When Names Infringe (Biometric Products Coming to America)

Then there was the time I was performing U.S. go-to-market activities for a global identity/biometric offering.

The product marketing launch went great…

…until the home office received a communication from a competitor.

A competitor with a previously existing product with a name VERY similar to that of our subsequently launched solution.

Oops. 

We definitely made a mistake by not thoroughly checking the name.

Of course, with the way that some companies want to imitate the things their competitors do, I’m sure some firms perform this intentionally, rather than accidentally.

(McDowell’s 2017 West Hollywood pop-up image from Buzzfeed, https://www.buzzfeed.com/morganshanahan/we-went-to-a-real-life-mcdowells-from-coming-to-america-and)

In Case You Missed My Incessant “Biometric Product Marketing Expert” Promotion

Biometric product marketing expert.

Modalities: Finger, face, iris, voice, DNA.

Plus other factors: IDs, data.

John E. Bredehoft has worked for Incode, IDEMIA, MorphoTrak, Motorola, Printrak, and a host of Bredemarket clients.

(Some images AI-generated by Google Gemini.)

Always Remember…and Differentiate

I’ve railed against copying the competition with “me too” messaging…and this morning I ate my own wildebeest food and did something about it.

While Bredemarket usually doesn’t mark significant dates, I observed 9/11 on my social channels. While 9/11 is relevant worldwide, it is especially relevant to Bredemarket’s identity/biometrics customers because of its revolutionary impact on our industry.

But I didn’t use the tried-and-true messaging with an image of the former World Trade Center and the words “never forget.” After 23 years, we’ve seen that message thousands of times. It blends into the landscape, like a mention of the band the Dead Kennedys that no longer raises an eyebrow.

So instead I differentiated Bredemarket’s message and said “always remember” with an image of the destruction to the Pentagon. Perhaps that will wake people up to what happened that day.

Apologies to Shanksville. We will always remember you also.

The Pentagon, 2001.

Know Your Recruiter

KYR = Know Your Recruiter.

My two most popular LinkedIn posts over the last two weeks discussed scammy SMS texts I received from people who claimed to work for Randstad and Indeed but clearly did NOT.

THIS post clearly won’t garner tens of thousands of impressions, but it’s much more important: how do you differentiate a real recruiter from a fake one?

The easiest test—which all the fake recruiters fail—is to ask the recruiter to provide their corporate email address. But even that can backfire when the fake provides an email from an ALMOST good domain such as endeede.com and hopes the mark doesn’t notice the difference.

There are other tests, but my “biometric product marketing expert” preferred tests such as comparing a live PAD#-tested selfie against a driver’s license don’t prove anything. Sure, such methods can prove that Anna Morgan is Anna Morgan, but they don’t prove her profession per se (fractional talent acquisition leader / recruiter / career coach).

So for now the best KYR tactic is to ask for a corporate email address. Definitely don’t take the recruiting conversation to Telegram.

# PAD = presentation attack detection. A presentation attack is when you substitute a fake face (or another fake, such as a fake driver’s license) for a real one.
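
The corporate-email test described above, including the "almost good" domain case, as an added Python example that is not part of the original post. The EXPECTED_DOMAINS table and the distance threshold are assumptions; take the real domain from the company's own website.

```python
# Added example: classify the domain of an email address a "recruiter" supplies.
# EXPECTED_DOMAINS is an assumed lookup table maintained by the person checking.
EXPECTED_DOMAINS = {"indeed": "indeed.com"}

def edit_distance(a, b):
    """Levenshtein distance, computed with the two-row dynamic programme."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete from a
                           cur[j - 1] + 1,              # insert into a
                           prev[j - 1] + (ca != cb)))   # substitute
        prev = cur
    return prev[-1]

def check_recruiter_email(address, claimed_company, max_distance=2):
    """Return 'match', 'lookalike' or 'mismatch' for the address's domain."""
    expected = EXPECTED_DOMAINS.get(claimed_company.strip().lower())
    if expected is None or address.count("@") != 1:
        return "mismatch"
    domain = address.rsplit("@", 1)[1].strip().lower().rstrip(".")
    if not domain.isascii():
        return "lookalike"  # non-ASCII letters standing in for ASCII ones
    # Exact domain or a true subdomain; "indeed.com.example" does not qualify.
    if domain == expected or domain.endswith("." + expected):
        return "match"
    # Close to the real name but not equal: the case the post warns about.
    if edit_distance(domain, expected) <= max_distance:
        return "lookalike"
    return "mismatch"

if __name__ == "__main__":
    # Constructed sample addresses; endeede.com is the domain named in the post.
    for addr in ("anna@indeed.com", "anna@endeede.com", "anna@gmail.com"):
        print(addr, "->", check_recruiter_email(addr, "Indeed"))
```

A "match" only says the string names the right domain. The test is complete once a message sent to that address is answered from it.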

AI image by Microsoft Copilot because Google Gemini still won’t draw people.

KYI Stands For Know Your InMailer

KYC stands for Know Your Customer.

So I guess KYI stands for Know Your InMailer.

My broad and rich skillset

This afternoon I received an email and a LinkedIn InMail from “Alice Ives,” purportedly with Maharah according to her profile. She wanted to tell me about an opportunity.

The email.

“Your broad and rich skillset will be of great benefit to our company’s development. The employer is seeking a remote consultant. We look forward to discussing further cooperation opportunities with you. Hope to hear from you soon.”

The InMail after “Alice’s” profile disappeared.

But when I asked for her Maharah email address she didn’t respond, and her profile became invisible to me. I don’t know if “Alice” deleted her profile, if she blocked me, or if LinkedIn removed her.

Know Your Customer in the real world

Of course in the real world outside of social media, Know Your Customer procedures can be rigorous, encompassing government-issued identity documents, biometrics and liveness detection, information from public and private databases worldwide, and even geolocation.

But from what I recall before Alice’s profile disappeared, her claimed geolocation was “United States.” Just one possible indicator of fakery. 

Did you spot the others?

On Attribute-Based Access Control

In this post I’m going to delve more into attribute-based access control (ABAC), comparing it to role-based access control (RBAC, or what Printrak BIS used), and directing you to a separate source that examines ABAC’s implementation.

(Delve. Yes, I said it. I told you I was temperamental. I may say more about the “d” word in a subsequent post.)

But first I’m going to back up a bit.

Role-based access control

As I noted in a LinkedIn post yesterday:

Back when I managed the Omnitrak and Printrak BIS products (now part of IDEMIA’s MBIS), the cool kids used role-based access control.

My product management responsibilities included the data and application tours, so user permissions fell upon me. Printrak BIS included hundreds of specific permissions that governed its use by latent, tenprint, IT, and other staff. But when a government law enforcement agency onboarded a new employee, it would take forever to assign the hundreds of necessary permissions to the new hire.

Enter roles, as a part of role-based access control (RBAC).

If we know, for example, that the person is a latent trainee, we can assign the necessary permissions to a “latent trainee” role.

  • The latent trainee would have permission to view records and perform primary latent verification.
  • The latent trainee would NOT have permission to delete records or perform secondary latent verification.

As the trainee advanced, their role could change from “latent trainee” to “latent examiner” and perhaps to “latent supervisor” some day. One simple change, and all the proper permissions are assigned.

But what of the tenprint examiner who expresses a desire to do latent work? That person can have two roles: “tenprint examiner” and “latent trainee.”

Role-based access control certainly eased the management process for Printrak BIS’ government customers.

But something new was brewing…

Attribute-based access control

As I noted in my LinkedIn post, the National Institute of Standards and Technology released guidance in 2014 (since revised). The document is NIST Special Publication 800-162, Guide to Attribute Based Access Control (ABAC) Definition and Considerations, and is available at https://doi.org/10.6028/NIST.SP.800-162.

Compared to role-based access control, attribute-based access control is a teeny bit more granular.

Attributes are characteristics of the subject, object, or environment conditions. Attributes contain information given by a name-value pair.

A subject is a human user or NPE, such as a device that issues access requests to perform operations on objects. Subjects are assigned one or more attributes. For the purpose of this document, assume that subject and user are synonymous.

An object is a system resource for which access is managed by the ABAC system, such as devices, files, records, tables, processes, programs, networks, or domains containing or receiving information. It can be the resource or requested entity, as well as anything upon which an operation may be performed by a subject including data, applications, services, devices, and networks.

An operation is the execution of a function at the request of a subject upon an object. Operations include read, write, edit, delete, copy, execute, and modify.

Policy is the representation of rules or relationships that makes it possible to determine if a requested access should be allowed, given the values of the attributes of the subject, object, and possibly environment conditions.

So before you can even start to use ABAC, you need to define your subjects and objects and everything else.

Frontegg provides some excellent examples of how ABAC is used in practical terms. Here’s a government example:

For example, a military officer may access classified documents only if they possess the necessary clearance, are currently assigned to a relevant project, and are accessing the information from a secure location.

Madame Minna Craucher (right), a Finnish socialite and spy, with her chauffeur Boris Wolkowski (left) in 1930s. By Anonymous – Iso-Markku & Kähkönen: Valoa ja varjoa: 90 kuvaa Suomesta, s. 32. (Helsinki 2007.), Public Domain, https://commons.wikimedia.org/w/index.php?curid=47587700.

While (in my completely biased opinion) Printrak BIS was the greatest automated fingerprint identification system of its era, it couldn’t do anything like THAT. A Printrak BIS user could have a “clearance” role, but Printrak BIS had no way of knowing whether a person is assigned to an appropriate project or case, and Printrak BIS’ location capabilities were rudimentary at best. (If I recall correctly, we had some capability to restrict operations to particular computer terminals.)

As you can see, ABAC goes far beyond whether a PERSON is allowed to do things. It recognizes that people may be allowed to do things, but only under certain circumstances.
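
The contrast between the two models, as an added Python example that is not code from Printrak BIS, NIST, or Frontegg. The permission names, attribute names, clearance ordering, and location value are all assumptions made for illustration.

```python
# Added example: RBAC vs. ABAC decisions. All names and values are constructed.

# RBAC: a role is a named bundle of permissions. The "latent trainee" bundle
# follows the post; the "tenprint examiner" bundle is an assumption.
ROLE_PERMISSIONS = {
    "latent trainee": {"view_records", "primary_latent_verification"},
    "tenprint examiner": {"view_records", "tenprint_verification"},
}

def rbac_allows(roles, permission):
    """Permit if any of the user's roles carries the permission."""
    return any(permission in ROLE_PERMISSIONS.get(r, set()) for r in roles)

# ABAC: the decision depends on subject, object and environment attributes.
CLEARANCE_ORDER = ["unclassified", "confidential", "secret", "top secret"]
SECURE_LOCATIONS = {"secure-facility-a"}  # hypothetical environment value

def abac_allows(subject, obj, operation, env):
    """Quoted policy: clearance AND project assignment AND secure location."""
    if operation != "read":
        return False, "operation not covered by policy"
    try:
        have = CLEARANCE_ORDER.index(subject.get("clearance"))
        need = CLEARANCE_ORDER.index(obj.get("classification"))
    except ValueError:
        return False, "missing or unknown clearance"  # deny by default
    if have < need:
        return False, "insufficient clearance"
    if obj.get("project") not in subject.get("projects", ()):
        return False, "not assigned to project"
    if env.get("location") not in SECURE_LOCATIONS:
        return False, "location not secure"
    return True, "permit"

# Constructed sample request.
OFFICER = {"clearance": "secret", "projects": {"project-x"}}
DOCUMENT = {"classification": "secret", "project": "project-x"}

if __name__ == "__main__":
    print(rbac_allows(["tenprint examiner", "latent trainee"], "primary_latent_verification"))
    print(rbac_allows(["latent trainee"], "delete_records"))
    print(abac_allows(OFFICER, DOCUMENT, "read", {"location": "secure-facility-a"}))
    print(abac_allows(OFFICER, DOCUMENT, "read", {"location": "home"}))
```

The same officer and the same document produce different answers depending on the environment attribute, which a role assignment alone cannot express.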

Implementing attribute-based access control

As I noted, it takes a lot of front-end work to define an ABAC implementation. I’m not going to delve into that complexity, but Gabriel L. Manor did, touching upon topics such as:

  • Policy as Code
  • Unstructured vs. Structured Rules
  • Policy configuration using the Open Policy Administration Layer (OPAL)

You can read Manor’s thoughts here (“How to Implement Attribute-Based Access Control (ABAC) Authorization?”).

And there are probably ways to simplify some of this.

Were You Affected by the National Public Data Breach?

(Part of the biometric product marketing expert series)

Fiona Jackson of TechRepublic shared this two days ago.

In August, a hacker dumped 2.7 billion data records, including social security numbers, on a dark web forum, in one of the biggest breaches in history.

The data may have been stolen from background-checking service National Public Data at least four months ago. Each record has a person’s name, mailing address, and SSN, but some also contain other sensitive information, such as names of relatives…

Note that 2.7 billion data records does not equal 2.7 billion people, since a person may have multiple data records.

Was your data leaked?

Rich DeMuro posted a link to see if your data was leaked. If you want to check, go to https://npd.pentester.com/, enter the requested information (you will NOT be asked for your Social Security Number), and the site will display a masked list of the matching information in the breach.

One lesson from the National Public Data breach should have been obvious long ago: anyone who relies on a Social Security Number as a form of positive identification is a fool.

Identity/Biometric Professionals, Does Your Company Need the Right Words?

Identity/biometric professionals require the right words to raise product awareness, influence consideration, or drive conversions.

Bredemarket helps you create the words your prospects and customers must hear now:

With over 29 years of identity/biometric experience, John Bredehoft of Bredemarket is the biometric product marketing expert that can move your company forward.

If I can help you, book a free 30 minute meeting with me on Calendly.

If you’re not sure about using Bredemarket, here is more information.

Identity professionals…

Are My 15 Second Videos Too Long?

You’ve probably noticed that I’ve created a lot of Bredemarket videos lately.

But…

Even Bredemarket’s “short” 15 second videos may be TWICE AS LONG as they should be.

The Microsoft 8 second study

In 2015, Time magazine reported on the results of a Microsoft study:

Researchers in Canada surveyed 2,000 participants and studied the brain activity of 112 others using electroencephalograms (EEGs). Microsoft found that since the year 2000 (or about when the mobile revolution began) the average attention span dropped from 12 seconds to eight seconds.

As many noted, a goldfish’s attention span is 9 seconds.

Celestial eye goldfish image public domain.

Some argue that the 8 second attention span is not universal and varies according to the task. For example, a 21 minute attention span has been recorded for drivers. If drivers had an 8 second attention span, we would probably all be dead by now.

But watching a video is not a life-or-death situation. Viewers will happily jump away if there’s no reason to watch.

So I have my challenge.

Ironically, I learned about the 8 second rule while watching a LinkedIn Learning course about the 3 minute rule. I haven’t finished the course yet, so I haven’t yet learned how to string someone along for 22.5 8-second segments.