Biometric (and other) authentication CAN be spoofed…but it isn’t easy

A few days ago, Liam Tung of ZDNet wrote an article entitled “Windows 10 security: Here’s how researchers managed to fool Windows Hello.”

Those who read the title of the article may conclude that biometrics is a terrible authentication method because it can be spoofed.

Just a picture of candy. Nothing special. By Jebulon – Own work, CC0, https://commons.wikimedia.org/w/index.php?curid=27753729

Well, until they come to the third paragraph of the article.

The attack is quite elaborate and would require planning, including being able to acquire an infrared (IR) image of the target’s face and building a custom USB device, such as a USB web camera, that will work with Windows Hello. The attack exploits how Windows 10 treats these USB devices and would require the attacker to have gained physical access to the target PC.

Of course, if the target is a really important target such as a world leader, it might be worth it to go to all of that effort to execute the attack.

However, the difficult attack would be much more difficult to execute if the authentication system required multiple biometrics, rather than just one.

And the attack would be even more difficult still if the authentication system employed multiple authentication factors, rather than the single “something you are” factor. If you have to spoof the fingerprint AND the face AND the driver’s license AND the five digit PIN AND the geolocation, and you don’t know in advance WHICH factors will be requested, it’s still possible to gain access, but it’s not easy.

The multiple self interests of AFIS customers and vendors

In a prior post, I spent some time identifying the multiple stakeholders at a city police department (in my example, my hometown of Ontario, California) that is procuring an automated fingerprint identification system.

By Coolcaesar at the English-language Wikipedia, CC BY-SA 3.0, https://commons.wikimedia.org/w/index.php?curid=15739992

If I may recycle what I previously said, here are those stakeholders:

  • The field investigators who run across biometric evidence at the scene of a crime, such as a knife with a fingerprint on it or a video feed showing someone breaking into a liquor store.
  • The examiners who look at crime scene evidence and use it to identify individuals.
  • The people who capture biometrics from arrested individuals at livescan stations.
  • The information technologies (IT) people who are responsible for ensuring that Ontario, California’s biometric data is sent to San Bernardino County, the state of California, perhaps other systems such as the Western Identification Network, and the Federal Bureau of Investigation.
  • The purchasing agent who has to make sure that all of Ontario’s purchases comply with purchasing laws and regulations.
  • The privacy advocate who needs to ensure that the biometric data complies with state and national privacy laws.
  • The mayor (Paul Leon as I write this), who has to deal with angry citizens asking why their catalytic converters are being stolen from their vehicles, and demanding to know what the mayor is doing about it.
  • Probably a dozen other stakeholders that I haven’t talked about yet, but who are influenced by the city’s purchasing decision.

Why is this important? And who are the multiple stakeholders OUTSIDE of the city police department?

Subscribe to get access

Subscribe to Bredemarket Premium to access this premium content.

  • Subscriptions just $5 per month.
  • Minimum 4 posts per month.
  • Access Bredemarket’s expertise without spending hundreds or thousands of dollars.

How livescan fingerprinting enrollment service providers win business

One of the tasks that I used to perform as an employee of IDEMIA was to track the state-by-state status of livescan fingerprinting enrollment services. And I soon discovered that enrollment services differed substantially from IDEMIA’s other major product lines.

This post describes the nuances in livescan fingerprinting enrollment services, the many players that are involved, the livescan technology, and (most importantly) how enrollment service providers win business.

Why enrollment services differ from driver’s license and AFIS services

At IDEMIA, I tracked the company’s presence in three major product lines (and a slew of others). And IDEMIA’s presence in each market differed depending upon the nuances of the markets.

  • For IDEMIA’s driver’s license services, there was only one provider for each state. Let’s face it, you can’t have two agencies issuing state driver’s licenses. (Although I guess this would satisfy someone’s libertarian fantasy.)
  • For IDEMIA’s automated fingerprint identification systems (AFIS), there was only one provider of law enforcement AFIS in each state. However, there were other statewide fingerprinting systems back in the days when fingerprints were used for welfare benefits, and a number of county and city law enforcement agencies had their own AFIS systems.
  • But for IDEMIA’s enrollment services, there could potentially be dozens or hundreds of small businesses that provided the service. All of this depended upon how the state authorized enrollment. In some states, only one private entity could provide enrollment services, while in some other states multiple private entities could do so.

Why we have enrollment services

So what are “enrollment services”? I’ll defer to my former employer IDEMIA and use the description from its IdentoGO website.

IdentoGO by IDEMIA provides a wide range of identity-related services with our primary service being the secure capture and transmission of electronic fingerprints for employment, certification, licensing and other verification purposes – in professional and convenient locations.

Of course IdentoGO isn’t the only “channeler” in town. A number of these small businesses that provide enrollment services are allied with Certifix Livescan, others with Thales (Gemalto), others with Fieldprint, others with Biometrics4All, and others with many other FBI-approved channelers.

And in some cases, you can go to your local police agency and have the police capture your fingerprints for enrollment purposes.

The Ripon (California) Police Department provides LiveScan fingerprinting service to the public. https://riponpd.org/?page_id=1226

The channelers, and the hundreds upon hundreds of local businesses that are supported by them, handle some or all of a variety of fingerprint verification tasks, including (depending upon the individual state or Federal regulations) banking, education, firearm permits, health care, insurance, legal services, real estate, social services, state employment, transportation, and many others.

  • The basic theory is that if you are, for example, applying for a banking position, your fingerprints are searched against the FBI’s fingerprint database to make sure you don’t have a prior fraud conviction.
  • Or if you’re applying for an education position, you weren’t previously convicted of committing a crime at a school or with children.
  • Or if you’re applying for a transportation position, those multiple drunk driving convictions may cause a problem.

You get the idea.

Who are the end enrollment service providers?

So who are these small business owners who offer these livescan fingerprinting enrollment services?

In most cases, enrollment services are an add-on to a small firm’s existing business.

  • Maybe the business is a travel agency, and it offers fingerprinting along with other travel-related services (such as passport photos).
  • Maybe the business is a tax preparation service.
  • Maybe it’s an insurance agency.

So the business buys or leases a desktop livescan station, aligns with one of the major channelers, gets the necessary state approvals (in California, from the Office of the Attorney General), and waits for the applicants to…well, apply.

Livescan fingerprint capture isn’t idiot-proof, but if I can do it, you probably can also

“But wait,” you may say. “Isn’t the capture of fingerprints a specialized process requiring substantial forensic knowledge?”

She’s not a CSI, but she played one on TV. By Source, Fair use, https://en.wikipedia.org/w/index.php?curid=17752707

While you do need to take care to capture fingerprints correctly, livescan systems have dramatically improved in quality, allowing a travel agent or insurance agent to capture high-quality prints.

(I’ll let you in on a little secret: even the law enforcement officers who capture livescan prints from criminals don’t necessarily have years of experience in fingerprint capture.)

As someone who has worked with livescan systems since the mid 1990s, I can attest to the dramatic improvements in livescan technology. I wasn’t around in the early 1990s when Printrak and Digital Biometrics partnered to provide an AFIS-compatible livescan, but I was certainly around when Printrak introduced its own livescan, the LiveScan Station 2000 (LSS 2000), that competed with Digital Biometrics, Identix, and other livescan providers. (Today, former competitors Digital Biometrics, Identix, and Printrak are all part of a single company, IDEMIA.) The LSS 2000 used a Printrak-manufactured capture device attached to a computer running Digital UNIX.

By the time I became a product manager (not for livescans, but for AFIS servers), Motorola introduced two new livescan devices, the LiveScan Station 3000U and the LiveScan Station 3000N. (The “U” stood for Unix, the “N” for the Windows NT family.) The capture device for these two workstations was manufactured by Heimann Biometric Systems, which through a series of subsequent mergers is now part of HID Global.

When you’re an employee of a fingerprinting company, you’re often asked to participate in fingerprint scanner tests. (At least you were in the days before GDPR and CCPA.) So the livescan engineers decided to compare the capture quality of the LSS 2000, the LSS 3000U, and the LSS 3000N. I joined several others in participating in the scanner tests.

But I ran into a problem.

At the time that I participated in this scanner test, I had been working with paper for about two decades, and as a result of this and other things I have very light fingerprints. This isn’t an issue if you’re using a subdermal fingerprint capture system (Lumidigm, one manufacturer of such systems, was also acquired by HID Global), but it’s definitely an issue with the average optical system.

Oh, and did I mention that we were capturing our OWN fingerprints as part of this test? Rather than getting a trainer or someone with law enforcement experience to take our prints, this motley assemblage of marketers and engineers was following the DIY route.

With the result that the fingerprints that I captured on the LSS 2000 were pretty much unusuable.

But the later generation LSS 3000 prints looked a lot better. (I believe that the LSS 3000N prints were the best, which heralded the last hurrah for UNIX workstations in the AFIS world, as Windows computers proved their ability to perform AFIS work.)

And of course time has not stood still since those experiments in the early 2000s. (Although you can still buy a LiveScan 3000N today, for the price of $1.00.)

Today you can buy livescan stations that capture prints at 1000 pixels per inch (ppi), 4 times the resolution of the 500 ppi stations that were prevalent in the 1990s and early 2000s. And frankly, that are still prevalent today; most law enforcement agencies see no need to buy the more expensive 1000 ppi stations, so 500 ppi stations still prevail.

So how does a customer select a livescan fingerprinting enrollment service provider?

So let’s say a customer is applying for a position at a bank or at a school or somewhere else that asks for a fingerprint check. In the state of California, there’s not just one place that you can go to get this service. For example, there are probably a dozen or more enrollment service providers within a few miles of Bredemarket’s corporate headquarters in Ontario.

So how does a customer select a livescan fingerprinting enrollment service provider?

Well, customers do so just like they do with any other business.

IdentoGO Mobile Enrollment RV. https://www.identogo.com/mobile-enrollment-rv
  • Maybe they saw a picture of the IdentoGO RV and that caused “IdentoGO” to stick in their mind when searching for an enrollment service provider.
  • Or maybe they’re driving down a street in the neighborhood and they see a sign that mentions “livescan fingerprinting.”
  • Or maybe they’re on Facebook and see a page that promotes a specific livescan fingerprint enrollment service provider.

The key for the enrollment service provider, of course, is to make sure that your message stays top of customer’s mind when the time comes for the customer to need your service.

  • Your message needs to appear where the customer will see it.
  • Your message has to speak to the customer’s needs.
  • And your message must explain how to obtain the service. Does the customer have to make an appointment? If so, how does the customer make the appointment?

If the customer never sees your message, it’s going to be a lot harder for the customer to use your business. While the California Office of the Attorney General does include a list of all of the authorized livescan fingerprinting providers in California, and all of the various channelers maintain their own lists, neither the Attorney General nor your friendly channeler is going to necessarily direct someone to YOUR business.

You need to let your customers know of your existence, and WHY your service BENEFITS them as opposed to the service down the street.

Bredemarket can help.

If you provide livescan fingerprinting enrollment services and need experienced and knowledgeable help in getting your message out to your customers, contact me:

How 6 CFR 37 (REAL IDs) exhibits…federalism

The United States, like some other countries, reserves some responsibilities to lower subdivisions of the country, in this case the states. This concept is enshrined in the 10th Amendment to the Constitution:

The powers not delegated to the United States by the Constitution, nor prohibited by it to the States, are reserved to the States respectively, or to the people.

The 10th Amendment basically means that unless the Constitution explicitly speaks on a matter, the states can do whatever they want. However, the Federal government still has ways of making the states obey its will.

States are NOT mandated to issue REAL IDs

If you look at the Code of Federal Regulations, Title 6, Volume 1, Chapter I, Part 37 (one online source here), you will see the official laws that govern the issuance of REAL ID Driver’s Licenses and Identification Cards. Part 37 is divided into several subparts:

  • General.
  • Minimum Documentation, Verification, and Card Issuance Requirements.
  • Other Requirements.
  • Security at DMVs and Driver’s License and Identification Card Production Facilities.
  • Procedures for Determining State Compliance.
  • Driver’s Licenses and Identification Cards Issued Under section 202(d)(11) of the REAL ID Act.

A pretty comprehensive list here. But that very first section, “General,” begins with the following:

Subparts A through E of this part apply to States and U.S. territories that choose to issue driver’s licenses and identification cards that can be accepted by Federal agencies for official purposes.

Note the word “choose,” and the phrase “accepted by Federal agencies for official purposes.” In essence, it is incorrect to say that states are MANDATED by law to issue REAL IDs. States have the power to choose NOT to issue REAL IDs, and the Federal government has no Constitutional power to force them to do so.

So many states DIDN’T issue REAL IDs

And for many years, many states of various political persuasions adopted that view. Whether “red” or “blue,” many states held to the belief that REAL ID was an unconscionable imposition on state sovereignty, and that Bush or Obama or Trump didn’t have the power to tell states what to do with their state driver’s licenses.

I ran into this personally in my proposal work. There was a brief period of time in which MorphoTrak was bidding on driver’s license opportunities (thus competing with our sister company MorphoTrust), and I remember reviewing a Request for Proposal (RFP) issued by one of the states. I won’t reveal the state, but the opening section of its RFP made very clear that the state was NOT asking vendors to implement Federal REAL ID regulations, or asking vendors to help the state issue REAL IDs.

So some states declined to participate in REAL ID efforts for years…and years.

And the Federal government couldn’t dictate that states issue REAL IDs.

So the Federal government said that states don’t HAVE to issue REAL IDs, but…

But the Federal government COULD dictate which IDs could be “accepted by Federal agencies for official purposes.”

  • Accepted IDs included passports, Federal government-issued identification cards, various other national IDs…and REAL IDs issued by the states. Other IDs issued by the states were not acceptable.
  • Official purposes included visiting a military base (Federal control, not state control), visiting your Congressperson’s office (Federal control, not state control)…and the big one, entering the secure areas of an airport (again, Federal control, not state control).
Transportation Security Administration Checkpoint at John Glenn Columbus International Airport. By Michael Ball – Own work, CC0, https://commons.wikimedia.org/w/index.php?curid=77279000

So it’s pretty simple. If you want to get on a plane, even for a domestic flight, you have to pay $100 or so to get a passport. Well, unless your state happens to be one of the states that issues REAL IDs.

(Now large states with multiple major cities such as California and Texas could conceivably try to get around this by setting up a whole system of intrastate airports that only flew within the state, but that would be costly.)

Even with this, the REAL ID implementation date has been delayed several times (most recently due to COVID), but as of today, all 50 states and most U.S. territories are finally issuing REAL IDs, including the unnamed state (and others) that refused to even consider issuing REAL IDs a decade ago.

And that, my friends, is how the Federal government gets what it wants.

Even Apple is moving to a service model. Biometric identity vendors are moving also.

Remember when you bought a big old hunk of hardware…and you owned it?

With cloud computing, significant portions of hardware were no longer owned by companies and people, but were instead provided as a service. And the companies moved from getting revenue from selling physical items to getting revenue from selling services.

From Apple Computer to Apple

Apple is one of those companies, as its formal name change from “Apple Computer” signifies.

Then “Apple Computer” circa 1978. From https://www.macrumors.com/2020/03/23/apple-computer-retail-sign/. Fair use.

Yet even as iTunes and “the” App Store become more prominent, Apple still made a mint out of selling new smartphone hardware to users as frequently as possible.

But Apple is making a change later in 2021, and Adrian Kingsley-Hughes noted the significance of that change.

The change?

So, it turns out that come the release of iOS 15 (and iPadOS 15) later this year, users will get a choice.

Quite an important choice.

iPhone users can choose to hit the update button and go down the iOS 15 route, or play it safe and stick with iOS 14.

Why is Apple supporting older hardware?

So Apple is no longer encouraging users to dump their old phones to keep up with new operating systems like the forthcoming iOS 15?

There’s a reason.

By sticking with iOS 14, iPhone users will continue to get security updates, which keeps their devices safe, and Apple gets to keep those users in the ecosystem.

They can continue to buy content and apps and pay for services such as iCloud.

Although Kingsley-Hughes doesn’t explicitly say it, there is a real danger when you force users to abandon your current product and choose another. (Trust me; I know this can happen.)

In Apple’s case, the danger is that the users could instead adopt a SAMSUNG product.

And these days, that not only means that you lose the sale of the hardware, but you also lose the sale of the services.

It’s important for Apple to support old hardware and retain the service revenue, because not only is its services business growing, but services are more profitable than hardware.

In the fiscal year 2019, Apple’s services business posted gross margins of 63.7%, approaching double the 32.2% gross margin of the company’s product sector. 

If current trends continue, Apple’s services (iCloud, Apple Music, AppleCare, Apple Card, Apple TV+, etc.) will continue to become relatively more important to the company.

The biometric identity industry is moving to a service model also

Incidentally, we’re seeing this in other industries, for example as the biometric identity industry also moves from an on-premise model to a software as a service (SaaS) model. One benefit of cloud-based hosting of biometric identity services is that both software and the underlying hardware can be easily upgraded without having to go to a site, deploying a brand new set of hardware, transferring the data from one set of hardware to the other, and hauling away the old hardware. Instead, all of those activities take place at Amazon, Microsoft, or other data centers with little or no on-premise fuss.

(And, as an added benefit, it’s easier for biometric vendors to keep their current customers because obsolescence becomes less of an issue.)

Is your biometric identity company ready to sell SaaS solutions?

But perhaps your company is just beginning to navigate from on-premise to SaaS. I’ve been through that myself, and can contract with you to provide advice and content. I can wear my biometric content marketing expert hat, or my biometric proposal writing expert hat as needed.

The “T” stands for technology. Or something. By Elred at English Wikipedia – Transferred from en.wikipedia to Commons by Moe_Epsilon., Public Domain, https://commons.wikimedia.org/w/index.php?curid=3812206

Obviously this involves more than just saying “we’re cloud-ready.” Customers don’t care if you’re cloud-ready. Customers only care about the benefits that being cloud-ready provides. And I can help communicate those benefits.

If I can help you communicate the benefits of a cloud-ready biometric identity system, contact me (email, phone message, online form, appointment for a content needs assessment, even snail mail).

(Bredemarket Premium) The drawbacks of a FOCI-mitigated subsidiary

Those portions of the U.S. government that deal with critical infrastructure are naturally concerned about foreign encroachment into U.S. Government operations, even from “friendly” nations. Therefore, the U.S. Government takes steps to mitigate the effects of “Foreign Ownership, Control or Influence” (FOCI).

I’ve worked for two companies that needed to undertake FOCI mitigation, and I know of others that have also done this. And while FOCI mitigation offers benefits to the United States, there are also drawbacks of which everyone involved should be aware.

Subscribe to get access

Subscribe to Bredemarket Premium to access this premium content.

  • Subscriptions just $5 per month.
  • Minimum 4 posts per month.
  • Access Bredemarket’s expertise without spending hundreds or thousands of dollars.

The Pandora’s Box of the “passwords are dead” movement

I’ve previously commented on the “passwords are dead” movement, and why I don’t agree that passwords are dead. But I recently realized that the “logic” behind the “passwords are dead” movement could endanger ALL forms of multi-factor authentication.

If I may summarize the argument, the “passwords are dead” movement is based upon the realization that passwords are an imperfect authentication method. People use obvious passwords, people re-use passwords, individuals don’t guard their passwords, and even companies don’t guard the passwords that they store. Because of these flaws, many passwords have been compromised over the years.

From this indisputable fact, the “passwords are dead” advocates have concluded that the best thing to do is to refrain from using passwords entirely, and to use some other authentication method instead (choosing from the five authentication factors).

In my spiral of people connections, the most frequently suggested replacement for passwords is biometrics. As a biometric content marketing expert and a biometric proposal writing expert, I’m certainly familiar with the arguments about the wonderfulness of biometric authentication.

But wait a minute. Isn’t it possible to spoof biometrics? And when a biometric is compromised, you can’t change your finger or your face like you can with a compromised password. And the Internet tells me that biometrics is racist anyway.

So I guess “biometrics are dead” too, using the “passwords are dead” rationale.

And we obviously can’t use secure documents or other “something you have” modalities either, because “something you have” is “something that can be stolen.” And you can’t vet the secure document with biometrics because we already know that biometrics are spoofable and racist and all that.

So I guess “secure documents are dead” too.

Somewhere you are? Yeah, right. There are entire legitimate industries based upon allowing someone to represent that they are in one place when in fact they are in another place.

So I guess “geolocation is dead” too.

You see where this leads.

NO authentication method is perfect.

But just because an authentication method has imperfections doesn’t mean that it should be banned entirely. If you open the Pandora’s Box of declaring imperfect authentication methods “dead,” there will be NO authentication methods left.

Epimetheus opening Pandora’s Box. By Giulio Bonasone – This file was donated to Wikimedia Commons as part of a project by the Metropolitan Museum of Art. See the Image and Data Resources Open Access Policy, CC0, https://commons.wikimedia.org/w/index.php?curid=60859836

And before talking about multi-factor authentication, remember that it isn’t perfect either. With enough effort, a criminal could spoof multiple factors to make it look like someone with a spoofed face and a spoofed driver’s license is physically present at a spoofed location. Of course it takes more effort to spoof multiple factors of authentication…

…which is exactly the point. As security professionals already know, something that is harder to hack is less likely to be hacked.

“I don’t want to say multi-factor is terrible. All things considered, it is generally better than single-factor and we should strive to use it wherever it makes sense and is possible. However, if someone tells you something is unhackable, they’re either lying to you or dumb.”

And heck, be wild and throw a strong password in as ONE of the factors. Even weak passwords of sufficient length can take a long time to crack, provided they haven’t been compromised elsewhere.

Feel free to share the images and interactive found on this page freely. When doing so, please attribute the authors by providing a link back to this page and Better Buys, so your readers can learn more about this project and the related research.

Luckily, my experience extends beyond biometrics to other authentication methods, most notably secure documents and digital identity. And I’m familiar with multi-factor authentication methods that employ…well, multiple factors of authentication in various ways. Including semi-random presentation of authentication factors; if you don’t know which authentication factors will be requested, it’s that much harder to hack the authentication process.

Do you want to know more? Do you need help in communicating the benefits of YOUR authentication mechanism? Contact me.

Shorter and sweeter? The benefits of benefits for identity firms

Repurposing is fun.

Remember the four posts that I wrote earlier this week about communicating benefits to identity customers? Well, I just summarized all four of the posts on a single page on the Bredemarket website, The benefits of benefits for identity firms.

(And now I’m repurposing that page into a single, short blog post.)

The page concludes with a question:

Why is Bredemarket the best choice to help your identity firm communicate its benefits?

  • No identity learning curve.
  • I’ve probably communicated in the format you need.
  • I work with you.
  • I can package my offering to meet your needs.

For the complete page, click here. And if you are an identity firm that needs my services, contact me.

Communicating benefits (not features) to identity customers (Part 4 of 3)

[Link to part 1] | [Link to part 2] | [Link to part 3]

I knew I’d think of something else after I thought this whole post series was complete. But this post will be brief.

Benefit statements are not only affected by the target customers, but are also affected by the “personality” of the company stating the benefits.

As we all know, different companies use different tones of voice in their communications. A benefit statement from Procter & Gamble will read differently than a benefit statement from Apple, for example.

With that in mind, let’s turn to the example that I used in the third post in this series-namely, that the benefit of a one-second response time for computer aided dispatch (CAD) systems is that it keeps people from dying.

Death personified in Punch. By Punch Magazine – Original: Cartoon from Punch Magazine, Volume 35 Page 137; 10 July 1858 This copy: City and Water Blog, Public Domain, https://commons.wikimedia.org/w/index.php?curid=4465060

Not all companies are going to be that blunt about this particular benefit.

To my knowledge, SCC, Printrak, or Motorola have never explicitly talked about avoiding death as a benefit or their computer aided dispatch systems. Perhaps there IS a CAD company that does this, though.

This is why the development of benefit statements is often a collaborative affair, in part to ensure that the benefit statements align with the character of the company issuing them. Imagine the reaction if P&G promoted one of its soap products with a high-tech advertisement loudly proclaiming “PURPLE!” like the recent Apple ad.

Procter & Gamble ads are usually a bit more restrained.

Well, at least they used to be.

To be frank, Procter & Gamble is better at explicitly stating benefits than Apple is. Saving $100 a year on your energy bill is a benefit; purple is not. But Apple is communicating an implicit “Apple owners are cooler than mere mortals” benefit. Cold vs. cool, I guess, as well as an entirely different definition of “identity” that doesn’t rely on individualization. (If thousands of people have purple iPhones, this fact cannot be used to individually identify them.)

So you not only have to know your customer, but you need to know yourself so that you can describe benefits that are important to your customer in a voice that is accurate to your company’s “personality.”

This is why Bredemarket uses an iterative process in developing communications for its clients. If you’re an identity product/service provider that needs help in communicating customer benefits in proposals, case studies, white papers, blog posts, and similar written output, Bredemarket can implement such an iterative process to help you develop that output. Contact me.

Communicating benefits (not features) to identity customers (Part 3 of 3)

[Link to part 1] | [Link to part 2] | [Link to part 4]

NOTE: After publishing the second post in this series, but before publishing this third post, I ran across other people in the identity industry who were asking the “So what?” question, but from a strategic perspective rather than a sales enablement perspective. I discuss this in my personal JEBredCal blog, in this post.

This is a continuation of two previous posts. In the first and second posts in this series, I initially explained the difference between benefits and features, and why you sometimes have to act like an irritating two-year old to convert a feature into a benefit (the “so what?” test). I also explained how benefit statements need to be tailored to particular stakeholders, and how there can be many stakeholders even for a simple procurement.

I promised in the second post that I planned to dive into issues more specific to identity customers, such as when a two hour response time matters, when a one minute response time matters, and when a one second response time matters. Unfortunately, I spent so much time talking about all the stakeholders that I never got around to that particular question.

I promise that I’ll get into it right now.

Two hours vs. one minute vs. one second

You may remember that in the first post, I listed several things that some people thought were benefits, but were actually features. The final three items in that list were the following:

  • This product can complete its processing in less than two hours.
  • This product can complete its processing in less than a minute.
  • This product can complete its processing in less than a second.

These feature statements are very similar, yet at the same time very different. As you might have guessed, these feature statements are associated with three different products that are targeted to different markets.

Two hours: rapid DNA

I already alluded to the first of the three feature statements, two hour response time, in an earlier post in this series. Although I didn’t say so that the time, this is an important feature for the “rapid DNA” systems sold by Thermo Fisher Scientific and ANDE. These systems are used for multiple purposes, including

  • examining crime scene DNA evidence,
  • identifying deceased disaster victims, and
  • checking to see if arrested individuals are wanted for more serious crimes.

The two hour rapid DNA processing time offers different benefits for these different use cases.

  • As I previously stated in my first example of a “so what?” test, the ability to run rapid DNA at booking keeps dangerous criminals from being released by identifying those who are wanted for serious crimes.
  • A two hour processing time for crime scene evidence solves crimes more quickly, and again potentially puts dangerous criminals in jail more quickly.
  • A two hour response for disaster victim identification brings peace of mind to family members whose relatives may have perished in a disaster.

Depending upon the target audience, a rapid DNA vendor must tailor its benefit statements accordingly.

One minute: real time AFIS

Next, I want to look at the one minute response time, which is something that I used to talk about over twenty-five years ago when “real time AFIS” became a reality.

Because of the limitations of early computers, it used to take hours or days to compare the features from a latent fingerprint against the features of fingerprints in a database of known criminals. The old computers, even when souped up with special processing equipment such as hardware matchers and hardware fingerprint processors, took a long time to perform all of the calculations needed to compare a fingerprint’s features against hundreds of thousands of other fingerprint features.

Around the time that I joined Printrak, real time AFIS became a reality, where it became cost-effective and technologically feasible to size systems to deliver those fingerprint matching results in a minute. Today, the FBI’s Repository for Individuals of Special Concern (RISC) advertises that it can identify high-priority criminals within seconds.

At the time (1994), real time AFIS was a big deal, and the proposals that I helped to write emphasized that crimes could be solved more quickly (for latent/crime scene fingerprint searches), and individuals could be identified more quickly (for tenprint/booking searches).

One second: computer aided dispatch

To explain the third feature statement about one second response times, I have to fast forward three years to 1997, when the company then known as Printrak acquired the computer aided dispatch (CAD) and records management systems (RMS) unit of SCC Communications Corp. Printrak acquired other companies that year, but the SCC acquisition ended up being the most important, since it led to Printrak’s acquisition by Motorola.

(Allow me to go off on a tangent for a minute. When Motorola sold the biometric part of the business to Safran, it chose to retain the CAD and RMS portions, which remain part of Motorola Solutions’ portfolio today. One other tidbit: one of the key SCC people who joined Printrak at the time eventually left Motorola, and now works for rapid DNA vendor ANDE. As we Californians would say, it’s a small world after all.)

Now while there are some parallels between CAD and the systems then known as automated FINGERPRINT identification systems (AFIS), there are some key differences in the markets that the two products address. We on the AFIS side learned this the hard way when we introduced ourselves to our new colleagues.

“Hi, SCC folks, welcome to Printrak. You’re joining a company that sells REAL TIME AFIS that delivers results within one minute! Aren’t you impressed?”

A screenshot of computer-aided dispatch as being used by Toronto Fire Services. By Hillelfrei – Own work, CC BY-SA 4.0, https://commons.wikimedia.org/w/index.php?curid=88913432

The ex-SCC people responded, gently disabusing us of our pretensions to speed.

“Hello, new corporate overlords. We provide computer aided dispatch systems that send police, fire, and medical personnel to crime scenes and emergency sites as soon as possible. If our CAD systems took AN ENTIRE MINUTE to dispatch personnel, PEOPLE WOULD DIE. We use really powerful computers to get personnel dispatched in a second. Enjoy your real time AFIS…amateurs.”

So the company Printrak learned that it needed separate benefit statements, depending upon the product line the company was promoting at any given time. The CAD customers received one set of benefit statements, while the AFIS customers received a separate set.

Conclusion (finally)

In short, you have to know your customer so that you can describe benefits that are important to your customer.

And if you’re an identity product/service provider that needs help in communicating customer benefits in proposals, case studies, white papers, blog posts, and similar written output, Bredemarket can help. Contact me.