How Many Authentication Factor Types Are There?


An authentication factor is a discrete method of authenticating yourself. Each factor is a distinct category.

For example, authenticating with fingerprint biometrics and authenticating with facial image biometrics are both the same factor type, because they both involve “something you are.”

But how many factors are there?

Three factors of authentication

There are some people who argue that there are only really three authentication factors:

  • Something you know, such as a password, or a personal identification number (PIN), or your mother’s maiden name.
  • Something you have, such as a driver’s license, passport, or hardware or software token.
  • Something you are, such as the aforementioned fingerprint and facial image, plus others such as iris, voice, vein, DNA, and behavioral biometrics such as gait.

Five factors of authentication, not three

I argue that there are more than three.

  • Something you do, such as super-secret swiping patterns to unlock a device.
  • Somewhere you are, or geolocation.

For some of us, these are the five standard authentication factors. And they can also function for identity verification.

Six factors of authentication, not five

But I’ve postulated that there is one more.

  • Somewhat you why, or a measure of intent and reasonableness.

For example, take a person with a particular password, ID card, biometric, action, and geolocation (the five factors). Sometimes this person may deserve access, sometimes they may not.

  • The person may deserve access if they are an employee and arrive at the location during working hours.
  • That same person may deserve access if they were fired and are returning a company computer. (But wouldn’t their ID card and biometric access have already been revoked if they were fired? Sometimes…sometimes not.)
  • That same person may NOT deserve access if they were fired and they’re heading straight for their former boss’ personal HR file.

Or maybe just five factors of authentication

Now not everyone agrees that this sixth factor of authentication is truly a factor. If “not everyone” means no one, and I’m the only person blabbering about it.

So while I still work on evangelizing the sixth factor, use the partially accepted notion that there are five factors.

There Are Patches to Protect from the PerfektBlue Automotive Vulnerability


Why is the “PerfektBlue” (with a K) automotive vulnerability in the news?

And why are people more likely to read the cyber press alarms that emphasize the vulnerability than the reports that emphasize the fix?

Unlike the cyber press, I will report the fix first.

OpenSynergy 

For example, OpenSynergy, author of the Blue SDK for remote Bluetooth access to automobiles, issued this statement on July 9, 2025:

“OpenSynergy was notified In May 2024 by PCA Cyber Security (formerly PCAutomotive) about a couple of potential vulnerabilities (named PerfektBlue) in Blue SDK. 

“We are pleased to confirm that corrections were applied and fixed the potential vulnerabilities, and relative patches were supplied to our customers in September 2024.”

PCA Cyber Security

Why was OpenSynergy addressing a 2024 vulnerability in 2025? Because the cybersecurity press is just now reporting on the vulnerability…because PCA Cyber Security intentionally refrained from publicizing it.

“[W]e reported all the findings to OpenSynergy in May, 2024. They acknowledged, and rolled out patches to the customers of BlueSDK in September, 2024. It was decided to wait until all of OpenSynergy customers applied the patches before this publication.

“To protect against PerfektBlue, you can update your system or disable the Bluetooth functionality entirely.”

CyberScoop

What can happen if you don’t patch your car? Here is what CyberScoop said:

“Successful exploitation of the infotainment system could theoretically provide attackers with access to GPS tracking, audio recording capabilities, and contact information. Researchers also note that weak network segmentation could potentially allow attackers to access other vehicle systems, though this would depend on additional vulnerabilities and the specific architecture of each vehicle.”

CyberScoop also clarified why the vulnerability wasn’t revealed back in September 2024 when the patches were released:

“[T]he complex nature of automotive supply chains has created challenges in patch distribution. Some original equipment manufacturers had not received the necessary updates as late as June 2025, nearly a year after the initial disclosure. This delay prompted the researchers to proceed with public disclosure while withholding the identity of the fourth manufacturer.”

The three identified manufacturers and systems are Mercedes-Benz’s NTG6 system, Volkswagen’s MEB ICAS3 unit, and Skoda’s MIB3 system.

Mercedes-Benz, Skoda, and Volkswagen

Oddly enough, I can’t find any statements from the three known manufacturers. You would think they would jump in front and say “here’s how to apply the patches”…or better still, “we have already applied the patches.”

But so far I haven’t found any manufacturer statements.

From https://www.vw.com/en.html

A missed opportunity.

Why?

People are more likely to read the cyber press alarms that emphasize the vulnerability than the reports that emphasize the fix.

After all, gotta get those clicks.

Four Time-bound Geolocations = Identity?


(Part of the biometric product marketing expert series)

Some don’t believe that geolocation is a valid factor of identity/verification/authentication.

Some do.

If you ignore what Yves-Alexandre de Montjoye et al. said about the validity of 12 fingerprint minutiae points in their 2013 study (cited in phys.org), their conclusions about cell phone locations deserve consideration.

“By analyzing 15 months of cell phone mobility data from 1.5 million people, researchers have found that only four spatio-temporal points (an individual’s approximate whereabouts at the approximate time when they’re using their cell phone) are all that’s needed to uniquely identify 95% of the individuals.”

Why?

“[T]he researchers’ data shows that just four spatio-temporal points are needed to uniquely identify the mobility trace of an individual. In other words, it’s not likely that someone else will be in the same locations as you are at four different times of day.”

And once you perform multi-factor authentication by combining geolocation with another factor, such as an address or a social media post, privacy disappears.
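
The unicity measurement behind the quoted result, sketched as an added example that is not code from the study or from this post: it builds constructed (synthetic) traces and reports what share of users are singled out by 1 to 4 known points. The dataset sizes, the three-anchor-cell model, and the function names are assumptions.

```python
import random

def make_traces(n_users=2000, n_cells=200, n_hours=168, points_per_user=40, seed=1):
    """Constructed data: each user's (cell, hour) points cluster on 3 anchor cells."""
    rng = random.Random(seed)
    traces = []
    for _ in range(n_users):
        anchors = [rng.randrange(n_cells) for _ in range(3)]  # e.g. home, work, gym
        points = set()
        while len(points) < points_per_user:
            # 80% of sightings at an anchor cell, 20% anywhere
            cell = rng.choice(anchors) if rng.random() < 0.8 else rng.randrange(n_cells)
            points.add((cell, rng.randrange(n_hours)))
        traces.append(frozenset(points))
    return traces

def unicity_curve(traces, max_p, seed=0):
    """For p = 1..max_p, the fraction of users whose trace is the only one
    containing p points drawn at random from it. Assumes len(trace) >= max_p."""
    rng = random.Random(seed)
    index = {}  # point -> ids of every user seen at that point
    for uid, trace in enumerate(traces):
        for point in trace:
            index.setdefault(point, set()).add(uid)
    unique = [0] * max_p
    for uid, trace in enumerate(traces):
        known = sorted(trace)
        rng.shuffle(known)  # the first p entries play the role of the "known" points
        candidates = None
        for p, point in enumerate(known[:max_p]):
            seen_here = index[point]
            candidates = seen_here if candidates is None else candidates & seen_here
            unique[p] += candidates == {uid}
    return [count / len(traces) for count in unique]

if __name__ == "__main__":
    for p, share in enumerate(unicity_curve(make_traces(), max_p=4), start=1):
        print(f"{p} point(s): {share:.1%} of users uniquely identified")
```

A data owner can run the same measurement on a dataset before release and coarsen the cell or time resolution until the curve drops to an acceptable level.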

And now a word from our sponsor.

Xona Space Systems and 3 Inch Geolocation Accuracy

Our existing GPS is good enough (when not jammed) for a person to drop a bomb, but not good enough for a non-person entity (NPE) to be behind the wheel of a large automobile. And you may ask yourself, “Where is that large automobile?”

“The satellite is the first of a planned constellation called Pulsar, which is being developed by California-based Xona Space Systems. The company ultimately plans to have a constellation of 258 satellites in low Earth orbit. Although these satellites will operate much like those used to create GPS, they will orbit about 12,000 miles closer to Earth’s surface, beaming down a much stronger signal that’s more accurate—and harder to jam. 

“Reid and Manning began to think about how to build a space-based PNT [positioning, navigation, and timing] system that would do what GPS does but better, with accuracy of three inches (10 centimeters) or less and ironclad reliability in all sorts of challenging conditions.”

Quote from https://www.technologyreview.com/2025/06/06/1117978/inside-the-race-to-find-gps-alternatives/

Xona Space Systems website: https://www.xonaspace.com/

Deepfakes Slipping Through the Silos


Sometimes common sense isn’t enough to stop deepfake fraud. Marc Ricker of iVALT asserts that a unified response also helps.

“Too often, network teams focus on availability, while security teams chase threats after the fact. That separation creates gaps — gaps that attackers exploit.”

Ricker’s solution:

“iVALT unifies remote access and identity security through:

  • Instant, passwordless biometric authentication
  • AI-resistant technology that stops deepfake and synthetic identity fraud”

iVALT trumpets the use of 5 factors: device ID, biometrics, geolocation, time window, and “app code.” 

  • I was curious which biometric modalities and vendors iVALT supported, so I looked it up. 
  • iVALT appears to use PingOne DaVinci, which orchestrates everything. 
  • The only biometrics specifically mentioned by iVALT are those captured on a mobile phone.
  • But it’s unclear to me whether these are the biometrics captured by the phone’s operating system (for example, TouchID or FaceID on iOS), third party biometrics, or all of the above.

Of course, most people don’t care about the minutiae of supported biometric modalities. 

But some do…because all biometric algorithms do NOT provide the same accuracy or performance.

Evading State Taxes: Non-Person Automotive Entities and Geolocation

When a person is born in the United States, they obtain identifiers such as a name and a Social Security Number.

When a non-person entity is “born,” it gets identifiers also. For automobiles, the two most common ones are a Vehicle Identification Number (VIN) and a license plate number. (There is also title, which I’ve discussed before, but that’s not really an identifier.)

In my country license plates and the associated vehicle registrations, like driver’s licenses, are issued at the state level. Montana, for example, has 2.3 million registered vehicles…which is odd, because the state only has 879,000 licensed drivers.

How can this be? Jalopnik explains:

“All that wealthy car owners have to do is spend around $1,000 to open an LLC in Montana, then use the LLC to purchase a car with no sales tax — and said car is not subject to vehicle inspections or emissions testing.”

That explains things. The Montana LLCs need multiple cars for all their LLC-related travel between Billings, Bozeman, and Butte. That’s a ton of miles on the Montana highways.

Um…no.

“According to Bloomberg, former Montana revenue director Dan Bucks said there are likely more than 600,000 vehicles registered in Montana but operated in other states.”

Like California. Where people don’t want to pay the fees associated with vehicle registration here, so they say their vehicles are Montana vehicles. Only problem is, license plate readers on California freeways can identify the movements of a car with Montana plates. And if that “Montana” car is moving in California, expect a visit from the tax authority.

But it’s not just the money hungry loony liberal Commies in California. Jalopnik reports that the money hungry loony liberal Commies in…um…Utah are mad also.

“This is really an abuse of our tax system,” said Utah tax commissioner John Valentine. “They pay nothing to support our state, just a small fee to Montana for the opportunity to evade taxes in Utah.”

Because in the end it doesn’t matter if you’re blue or red. What matters is the green. And the geolocation.

(2002 Ford Excursion image public domain)

Enrolling in the Amazon One Palm System via Smartphone

I think I’ve already mentioned that the Amazon Fresh in Upland, California is holding its grand opening in about an hour.

So I figured I should pre-investigate what was necessary to enroll in the Amazon One palm vein system once I arrived at the store.

My first discovery was that Amazon One has its own app, separate from the Amazon app. I don’t know how many apps Amazon has, but if Amazon and Meta ever merge (Amameta?), I will need a separate phone just for its apps.

So I downloaded Amazon One, linked it to my Amazon account, and waited for the instructions on how to enroll my palm at an Amazon location…

…only to find that Amazon One wanted to take pictures of both my palms, right there on my smartphone. Just like any contactless fingerprint app.

Enrolled in Amazon One.

So I am now enrolled, and I have confirmed that my local Amazon Fresh accepts Amazon Go.

Um…that is not East Foothill.

However, as even non-locals will realize, this is NOT 235 East Foothill, but WEST Foothill. So much for geolocation. (And the location of the Madonna of the Trail statue is wrong also, but I digress.)

Now let’s see if it all works.

When Beneficial Ownership Diverges From Legal Ownership

I recently discussed some proposed changes to the way in which beneficial ownership information (BOI) is collected. However, even after the changes are made, FinCEN will still collect BOI for foreign firms.

Hungary, facial recognition, and geolocation

Biometric Update recently published a story about facial recognition in Hungary, and its use to identify people who display rainbows and dress in ways “that diverge from the gender they were assigned at birth.” I’m going to zero in on one portion of the story: the facial recognition provider involved.

The company FaceKom has been around under different names since 2010 but has seen significant growth during the past few years thanks to investments from the Central European Opportunity Private Equity Fund (CEOM). The fund has no direct links with [Prime Minister Orbán’s son-in-law, István] Tiborcz. However, it is registered on the same address in Budapest where several companies owned by Orbán’s son-in-law operate.

Ah, geolocation! The Chi Fu Investment Fund Management Zrt.’s address of record is 1051 Budapest, Vörösmarty tér 2.

And do you know what else is at that address?

A Western Union Currency Exchange.

Well, that’s enough to drive some conspiracy theorists crazy.

Beneficial ownership and legal ownership

So I didn’t find the smoking gun, but I do want to take this opportunity to point out what BENEFICIAL ownership is. Investopedia:

A beneficial owner is a person who enjoys the benefits of ownership even though the title to some form of property is in another name.

Using the Hungarian example (without the Western Union part), it’s not enough to say that CEOM and/or Chi Fu Investment Fund Management Zrt. (I don’t know enough Hungarian to confirm they are one and the same) does not list István Tiborcz (or Viktor Orbán) as an official owner or co-owner.

As Unit21 points out, you don’t have to literally own (either on your own or through a trust) 25% of an entity to be a beneficial owner. Here’s another criterion of a beneficial owner:

Any individual that holds a significant ability to control, manage, or direct the legal entity

De facto control without de jure control could very well be wielded by a powerful politician, or his son-in-law.


FinCEN, Cartels, and Geolocation

Who says that geolocation isn’t a critical factor for persons and non-person entities alike?

ComplyAdvantage alerted me to a Geographic Targeting Order from FinCEN.

“The GTO requires all money services businesses (MSBs) located in 30 ZIP codes across California and Texas near the southwest border to file Currency Transaction Reports (CTRs) with FinCEN at a $200 threshold, in connection with cash transactions.”

Of course, the targeted “cartels, drug traffickers, and other criminal actors along the Southwest border” can easily evade the reporting requirements by going a little north, east, or west. After all, there are more than 40,000 ZIP codes….

Delivery Packages and Geolocation in Residential Neighborhoods

Today’s musings concern delivery packages and geolocation, and may be pertinent if you receive a residential delivery this month. You know, maybe a present or something.

Let’s say you receive a package at your house, the delivery driver takes a picture of your package on your porch as proof of delivery…and the package is subsequently stolen by a porch pirate before you get it.

“Hey, you’re out of luck,” the company may say. “The package was delivered.”

How long will it be until security professionals advise you to NEVER EVER EVER HAVE RETAILERS DELIVER PACKAGES TO YOUR HOME? Use a locker or a staffed business address, but treat residential delivery as EVIL…just like public wi-fi.

Or perhaps expensive packages could be equipped with geotagging…like your luggage. I know that delivery companies hate geolocation as much as airlines do…but it’s a thought.

(Thanks to the anonymous victim of a porch pirate who inspired this. AI-generated image by Google Gemini.)