:

The author was truly impressed by my background, but didn’t cite any specifics about my background that impressed them. This exact same message could be sent to a biometric product marketing expert, a nuclear physicist, or a store cashier.
The author is not a recruiter, but a connector who will presumably pass me on to someone else. Why doesn’t the “someone else” contact me directly?
The whole unidentified startup working on a unique initiative story. Yes, some companies operate as stealth firms before revealing their corporate identity. Amway. Prinerica. Countless MLMs with bad reputations. Trust me, these initiatives are not unique.
That senior consultant title. Not junior consultant. Senior consultant. To make that envelope stuffing role even more prestigious.

I got the note and the note is even clearer

But I wasn’t really concerned with the message. I get these messages all the time.

So what concerned me?

The note attached to the message by the platform that hosted the message.

“Don’t know David? Ask David to verify their profile information before responding for added security.”

The platform, if you haven’t already guessed, is LinkedIn, the message a LinkedIn InMail.

Let’s follow the trail.

LinkedIn let “David” use the platform without verifying his identity or verifying that Randstad is truly his employer as his profile states.
LinkedIn sold “David” a bunch of InMail credits so that he could privately share this unique opportunity.
Now LinkedIn wants me to do its dirty work and say, “Hey David, why don’t you verify your profile?”

Now the one thing in LinkedIn’s favor is that LinkedIn—unlike Meta—lets its users verify their profiles for free. Meta charges you for this.

But again, why should I do LinkedIn’s dirty work?

Why doesn’t LinkedIn prevent users from sending InMails unless their profiles are verified?

The answer: LinkedIn makes a ton of money selling InMails to people without verified profiles. And thus makes money off questionable businesspeople and outright scammers.

Instead of locking down the platform and preventing scammers from joining the platform in the first place.

It’s like LinkedIn openly embraces scammers.

And everyone knows it.

Agentic AI NPEs, Ephemeral and Non-Individual

People are people, and why should it be that non-person entities (NPEs) are treated the same? The girl is NOT the robot.

Non-static

In a June 30 LinkedIn post, Eric Olden of Strata caused me to realize that my approach to NPEs is too uniform and needs to be more nuanced.

“Agentic identity isn’t just a new type of NHI. AI agents might functionally fall under the “non-human identity” umbrella—but that label doesn’t really cut it since we’re not talking about static service accounts or API keys.”

In a table published in the original post, Olden semantically defines NHIs as the persistent entities with unchanging privileges. Agentic identities, in Olden’s cosmos, are ephemeral.

But Olden identifies one additional distinction that has nothing to do with lifespan.

“AI agents are digital actors that can reason and make decisions across systems.”

Olden notes that the characteristics of agentic AI offer both power and risk.

Impermanent

ConductorOne shares Olden’s observations on agentic AI:

“Often ephemeral, existing for just seconds or minutes depending on the task.

“Requires role-based or task-specific access, rather than broad or persistent permissions.

“Capable of autonomous decision-making and executing actions in real-time.

“Built to integrate with existing systems and interact securely with other agents.

“Expands the potential for AI solutions by enabling action—not just insight or content.”

Unaccountable

So how do you set up individual accounts for these extremely powerful non-person entities that appear and disappear?

According to Juan Ignacio Torres Durán, you don’t.

“Modern architectures — cloud-native, ephemeral workloads, APIs, containers, robotic processes — don’t fit neatly into the account model. They’re fast, dynamic, and short-lived. They need access right now, based on who or what they are, where they run, and what they do.

“And here’s the shift: We don’t need to create an account for each of them. We just need to recognize the entity, validate it, and project a governed identity that can be used for access decisions.”

So no distinct individuality for NPEs. That’s an interesting…um…world.

(She’s Tidied Up and) I Can’t Find Anything

A wombat holding a phone displaying a digital identity, surrounded by papers with pictures of cars. Two Dolby speakers are in the back of the room.

Are you having trouble finding an asset such as a digital identity or a commercial asset? If you are, there are ways to make things easier to find.

An example from the identity world

Identity Jedi David Lee recently shared his thoughts on “The Hidden Cost of Bad Identity Data (and How to Fix It).” Lee didn’t focus on the biometric data, but instead on the textual data that is associated with a digital identity.

“Let’s say you’re kicking off a new identity program. You know you need user location to drive access policies, governance rules, or onboarding flows. But your authoritative source has location data in five different formats—some say “NY,” others say “New York,” and some list office addresses with zip codes and floor numbers.

“You tell yourself: “We’ll clean it up later.”

“What you’ve really done is commit your future self to a much more expensive project.”

Garbage in, garbage out.

An example from the commerce world

Krassimir Boyanov of KBWEB Consult provides another example of a problem in his post “Why AEM Assets Smart Tagging Makes Your Marketing Work Easier.” Let’s say that you’re managing the images (the “assets”) that display on a company’s online website. You have thousands if not millions of images to manage. How do you find a particular image?

One way to do this is to “tag” each image with descriptive information.

But if you do it wrong, there will be problems.

“Tagging is inconsistent. If 10 people are tagging the items, the tags will probably be inconsistent. While one person tags an item as a “car,” another may tag a similar item as an “automobile.” Although the two assets are similar, this is hidden because of inconsistent tag use.”

Again, garbage in, garbage out.

An organizational solution from the identity world

Lee and Boyanov approach these similar problems from two perspectives.

Lee, as an Identity and Access Management (IAM) expert, approaches this as a business problem and offers the following recommendations (among others):

“Clean early, not late: Push for authoritative sources to normalize and codify the data before it hits the IAM system….

“Push accountability upstream: Don’t accept ownership of fixing problems you don’t control. Instead, elevate the data issue to the right stakeholder (hint: HR, IT, or Legal).”

While Lee can certainly speak to the technologies that can normalize and codify the data, he prefers in this post to concentrate on the organizational issues that cause dirty data, and on how to prevent these issues from reoccurring in the future.

A technological solution from the commerce world

Boyanov can also speak to business and organizational issues as an Adobe Experience Manager consultant who has helped multiple organizations implement the Adobe product. But in this case he concentrates on a technological approach offered by Adobe:

A Taxonomy is a system of organizing tags based on shared characteristics, which are usually hierarchical structured per organizational need. The structure can help finding a tag faster or impose a generalization.
Example: There is a need to subcategorize stock imagery of cars. The taxonomy could look like:

/subject/car/
/subject/car/sportscar
/subject/car/sportscar/porsche
/subject/car/sportscar/ferrari
…
/subject/car/minivan
/subject/car/minivan/mercedes
/subject/car/minivan/volkswagen
…
/subject/car/limousine
…

Once the taxonomy is defined, assets can be tagged (preferably automatically) in accordance with the hierarchy.

Presumably David Lee’s identity world can similarly come up with a method to standardize addresses BEFORE they are added to an IAM system.

As deep as any ocean

Whether you’re dealing with a digital identity or a commercial asset, you need to ensure that you can find this asset in the future. This requires planning beforehand.

And a content creation project also requires planning beforehand, such as asking questions before beginning the project.

If you are an identity/biometric or technology firm that requires content creation, or perhaps proposal or analysis services, Bredemarket can help. After all, content creation is science…and art.

Talk to me: https://bredemarket.com/cpa/

CPA

The “Biometric Digital Identity Deepfake and Synthetic Identity Prism Report” is Coming

As you may have noticed, I have talked about both deepfakes and synthetic identity ad nauseum.

But perhaps you would prefer to hear from someone who knows what they’re talking about.

On a webcast this morning, C. Maxine Most of The Prism Project reminded us that the “Biometric Digital Identity Deepfake and Synthetic Identity Prism Report” is scheduled for publication in May 2025, just a little over a month from now.

As with all other Prism Project publications, I expect a report that details the identity industry’s solutions to battle deepfakes and synthetic identities, and the vendors who provide them.

And the report is coming from one of the few industry researchers who knows the industry. Max doesn’t write synthetic identity reports one week and refrigerator reports the next, if you know what I mean.

At this point The Prism Project is soliciting sponsorships. Quality work doesn’t come for free, you know. If your company is interested in sponsoring the report, visit this link.

While waiting for Max, here are the Five Tops

And while you’re waiting for Max’s authoritative report on deepfakes and synthetic identity, you may want to take a look at Min’s (my) views, such as they are. Here are my current “five tops” posts on deepfakes and synthetic identity.

March 17, 2025, “How Much Does Synthetic Identity Fraud Cost?“
March 11, 2025, “Update: A Little Harder to Create Voice Deepfakes?“
February 24, 2024, “Why Knowledge-Based Authentication Fails at Authentication.”
November 3, 2023, “Kelly Shepherd, #fakefakefake.”
August 15, 2023, “Communicating How Your Firm Fights Synthetic Identities.”

Verifying That Credential

People can claim all sorts of accomplishments, but how do you verify (and authenticate) the truth?

The claimed credential

For those who don’t recall, I did a thing in 2021. Specifically, I achieved APMP® Bid and Proposal Management Foundation 2021 certification.

I even published the link to my certification. Here it is.

https://www.credly .com/badges/f177cbf8-e085-4fae-943a-1e418d86c872

Now if you click on that link, you will see a “Verify” link at the top left.

And if you click on that”Verify,” this is what you get.

So I have verified that I am allowed to call myself John E. Bredehoft, CF APMP. It’s allowed:

In the same manner, those who have achieved one of the APMP certifications can append the appropriate certification. In the case of APMP Foundation certification, that means that I can style myself as “John E. Bredehoft, CF APMP.” (Or “John E. Bredehoft, MBA, CF APMP, RSBC” if I want to be thorough. But I probably won’t, since “RSBC” stands for “Radio Shack Battery Club.”)

But have I REALLY verified that I have achieved this accomplishment? (Not the battery club one, the proposal one. Although it would be good to know whether I really have that MBA educational accomplishment.)

The identity problem

You see, despite how impressive that Credly link is, it doesn’t prove nothing.

Sure, somebody who claimed to be John E. Bredehoft sat down in 2021 and took an online exam.

But was that person truly John E. Bredehoft?

And even if he was, am I the same John E. Bredehoft who received the certification?

Maybe there were fraudsters along the way. Maybe someone else took the test and pretended to be Bredehoft. Or maybe I’m not Bredehoft.

Sure, at one point I whipped out a credit card with Bredehoft’s name on it. But that doesn’t prove identity.

You probably know the things that prove identity. A biometric modality, including the liveness of that modality. A government-issued identity document that matches the biometric. A sensible location (was the test taker in Ontario, California as expected?).

Now perhaps this is overkill for authenticating a proposal writer, but it may not be if you need a certified plumber.

Or a certified lawyer.

Or a certified doctor.

The other problem

But there’s another problem with the whole thing, even if I am who I say I am.

Yes, my September 2021 achievement is verified.

And yes, the record was updated in January 2022.

But…to maintain a CF APMP certification, you need 20 Continuing Education Units (CEUs)/Continuing Professional Development (CPDs) every two years.

And because I truly am me, I know I didn’t meet the CEU/CPD requirement by September 2023. I don’t know how many I did achieve; the APMP was changing its CEU/CPD tracking system in early 2022, and then I joined Incode and theoretically wasn’t writing proposals any more. Theoretically.

So in truth, my shiny badge only represents a dated accomplishment. John E. Bredehoft can no longer use the CF APMP designation.

Unless I add “Emeritus” or something.

And as for those cases in which the certifications and identities truly matter…

Login.gov May Not Be Pining for the Fjords

My question regarding Login.gov’s future may have been answered.

You will recall that the General Service Administration’s 18F organization was unceremoniously shut down over the weekend. Since 18F was the original developer of Login.gov, it was unclear whether the government’s identity service had also fallen victim to the chopping block.

Well, Anthony Kimery of Biometric Update provided a…well, update. According to Thomas Shedd, who heads the GSA’s Technology Transformation Services (the organization in which the former 18F resided), we have nothing to worry about:

“‘“I can assure you that Login.gov’s work carries forward as a critical part of government-wide efforts to promote efficiency and fight fraud,’ Shedd wrote in a Monday email. ‘To that end we are working to accelerate Login’s roadmap. More to come on that soon.’”

So that’s the story as of this week…

How Does Private Sector Firm X Handle Identity Verification?

As I mentioned earlier, I don’t know if Login.gov is affected by the abrupt shutdown of GSA’s 18F. Was 18F still maintaining Login.gov code, or had the Login.gov folks established their own code maintenance, independent of the now-deprecated 18F?

Perhaps we will find out Monday.

But what if 18F were still responsible for Login.gov, which therefore is nearly impossible to update or maintain?

No, Mark Cuban, DOGE will not contract with the ex-18F workers. DOGE doesn’t need them. Look at what they’ve already done with verifying identities.

IDV via SMS

For example, at the private sector company X, you cannot get a paid X Premium subscription unless you have a confirmed phone number. Because everybody knows that confirming identities via an SMS text message is a foolproof method.

Well, maybe not.

“According to information provided by Google, the decision to move away from SMS verification stems from numerous security vulnerabilities associated with text message codes. These include susceptibility to phishing attacks, where users might inadvertently share codes with malicious actors, and dependence on phone carriers’ security practices, which can vary widely in effectiveness.”

IDV via doc plus selfie

Now I’m not being fair to X, because X offers an identity verification procedure using a government issued ID…as a voluntary (not mandatory) service. It uses known third party providers (Au10tix, Persona, and Stripe as of February 2025) for IDV.

“X will provide a voluntary ID verification option for certain X features to increase the overall integrity and trust on our platform. We collect this data when X Premium subscribers optionally choose to apply for an ID verified badge by verifying their identity using a government-issued ID. Once confirmed, a verified label is added to the user’s profile for transparency and potentially unlocking additional benefits associated with specific X features in the future.”

But the public sector needs IDV

Identity verification isn’t mandatory on X because some people plain do not want it. Not because they’re crooks, but because they don’t want to hand their PII over to anyone if they don’t have to.

Of course, the Internal Revenue Service, the Social Security Administration, and many other government agencies HAVE to implement identity verification from Login.gov, ID.me, or some other provider.

When a .gov Becomes an .org

When techies (the ones who developed Login.gov among other things) get fired from their government jobs, a website is sure to follow.

Here is how 18f.org begins:

“For over 11 years, 18F has been proudly serving you to make government technology work better. We are non-partisan civil servants. 18F has worked on hundreds of projects, all designed to make government technology not just efficient but effective, and to save money for American taxpayers.

“However, all employees at 18F – a group that the Trump Administration GSA Technology Transformation Services Director called “the gold standard” of civic tech – were terminated today at midnight ET.”

18F is Not a Female Who Can Vote (An Identity Verification Post)

If you are a government agency who uses Login.gov, or if you are a U.S. citizen who has a Login.gov account, I’m not sure about the future of the service.

Back in November 2023, I wrote a post that included the three letters “18F.” Specifically:

Obviously there are a number of private companies (over 80 last I counted) that provide secure access to information, but Login.gov is provided by the government itself—specifically by the General Services Administration’s Technology Transformation Services. Agencies at the federal, state, and local level can work with the GSA TTS’ “18F” organization to implement solutions such as Login.gov.

Now perhaps I’m, um, biased, but I happen to think that identity verification, whether performed by a public entity, is kinda sorta important.

Which is why I took notice when I saw Brian Krebs’ Saturday night LinkedIn post. Here’s a short excerpt:

This is from the executive director of the 18F, the digital services agency within the General Services Administration (GSA) that develops open-source tools to improve digital services across the federal government.

“I am the Executive Director of 18F and 18F’s longest running employee- I have been at 18F for 10 years. You may not have heard of us, but last night proved that we are powerful. The way the administration ran to get rid of us under the cover of night and shut us down without warning proves that they were scared. They are too afraid to even speak to us.”

Krebs also links to a FedScoop article.

The General Services Administration has eliminated its 18F program, an internal team of tech consultants and engineers that develops open-source tools to improve digital services across the federal government.

The announcement, which came overnight, is the latest in the Trump administration’s ongoing efforts to slash the federal workforce. It was foreshadowed weeks ago when Elon Musk, who’s become a highly influential and controversial voice in the White House, tweeted that the decade-old program had been “deleted.”

At this point I am not sure how this affects future updates to Login.gov. As far as I know the service itself remains operational.

To be continued? Or not continued?

My “Banking Changes” Post Needs an Update

Back in July 2023, I wrote a post about financial remote onboarding which included a section entitled “Three changes in banking over the last fifty years.” The first change I addressed was locational change.

The first crack in the whole idea of “going to the bank” was the ability to bank without entering the door of the bank…and being able to bank on Sunday at midnight if you felt like it. Yes, I’m talking about Automated Teller Machines (ATMs), where the “teller,” instead of being a person, was a bunch of metal and a TV screen.

But when I was recently reading a Bluesky post from mclevin that stated (correctly) that the decline in tellers didn’t start with artificial intelligence, but automated teller machines, it occurred to me that even the once-revolutionary ATM is itself outdated in financial terms.

Think about it.

What are the two most important functions of an ATM?

To deposit paper checks.
To obtain physical cash.

I think you see where this is going.

While the ATM still fulfills these functions today, how often do we receive paper checks? And even if we do, why go to a distant ATM to deposit the check when you can often perform the same function using your mobile phone?

And how often do we use cash to pay for things? Often we use a card…or a mobile phone.