Is Your Identity/Biometric Firm Too Busy Putting Out Fires to Install a Sprinkler System?

It’s the classic case of paralysis by overwhelmedness. (Not officially a word, but bear with me here.)

Your identity/biometric firm needs experienced product marketing contract help because you are drowning in work. But because you’re drowning in work you can’t take the time to set up that contract.

Bredemarket can help you contract with Bredemarket.

Now there are certain things that Bredemarket can’t do. Well, Bredemarket could do them, but you (understandably) won’t let me.

  • I can’t create my own contract with you. Actually I can, and I have with some clients, but your company probably requires that I use your contract, which I don’t have.
  • I can’t enroll myself as a vendor in your purchasing system. Trust me, that would be dangerous. Hmm…net 5 terms at $1,000 per hour?
  • I can’t onboard myself into your other internal systems. If I could, that would be a major security flaw.

But there are things that I can do to make your life easier when you onboard Bredemarket as a contractor/vendor…especially if you are an identity/biometric firm.

  • You don’t have to explain to me what a bifurcation or a ridge ending is. I’ve been working with fingerprints since 1994 and know these things.
  • You don’t have to teach me how to spell NIST. While the 1985 interchange standard was before my time, I’m familiar with every ANSI/NIST standard from 1993 to the present day.
  • You don’t have to explain to me what a “factor” and a “modality” are. Heck, I wrote the book on factors and modalities.
  • You don’t have to create a briefing book. Just let me ask the questions and we’ll figure out the scope together.

So I can meet you partway. Then we’ll realize our mutual goal of making your products prominent and making the competitive products look weak.

So let’s talk and move the process forward.

Oh, and the title of this post was suggested by Google Gemini. AI is only a tool, but sometimes it’s a very effective tool. Sometimes.

In-person mDL Acceptance is Weak. Online Acceptance is Weaker.

Perhaps it’s different in Louisiana where the mDL is long established and supported, but in California the only place where I’ve used my mDL is at a TSA checkpoint. And last Friday I couldn’t even do that because the reader was down.

But at least mDLs are available to a large number of people. deepidv provides this good news…and the bad news.

“As of mid-January 2026, the American Association of Motor Vehicle Administrators tracks 21 US states plus Puerto Rico issuing ISO/IEC 18013-5 compliant mobile driver’s licenses. That includes California, New York, Virginia, Arizona, and most of the largest population states. Industry analysis puts the figure at roughly 41 percent of Americans now living in a state with an active mDL program, and 76 percent in a state where the program is live or in development.”

So at least many of us can get mDLs. But as I noted, it’s a challenge to use them in-person, despite a standard outlining how it can be used.

“ISO/IEC 18013-5 covers proximity presentation. The mDL holder shows the credential to a verifier device that is physically nearby, typically over Bluetooth Low Energy or NFC. That works for airport security, in-person retail age checks, and traffic stops.”


But it’s a greater challenge to use mDLs online.

“It does not work for online onboarding because there is no proximity. For online flows, the standard is ISO/IEC TS 18013-7, published in 2025, which defines remote and online presentation. Adoption of Part 7 is, in the words of the people building these systems, “limited and inconsistent.””


This is where the benefit of decentralized identity falls apart. In a decentralized identity system, the user controls where the identity is stored. (I have two California mDLs on my phone, because decentralized is very decentralized.)

deepidv has concerns with this:

“Device-side verification means the cryptographic check that establishes whether the credential is authentic happens in an environment the relying party does not control. A rooted phone, a compromised app, a tampered SDK, a man-in-the-middle on the verification flow, all of these break the trust model. The relying party is being asked to trust a yes-no answer it cannot independently verify.”

deepidv describes server-side verification, as well as other issues with mDL adoption, in its LinkedIn article.

Though not referenced by name, deepidv cites Regula’s support of server-side processing:

“Malware, rooted phones, tampered apps: User devices such as smartphones can pose risks to identity verification, as these environments are difficult to control against fraud.

“Regula says it has a solution. The identity verification firm has introduced server-side reprocessing of mobile driver’s license (mDL) data in its document reader software, Regula Document Reader SDK. The capability means that mDL data is processed on the backend in a controlled, trusted environment rather than relying solely on user devices, which also helps preserve the integrity of the identity signal across the verification flow. Data captured on the user’s device is revalidated through a PKI check and signature verification on the server.”

But will the decentralized identity people insist that server-side verification is evil? And how will the decentralized proponents convince others that a decentralized identity is really really secure?
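A minimal sketch of the server-side revalidation described above, added here as an illustration; it is not Regula's or deepidv's code. The field names, the JSON encoding and the runtime-generated textbook-RSA key are assumptions standing in for the real CBOR/COSE structures, ECDSA signatures and issuer certificate chain. The backend repeats the signature, validity and digest checks against a pinned issuer key and never reads the device's own verdict.

```python
import copy, hashlib, json, secrets

# Toy textbook-RSA key, generated at runtime. ASSUMPTION: it stands in for the
# issuer's real ECDSA signature and certificate chain. Not for production use.
def _is_prime(n, rounds=20):
    if n < 4 or n % 2 == 0:
        return n in (2, 3)
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):                       # Miller-Rabin rounds
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def _prime(bits):
    while True:
        p = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if _is_prime(p):
            return p

def toy_keypair(bits=512):
    e = 65537
    while True:
        p, q = _prime(bits // 2), _prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:
            return (p * q, e), (p * q, pow(e, -1, phi))   # (public, private)

def _h(data):
    return int.from_bytes(hashlib.sha256(data).digest(), "big")

def sign(priv, data):
    return pow(_h(data), priv[1], priv[0])

def verify(pub, data, sig):
    return pow(sig, pub[1], pub[0]) == _h(data)

def item_digest(item):
    # Covers salt, name and value, so an edited value no longer matches.
    return hashlib.sha256(json.dumps(item, sort_keys=True).encode()).hexdigest()

def issue(priv, attributes, valid_from, valid_until):
    """Issuer side: salted digest per attribute, then sign the digest list."""
    items = [{"name": k, "value": v, "salt": secrets.token_hex(16)}
             for k, v in attributes.items()]
    mso = json.dumps({"digests": {i["name"]: item_digest(i) for i in items},
                      "valid_from": valid_from, "valid_until": valid_until},
                     sort_keys=True)
    return {"items": items, "mso": mso, "signature": sign(priv, mso.encode())}

def server_revalidate(presentation, pinned_issuer_pub, today):
    """Backend check. The device's own verdict is deliberately never read."""
    mso_bytes = presentation["mso"].encode()
    if not verify(pinned_issuer_pub, mso_bytes, presentation["signature"]):
        return False, "issuer signature invalid"
    mso = json.loads(mso_bytes)
    if not mso["valid_from"] <= today <= mso["valid_until"]:
        return False, "outside validity period"
    for item in presentation["items"]:
        if mso["digests"].get(item["name"]) != item_digest(item):
            return False, "digest mismatch: " + item["name"]
    return True, "ok"

def demo():
    issuer_pub, issuer_priv = toy_keypair()       # public half is pinned server-side
    good = issue(issuer_priv, {"family_name": "SAMPLE", "age_over_21": False},
                 "2026-01-01", "2027-01-01")      # constructed credential
    good["device_says_verified"] = True
    edited = copy.deepcopy(good)                  # value changed on the device
    edited["items"][1]["value"] = True
    stretched = copy.deepcopy(good)               # signed validity window altered
    stretched["mso"] = good["mso"].replace("2027-01-01", "2099-01-01")
    cases = {"good": good, "edited": edited, "stretched": stretched}
    return {k: server_revalidate(v, issuer_pub, "2026-04-15") for k, v in cases.items()}
```

Calling `demo()` returns one verdict per constructed presentation. Device authentication (the holder's key signing the session) is a separate check that this sketch does not cover.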

If your company has a decentralized or centralized solution and you need to communicate its benefits to prospects, Bredemarket can work with you.

Why Does California Support Two Separate Digital Wallets For Its Mobile Driver’s License?

This morning I was attending a NIST webinar on mobile driver’s license use at financial institutions, and began looking at the services I could access in April 2026 with my California mobile driver’s license—financial and otherwise.

Of course I already knew that I could use my California mDL at the Transportation Security Administration checkpoint at Ontario International Airport. In fact, the mDL in my Apple Wallet (obtained in 2024) recorded the fact that I used my mDL at the airport on August 31, 2025.


But today I learned that some services are NOT available with the mDL in my Apple Wallet, but ONLY while using the “CA DMV Wallet” app.

So I downloaded the app, which I last used in my initial unsuccessful attempt to obtain an mDL. (I finally used Apple’s facility to get one.) I assumed that since I already had my mDL in my Apple Wallet, it would automatically show up in the app.

You know what happens when you assume. My buddy Google Gemini pointed it out to me.

“It’s a common point of confusion, but the Apple Wallet and the CA DMV Wallet app are actually two separate “containers” for your digital ID. Because California uses a secure, decentralized system, your mDL doesn’t automatically sync between them. Even if it’s already in your Apple Wallet, you have to go through a separate enrollment process to “provision” it into the DMV’s official app.”

Which meant that I had to enroll again and get another decentralized mDL, which I did. (After some difficulty; it took four separate attempts to capture my facial image, which was only successful when I went into a very dark room.)

Now that my mDL is in this second wallet, I could go ahead and enroll in the TruAge program for age verification at a private retailer.


As I type this, TruAge hasn’t processed my application.

And now for a word from our sponsor

Mobile driver’s licenses are a digital form of “something you have,” which is a factor of identity verification and authentication.

Would you like to learn about all six of the identity verification and authentication factors? (Not three. Not five.)

Learn more about the six identity factors.

Six identity factors. One Bredemarket ebook. Total identity protection. Purchase “Proving Humanity: The Six Factors of Identity Verification and Authentication.”

Four pages from “Proving Humanity: The Six Factors of Identity Verification and Authentication” by John E. Bredehoft, Bredemarket.

Jurisdictional Privacy and Consent

Where are you?

Who are you?

The answers to these questions affect if or how you obtain consent to use one’s personally identifiable information, or PII.

Privacy regulations can change when you cross country or even city lines, and they can also change depending on who you are: an individual, a business, or a government agency.

How?

  • On the other extreme, some entities in some jurisdictions must obtain express written consent. If I am a homeowner in Schaumburg, Illinois, and I use a doorbell camera to identify friends or foes approaching my door, the Biometric Information Privacy Act (BIPA) prohibits me from capturing their biometrics without their consent, and lets them sue me if I do it anyway.

Before you collect PII, check the laws in your jurisdiction first.

Oh, and check the laws in other jurisdictions in case they try to enforce their laws in your jurisdiction.

By the way: if you’re a software or hardware vendor, don’t assume that you bear no responsibility and that only your customer does.

You must educate your customers.

And Bredemarket can help you with my content-proposal-analysis services.

CPA.

(Told you I’d bring this landing page back.)

Three Ways in Which My Identity/Biometric Experience Exhibits My “Bias”

Yeah, I’m still focused on that statement:

“I think too much knowledge is actually bad in tech: you’re biased.”

Why does this quote affect me so deeply? Because with my 30-plus years of identity/biometric experience, I obviously have too much knowledge of the industry, which is obviously bad. After all, all a biometric company needs is a salesperson, an engineer, an African data labeler, and someone to run the generative AI for everything else. The company doesn’t need someone who knows that Printrak isn’t spelled with a C.


In this post I will share three of the “biases” I have developed in my 30-plus years in identity and biometrics, and how to correct these biases by stripping away that 20th century experience and applying novel thinking.

And if that last paragraph made you throw up in your mouth…read to the end of the post.

But first, let’s briefly explore these three biases that I shamefully hold due to my status as a biometric product marketing expert:

  1. Independent algorithmic confirmation is valuable.
  2. Process is valuable.
  3. Artificial intelligence is merely a tool.

Bias 1: Independent Algorithmic Confirmation is Valuable

Biometric products need algorithms to encode and match the biometric samples, and ideally to detect presentation and injection attacks.

But how do prospects know that these algorithms work? How accurate are they? How fast are they? How secure are they?

My bias

My brain, embedded with over 30 years of bias, gravitates to the idea that vendors should submit their algorithms for independent testing and confirmation.

From a NIST facial recognition demographic bias text.

This could be an accuracy test such as the ones NIST and DHS administer, or confirmation of presentation attack detection capabilities (as BixeLab, iBeta, and other organizations perform), or confirmation of injection attack detection capabilities.

Novel thinking

But you’re smarter than that and refuse to support the testing-industrial complex. They have their explicit or implicit agendas and want to force the biometric vendors to do well on the tests. For example, the U.S. Federal Bureau of Investigation’s “Appendix F” fingerprint capture quality standard specifically EXCLUDES contactless solutions, forcing everyone down the same contact path.

But you and your novel thinking reject these unnecessary impediments. You’re not going to constrain yourself by the assertions of others. You are going to assert your own benefits. Develop and administer your own tests. Share with your prospects how wonderful you are without going through an intermediary. That will prove your superiority…right?

Bias 2: Process is Valuable

A biometric company has to perform a variety of tasks. Raise funding. Hire people. Develop, market, propose, sell, and implement products. Throw parties.

How will the company do all these things?

My bias

My brain, encumbered by my experience (including a decade at Motorola), persists in a belief that process is the answer. The process can be as simple as scribblings on a cocktail napkin, but you need some process if you want to cash out in a glorious exit—I mean, deliver superior products to your customers.

Perhaps you need a development process that defines, among other things, how long a sprint should be. A capture and proposal process (Shipley or simpler) that defines, among other things, who has the authority to approve a $10 million proposal. A go-to-market process that defines the deliverables for different tiers, and who is responsible, accountable, consulted, and informed. Or maybe just an onboarding process when starting a new project, dictating the questions you need to ask at the beginning.

Bredemarket’s seven questions. I ask, then I act.

Novel thinking

Sure, all that process is fine…if you don’t want to do anything. Do you really want to force your people to wait two weeks for the latest product iteration? Impose a multinational bureaucracy on your sales process? Go through an onerous checklist before marketing a product?


Just code it.

Just sell it.

Just write it.

Bias 3: Artificial Intelligence is Merely a Tool

The problem with experienced people is that they think that there is nothing new under the sun.

You talk about cloud computing, and they yawn, “Sounds like time sharing.” You talk about quantum computing, and they yawn, “Sounds like the Pentium.” You talk about blockchain, and they yawn, “Sounds like a notary public.”

My bias

As I sip my Pepperidge Farm, I can barely conceal my revulsion at those who think “we use AI” is a world-dominating marketing message. Artificial intelligence is not a way of life. It is a tool. A tool that in and of itself does not merit much of a mention.


How many automobile manufacturers proclaim “we use tires” as part of their marketing messaging? Tires are essential to an automobile’s performance, but since everyone has them, they’re not a differentiator and not worthy of mention.

In the same way, everyone has AI…so why talk about its mere presence? Talk about the benefits your implementation provides and how these benefits differentiate you from your competitors.

Novel thinking

Yep, the grandpas that declare “AI is only a tool” are missing the significance entirely. AI is not like a Pentium chip. It is a transformational technology that is already changing the way we create, sell, and market.

Therefore it is critically important to highlight your product’s AI use. AI isn’t a “so what” feature, but an indication of revolutionary transformative technology. You suppress mention of AI at your own peril.

How do I overcome my biases of experience?

OK, so I’ve identified the outmoded thinking that results from too much experience. But how do I overcome it?

I don’t.

Because if you haven’t already detected it, I believe that experience IS valuable, and that all three items above are essential and shouldn’t be jettisoned for the new, novel, and kewl.

  • Are you an identity/biometric marketing leader who needs to tell your prospects that your algorithms are validated by reputable independent bodies?
  • Or that you have a process (simple or not) that governs how your customers receive your products?
  • Or that your AI actually does unique things that your competitors don’t, providing true benefits to your customers?

Bredemarket can help with strategy, analysis, content, and/or proposals for your identity/biometric firm. Talk to me (for free).

By the way, here’s MY process (and my services and pricing).

Bredemarket: Services, Process, and Pricing.

Deepfake Recruiters and Invisible Recruiters

Why do scammers target anti-fraud experts? Because sometimes we’re dumb too.

But in this case I didn’t fall for the two deepfake recruiters who emailed me yesterday.

However, I have some concerns about the REAL recruiters that the fraudsters were impersonating.

Deepfake recruiter 1, the Senior Vice President

The first fraudster emailed me early Tuesday morning California time:

Hi John,

I hope you’re doing well. My name is Ethan [REDACTED LAST NAME SPELLED WITH AN “E”], Senior Vice President at Aerotek, a national staffing and recruiting firm.

I’m reaching out regarding a confidential, retained search for a Senior Product Marketing Leader with a real, actively operating company in the identity verification and biometrics space. Your background in product marketing, go-to-market strategy, and competitive intelligence across identity technology firms stood out strongly during our shortlist review.

This role is ideal for leaders who drive product launches, shape competitive positioning, and accelerate growth in B2B/B2G SaaS environments.

If this aligns with what you’re exploring, I’d be happy to share the full role brief.

Best regard 
Ethan [REDACTED LAST NAME SPELLED WITH AN “A”]

When a Senior Vice President can’t spell his own last name consistently, that’s a warning flag.

When said Senior Vice President emails me from ethan.aerotek.desk2@gmail.com, that’s another.

Finding the real recruiter

So because I am a Know Your Recruiter practitioner (Adriana Linda, Kristen the guy, Amanda the guy, Randstad and Indeed people), I looked up Ethan on LinkedIn.

Turns out Ethan is a U.S. based person employed by Aerotek, with the same picture used in the Gmail account (which I guess qualifies this as a “deepfake”), but he is a Recruiter, not a Senior Vice President.

So I messaged the real Ethan on LinkedIn early Tuesday morning, reproducing the email message above and prepending it with:

Ethan, I received this from a Gmail address

Replying to the fake recruiter

Then I responded to the email from the fake Ethan:

Ethan, I have contacted you via LinkedIn. Please provide your Aerotek email address. Your client will understand.

My final comment probably went over the fake Ethan’s head, but any identity verification company would clearly understand why a candidate would insist on an Aerotek address rather than a Gmail address. Except in certain circumstances that I’ll address later.

And of course Aerotek would be very concerned about fraudsters impersonating real Aerotek employees…or so you’d think.

Back to the fake, who responded a few minutes later. Oddly enough, even though Ethan is U.S.-based, this email indicated that my reply was received in a time zone eight hours ahead of the Pacific Time Zone. Anyway, here’s the fake Ethan’s non-surprising response.

Thank you for reaching out. I’ve been experiencing some technical issues with LinkedIn this week, so I appreciate you continuing the conversation here.

This is the usual tactic employed by scammers. Stay off reputable platforms such as LinkedIn and move the conversation to another platform, in this case email. At least fake Ethan didn’t direct me to WhatsApp or Telegram.

As of Wednesday morning I left both conversations there. I didn’t reply to the fake Ethan’s latest email, and the real Ethan didn’t reply to my message.

And that’s a problem.

Concerns about the real recruiter

As I mentioned earlier, Aerotek obviously doesn’t want fraudsters impersonating their employees. And Aerotek employees certainly don’t want fraudsters impersonating them and lifting their facial images for fake Gmail accounts.

But the real Ethan apparently hasn’t checked his LinkedIn account in over 24 hours, and is completely unaware that a fraudster is impersonating him.

Causing damage to him and his employer.

If you’re a recruiter (or any professional) and you have a LinkedIn account, check it regularly. You don’t know what you’re missing.

But let’s move on to deepfake 2: technically not a deepfake since the fraudster only appropriated a name and not a likeness, but worrisome all the same.

Deepfake recruiter 2, the independent and invisible recruiter

The second fraudster emailed me late in the afternoon California time.

Hello John,

I hope you’re doing well.

I recently came across your background in B2B/B2G SaaS product marketing, particularly your work across identity, biometrics, and broader technology markets. Your experience driving product launches, developing go-to-market strategy, and building high-impact content and competitive intelligence frameworks really stood out.

I’m currently supporting a respected technology organization operating at the intersection of SaaS, cybersecurity, and identity, and your ability to bridge complex technical solutions with clear market positioning aligns closely with what they’re looking for.

Given your track record of both strategic thinking and execution (“ask, then act” definitely came through), I believe you could be a strong fit for this opportunity.

If you’re open to exploring, I’d be happy to share a brief overview of the role and why I feel it aligns well with your background.

Looking forward to hearing your thoughts.

Again this person emailed me from a Gmail address, consisting of the person’s name with an appended “8.”

Finding the real recruiter

So I checked out this person also, and discovered a few things.

  • This is also a real person, based in Europe. So she supposedly sent this email after midnight her time.
  • The real recruiter DOES have a Gmail address, but without the “8.” Why? Because the person is NOT employed by a huge recruiting firm such as Aerotek, but is a self-employed recruiting specialist. So it’s understandable that the real recruiter has a Gmail address. But as we will see, not advisable.
  • Her company name is her name with the word “Consulting” appended, according to her personal LinkedIn profile.

So I messaged the real recruiter with the message “Possible scam artist” and the email address (with the “8”) that sent the message.

Replying, and not replying, to the fake recruiter

About an hour later (now well after midnight European time), I received a second email from the fake recruiter that didn’t reference my reply to the first one.

Hello John,

I hope you’re doing well.

I recently came across your background in B2B/B2G SaaS product marketing, and your work across identity, biometrics, and go-to-market strategy really stood out—particularly your experience positioning complex technologies like IAM, biometrics, and AI-driven solutions.

Your track record in product launches, competitive intelligence, and building high-impact content at scale aligns closely with what we’re currently prioritizing.

I’m supporting a respected technology organization that is expanding its product marketing leadership team, and based on your experience, you could be a strong fit—especially given your depth across both public sector (B2G) and commercial (B2B) environments.

If you’re open to exploring, I’d be happy to share a brief overview of the role and why I believe it aligns well with your background.

Looking forward to hearing your thoughts.

I didn’t bother to reply to the second email from the fake recruiter, or to notify the real recruiter of the second email.

Eventually I received a reply to my first email early Wednesday morning…oddly enough, indicating that the fake was in the Pacific Time Zone, not Europe. (Note to scammers: change your computer and software settings so that your time zone matches the time zone of the person you’re impersonating.)

Here’s how the reply began:

Thank you for your message here—and I did see your note on LinkedIn as well. Apologies for the slight delay in getting back to you, I was tied up attending to a few things earlier.

Yeah, sure you saw my LinkedIn InMail.

Anyway, forget about the scammer. Let’s look at the real recruiter.

Concerns about the real recruiter

As I mentioned, the real recruiter has a personal LinkedIn profile and a Gmail address.

And that’s it.

  • I couldn’t find a LinkedIn company page for her consulting company.
  • I couldn’t find a website for her consulting company.
  • In fact, the ONLY reference I found to her consulting company was her personal LinkedIn page.

And that’s a problem.

The fact that she has no LinkedIn posts and no LinkedIn recommendations is another.

Now I’ll grant that many consultants get their business from word-of-mouth. Bredemarket certainly does.

But the only publicly-known way to contact THIS consultant is via email or LinkedIn InMail.

And as of now she hasn’t checked her InMail in over 12 hours.

What if she were to lose access to her LinkedIn account?

If you’re an independent recruiting consultant, own your own website, and don’t depend upon someone else’s social platform.

That’s one reason why Bredemarket offers several ways to reach me, most importantly the contact mechanisms available on my own website, free of the control of Microsoft, Meta, or any other company that could yank my access at the drop of a hat.

But there are others.

Bredemarket’s active platforms as of March 29, 2026.

So if you have content or other needs…such as the need to create content to publicize your recruiting consultancy…why don’t you talk to me?

Returning to Lattice Identity

The last time I delved into lattices, it was in connection with the NIST FIPS 204 Module-Lattice-Based Digital Signature Standard. To understand why the standard is lattice-based, I turned to NordVPN:

“A lattice is a hierarchical structure that consists of levels, each representing a set of access rights. The levels are ordered based on the level of access they grant, from more restrictive to more permissive.”

In essence, the lattice structure allows more elaborate access rights.

This article (“Lattice-Based Identity and Access Management for AI Agents”) discusses lattices more. Well, not explicitly; the word “lattice” only appears in the title. But here is the article’s main point:

“We are finally moving away from those clunky, “if-this-then-that” systems. The shift to deep learning means agents can actually reason through a mess instead of just crashing when a customer uses a slang word or a shipping invoice is slightly blurry.”

It then says

“Deep learning changes this because it uses neural networks to understand intent, not just keywords.”

Hmm…intent? Sounds a little somewhat you why…or maybe it’s just me.

But it appears that we sometimes don’t care about the intent of AI agents.

“If you gave a new employee the keys to your entire office and every filing cabinet on day one, you’d be sweating, right? Yet, that is exactly what many companies do with ai agents by just slapping an api key on them and hoping for the best.”

This is not recommended. See my prior post on attribute-based access control, which led me to focus more on non-person entities (non-human identities).

As should we all.

If Your Phone Has IMEI 440015202000…

When I posted (two times) the fact that International Mobile Equipment Identity (IMEI) numbers are NOT a reliable way to ascertain the identity of a user, I was pooh-poohed.

Tell that to the people of Bangladesh.

In that country, the National Equipment Identity Register (NEIR) went live on January 1, and it uncovered some surprising findings.

Turns out that tens of millions of phones in Bangladesh share their IMEIs with other phones. A single example:

“According to data generated after NEIR went live on January 1, a single IMEI, 440015202000, was found to be linked to 1,949,088 devices nationwide.”

So will you now admit that an IMEI is not a reliable way to identify an individual phone?
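A registry-side check along the lines of what NEIR surfaced, added here as an illustration and not taken from NEIR or the original post: it validates IMEI structure (15 digits ending in a Luhn check digit) and flags IMEIs bound to many subscribers. The records, subscriber IDs and the threshold of 3 are constructed assumptions; the IMEI as quoted on this page has 12 digits, so it fails the structural check before sharing is even counted.

```python
from collections import defaultdict

def luhn_ok(digits):
    """Luhn checksum over the full number, check digit included."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0

def imei_problem(imei):
    """Return a reason the IMEI is structurally unusable, or None if it passes."""
    if not imei.isdigit():
        return "non-numeric"
    if len(imei) != 15:
        return "length %d, expected 15" % len(imei)
    if len(set(imei)) == 1:     # e.g. all zeros; passes Luhn but is a filler value
        return "placeholder (single repeated digit)"
    if not luhn_ok(imei):
        return "Luhn check digit mismatch"
    return None

def analyze(records, max_subscribers=3):
    """Group (imei, subscriber) records and list findings per suspicious IMEI.

    max_subscribers is an assumed threshold; a real registry would tune it.
    """
    subscribers = defaultdict(set)
    for imei, subscriber in records:
        subscribers[imei].add(subscriber)
    report = {}
    for imei, subs in subscribers.items():
        findings = []
        problem = imei_problem(imei)
        if problem:
            findings.append(problem)
        if len(subs) > max_subscribers:
            findings.append("shared by %d subscribers" % len(subs))
        if findings:
            report[imei] = findings
    return report

# Constructed sample registrations. Only 440015202000 comes from the page;
# 490154203237518 is a commonly used documentation example of a valid IMEI.
RECORDS = [
    ("490154203237518", "sub-001"),
    ("490154203237518", "sub-001"),
    ("440015202000", "sub-002"),
    ("440015202000", "sub-003"),
    ("440015202000", "sub-004"),
    ("440015202000", "sub-005"),
    ("490154203237517", "sub-006"),
    ("000000000000000", "sub-007"),
]

if __name__ == "__main__":
    for imei, findings in analyze(RECORDS).items():
        print(imei, "->", "; ".join(findings))
```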