Tag Archives: identity

Verifying That Credential

People can claim all sorts of accomplishments, but how do you verify (and authenticate) the truth?

The claimed credential

For those who don’t recall, I did a thing in 2021. Specifically, I achieved APMP® Bid and Proposal Management Foundation 2021 certification.

I even published the link to my certification. Here it is.

https://www.credly.com/badges/f177cbf8-e085-4fae-943a-1e418d86c872

Now if you click on that link, you will see a “Verify” link at the top left.

From Credly.

And if you click on that”Verify,” this is what you get.

The verification.

So I have verified that I am allowed to call myself John E. Bredehoft, CF APMP. It’s allowed:

In the same manner, those who have achieved one of the APMP certifications can append the appropriate certification. In the case of APMP Foundation certification, that means that I can style myself as “John E. Bredehoft, CF APMP.” (Or “John E. Bredehoft, MBA, CF APMP, RSBC” if I want to be thorough. But I probably won’t, since “RSBC” stands for “Radio Shack Battery Club.”)

But have I REALLY verified that I have achieved this accomplishment? (Not the battery club one, the proposal one. Although it would be good to know whether I really have that MBA educational accomplishment.)

The identity problem

You see, despite how impressive that Credly link is, it doesn’t prove nothing.

Sure, somebody who claimed to be John E. Bredehoft sat down in 2021 and took an online exam.

  • But was that person truly John E. Bredehoft?
  • And even if he was, am I the same John E. Bredehoft who received the certification?

Maybe there were fraudsters along the way. Maybe someone else took the test and pretended to be Bredehoft. Or maybe I’m not Bredehoft.

Sure, at one point I whipped out a credit card with Bredehoft’s name on it. But that doesn’t prove identity.

You probably know the things that prove identity. A biometric modality, including the liveness of that modality. A government-issued identity document that matches the biometric. A sensible location (was the test taker in Ontario, California as expected?).

Now perhaps this is overkill for authenticating a proposal writer, but it may not be if you need a certified plumber.

Or a certified lawyer.

Or a certified doctor.

The other problem

But there’s another problem with the whole thing, even if I am who I say I am.

Yes, my September 2021 achievement is verified.

And yes, the record was updated in January 2022.

But…to maintain a CF APMP certification, you need 20 Continuing Education Units (CEUs)/Continuing Professional Development (CPDs) every two years.

APMP continuing education requirements.

And because I truly am me, I know I didn’t meet the CEU/CPD requirement by September 2023. I don’t know how many I did achieve; the APMP was changing its CEU/CPD tracking system in early 2022, and then I joined Incode and theoretically wasn’t writing proposals any more. Theoretically.

So in truth, my shiny badge only represents a dated accomplishment. John E. Bredehoft can no longer use the CF APMP designation.

Unless I add “Emeritus” or something.

And as for those cases in which the certifications and identities truly matter…

How Much Does Synthetic Identity Fraud Cost?

Identity firms really hope that prospects understand the threat posed by synthetic identity fraud, or SIF.

I’m here to help.

(Synthetic identity AI image from Imagen 3.)

Estimated SIF costs in 2020

In an early synthetic identity fraud post in 2020, I referenced a Thomson Reuters (not Thomas Reuters) article from that year which quoted synthetic identity fraud figures all over the map.

  • My own post referenced the Auriemma Group estimate of a $6 billion cost to U.S. lenders.
  • McKinsey preferred to use a percentage estimate of “10–15% of charge offs in a typical unsecured lending portfolio.” However, this may not be restricted to synthetic identity fraud, but may include other types of fraud.
  • Thomson Reuters quoted Socure’s Johnny Ayers, who estimated that “20% of credit losses stem from synthetic identity fraud.”

Oh, and a later post that I wrote quoted a $20 billion figure for synthetic identity fraud losses in 2020. Plus this is where I learned the cool acronym “SIF” to refer to synthetic identity fraud. As far as I know, there is no government agency with the acronym SIF, which would of course cause confusion. (There was a Social Innovation Fund, but that may no longer exist in 2025.)

Never Search Alone, not National Security Agency. AI image from Imagen 3.

Back to synthetic identity fraud, which reportedly resulted in between $6 billion and $20 billion in losses in 2020.

Estimated SIF costs in 2025

But that was 2020.

What about now? Let’s visit Socure again:

The financial toll of AI-driven fraud is staggering, with projected global losses reaching $40 billion by 2027 up from US12.3 billion in 2023 (CAGR 32%)., driven by sophisticated fraud techniques and automation, such as synthetic identities created with AI tools​.

Again this includes non-synthetic fraud, but it’s a good number for the high end. While my FTC fraud post didn’t break out synthetic identity fraud figures, Plaid cited a 2023 $1.8 billion figure for the auto industry alone, and Mastercard cited a $5 billion figure.

But everyone agrees on a figure of billions and billions.

The real Carl Sagan.
The deepfake Carl Sagan.

(I had to stop writing this post for a minute because I received a phone call from “JP Morgan Chase,” but the person didn’t know who they were talking to, merely asking for the owner of the phone number. Back to fraud.)

Reducing SIF in 2025

In a 2023 post, I cataloged four ways to fight synthetic identity fraud:

  1. Private databases.
  2. Government documents.
  3. Government databases.
  4. A “who you are” test with facial recognition and liveness detection (presentation attack detection).

Ideally an identity verification solution should use multiple methods, and not just one. It doesn’t do you any good to forge a driver’s license if AAMVA doesn’t know about the license in any state or provincial database.

And if you need an identity content marketing expert to communicate how your firm fights synthetic identities, Bredemarket can help with its content-proposal-analysis services.

Find out more about Bredemarket’s “CPA” services.

Login.gov May Not Be Pining for the Fjords

My question regarding Login.gov’s future may have been answered.

You will recall that the General Service Administration’s 18F organization was unceremoniously shut down over the weekend. Since 18F was the original developer of Login.gov, it was unclear whether the government’s identity service had also fallen victim to the chopping block.

Well, Anthony Kimery of Biometric Update provided a…well, update. According to Thomas Shedd, who heads the GSA’s Technology Transformation Services (the organization in which the former 18F resided), we have nothing to worry about:

“‘“I can assure you that Login.gov’s work carries forward as a critical part of government-wide efforts to promote efficiency and fight fraud,’ Shedd wrote in a Monday email. ‘To that end we are working to accelerate Login’s roadmap. More to come on that soon.’”

So that’s the story as of this week…

How Does Private Sector Firm X Handle Identity Verification?

As I mentioned earlier, I don’t know if Login.gov is affected by the abrupt shutdown of GSA’s 18F. Was 18F still maintaining Login.gov code, or had the Login.gov folks established their own code maintenance, independent of the now-deprecated 18F?

Perhaps we will find out Monday.

But what if 18F were still responsible for Login.gov, which therefore is nearly impossible to update or maintain? 

No, Mark Cuban, DOGE will not contract with the ex-18F workers. DOGE doesn’t need them. Look at what they’ve already done with verifying identities.

IDV via SMS

For example, at the private sector company X, you cannot get a paid X Premium subscription unless you have a confirmed phone number. Because everybody knows that confirming identities via an SMS text message is a foolproof method.

Well, maybe not.

“According to information provided by Google, the decision to move away from SMS verification stems from numerous security vulnerabilities associated with text message codes. These include susceptibility to phishing attacks, where users might inadvertently share codes with malicious actors, and dependence on phone carriers’ security practices, which can vary widely in effectiveness.”

IDV via doc plus selfie

Now I’m not being fair to X, because X offers an identity verification procedure using a government issued ID…as a voluntary (not mandatory) service. It uses known third party providers (Au10tix, Persona, and Stripe as of February 2025) for IDV.

“X will provide a voluntary ID verification option for certain X features to increase the overall integrity and trust on our platform. We collect this data when X Premium subscribers optionally choose to apply for an ID verified badge by verifying their identity using a government-issued ID. Once confirmed, a verified label is added to the user’s profile for transparency and potentially unlocking additional benefits associated with specific X features in the future.”

But the public sector needs IDV

Identity verification isn’t mandatory on X because some people plain do not want it. Not because they’re crooks, but because they don’t want to hand their PII over to anyone if they don’t have to.

Of course, the Internal Revenue Service, the Social Security Administration, and many other government agencies HAVE to implement identity verification from Login.gov, ID.me, or some other provider.

When a .gov Becomes an .org

When techies (the ones who developed Login.gov among other things) get fired from their government jobs, a website is sure to follow.

Here is how 18f.org begins:

“For over 11 years, 18F has been proudly serving you to make government technology work better. We are non-partisan civil servants. 18F has worked on hundreds of projects, all designed to make government technology not just efficient but effective, and to save money for American taxpayers.

“However, all employees at 18F – a group that the Trump Administration GSA Technology Transformation Services Director called “the gold standard” of civic tech – were terminated today at midnight ET.”

18F is Not a Female Who Can Vote (An Identity Verification Post)

If you are a government agency who uses Login.gov, or if you are a U.S. citizen who has a Login.gov account, I’m not sure about the future of the service.

Back in November 2023, I wrote a post that included the three letters “18F.” Specifically:

Obviously there are a number of private companies (over 80 last I counted) that provide secure access to information, but Login.gov is provided by the government itself—specifically by the General Services Administration’s Technology Transformation Services. Agencies at the federal, state, and local level can work with the GSA TTS’ “18F” organization to implement solutions such as Login.gov.

Now perhaps I’m, um, biased, but I happen to think that identity verification, whether performed by a public entity, is kinda sorta important.

Which is why I took notice when I saw Brian Krebs’ Saturday night LinkedIn post. Here’s a short excerpt:

This is from the executive director of the 18F, the digital services agency within the General Services Administration (GSA) that develops open-source tools to improve digital services across the federal government.

“I am the Executive Director of 18F and 18F’s longest running employee- I have been at 18F for 10 years. You may not have heard of us, but last night proved that we are powerful. The way the administration ran to get rid of us under the cover of night and shut us down without warning proves that they were scared. They are too afraid to even speak to us.”

Krebs also links to a FedScoop article.

The General Services Administration has eliminated its 18F program, an internal team of tech consultants and engineers that develops open-source tools to improve digital services across the federal government. 

The announcement, which came overnight, is the latest in the Trump administration’s ongoing efforts to slash the federal workforce. It was foreshadowed weeks ago when Elon Musk, who’s become a highly influential and controversial voice in the White House, tweeted that the decade-old program had been “deleted.” 

At this point I am not sure how this affects future updates to Login.gov. As far as I know the service itself remains operational.

To be continued? Or not continued?

Writing Samples I (Mostly) Can’t Share Publicly

So a Bredemarket prospect requested samples of my internal and external sales enablement content, so they could evaluate my writing style.

There were only two problems with the request.

  • First, I can’t provide samples of internal content for other clients. Even privately. Because they’re…internal.
  • Second, reviewing samples of my external content gives no hint of my writing style, since I adjust my writing style to my clients.

But I provided external samples of what I do anyway: two client short data sheets, three client long data sheets, three Bredemarket data sheets, two client landing pages, one Bredemarket landing page, and two other samples.

So I will share one of the landing pages with you, but not a client one. This is one of mine, for Bredemarket’s identity/biometric prospects.

Drive Content Results with Bredemarket Identity Firm Services

People for Sale

News about iProov. According to Metropoler, the company discovered a dark web group in Latin America. 

The group is

“amassing a substantial collection of identity documents and corresponding facial images, specifically designed to defeat Know Your Customer (KYC) verification processes. Rather than traditional theft, these identities may have been obtained through compensated participation, with individuals willingly providing their image and documentation in exchange for payment.”

To uncover such fraudulent activity, a mere government ID to selfie comparison is not enough, since both are from a real person. You need more sophisticated checks such as liveness detection, which iProov offers. You can find iProov’s ISO 30107-3 Presentation Attack Detection Level 2 confirmation letters on iBeta’s page.

But why?

Why would anyone sell their identity, either legitimately (to the World ex Worldcoin folks) or illegitimately (to this dark web outfit)?

Sadly, desperation. If you have a basic need to eat, who cares who is using your ID and what they’re doing with it?

Submission (of proposals)

(All images Imagen 3)

From the early 1990s to 2019, the majority of my identity/biometric proposal work was with U.S. state and local agencies, with some work with foreign agencies (such as Canada’s RCMP), private entities, and a few proposals to U.S. federal agencies.

I had no idea what was going to happen in 2020, and one of the surprises is that the majority of my identity/biometric proposal work since 2020 has been with U.S. federal agencies. Many requests for information (RFIs) as well as other responses.

The L&M does stop at Bredemarket, apparently. 

The L & N, not M, but close enough for government work.

I’ve worked on client proposals (and Bredemarket’s own responses) to the Departments of Defense, Homeland Security, Justice, and perhaps some others along the way.

And no, there’s no uniformity

Same department, different requirements.

Coincidentally, the two most recent identity/biometric proposals I managed for Bredemarket clients went to the same government department. But that’s where the similarities ended.

The first required an e-mail submission of a PDF (10 pages maximum) to two email addresses. A relative piece of cake.

Mmm…cake. Always reward your proposal people.

The last required an online submission. No, not a simple upload of a PDF to a government website. While my client did have to upload 2 PDFs, the majority of the submission required my client to complete a bunch of online screens.

And there were two separate sets of instructions regarding how to complete these online screens…which contradicted each other. So I had to ask a clarification question…and you know how THAT can go.

Oh, and as the consulting proposal expert, I could not complete the online screens on behalf of the client. The client’s company had a single login, which was assigned to a single person (a company executive) and could NOT be used by anybody else. 

So on the day of proposal submission the executive and I videoconferenced, and I watched as the executive answered the responses, in part using a document in which I had drafted responses.

And of course things were not perfect. The executive pasted one of my responses into the space provided, and only THEN did we discover that the response had an unadvertised character limit. So I rewrote it…at the same time that I resized a required image with unadvertised dimension restrictions.

But there’s some uniformity

Perhaps if I had written more federal proposals at Printrak, Motorola, MorphoTrak, IDEMIA, and Incode, I would have known these things. Perhaps not; as late as 2014 I was still printing proposals on paper and submitting 10 or more volumes of binders (yes, binders) along with CDs that had to be virus-checked.

Some Requests for Proposal (RFPs) provide helpful checklists.

But regardless of whether you submit proposals online, via CD, or in paper volumes, some things remain constant.

  • Follow the instructions.
  • Answer the questions.
  • Emphasize the benefits.
  • And don’t misspell the name of the Contracting Officer.

If you need Bredemarket’s proposal services, or my content or analysis services, visit my “CPA” page to get started.

Where is ByteDance From?

Know Your Business!

Where is ByteDance From?

I am VERY familiar with questions regarding the nationality of a company. There are three questions:

  • Where is it incorporated?
  • Where is it headquartered?
  • Who owns it?

IDEMIA

For my former employer IDEMIA, the answers are France, France, and primarily a U.S. investor (Advent International).

(So depending upon your needs, you can argue that IDEMIA is a French company or a U.S. company.)

ByteDance

For ByteDance, the answers are the Cayman Islands, China (Beijing), and primarily global investors (Blackrock, General Atlantic, Susquehanna International Group, etc.).

(So depending upon your needs, you can argue that ByteDance is a Chinese company, a mostly American company, or a British company off the coast of Cuba.)

Your company

Not that I create TikTok videos (at least not for paying clients), but I provide other services.

More information on Bredemarket’s Content-Proposal-Analysis marketing and writing services:

CPA
Bredemarket’s “CPA.”