Tag Archives: identity

Do You Know Your Identity/Biometric Competitors…And Yourself?

Do you need identity/biometric analysis from an informed analyst with 30 years of identity/biometric experience?

Do you need:

  • Competitor and competitor product analysis?
  • Industry analysis?
  • Use case analysis?
  • Analysis of your own company?

Book a free meeting with Bredemarket and discuss your needs. Click the image below to drive informed analysis with Bredemarket Identity Firm Services.

Drive informed analysis with Bredemarket Identity Firm Services

Do All 5 Identity Factors Apply to Non-Human Identities?

I’ve talked ad nauseam about the five factors of identity verification and authentication. In case you’ve forgotten, these factors are:

  • Something you know.
  • Something you have.
  • Something you are.
  • Something you do.
  • Somewhere you are.

I’ll leave “somewhat you why” out of the discussion for now, but perhaps I’ll bring it back later.

These five (or six) factors are traditionally used to identify people.

Identifying “Non-Person Entities”

But what happens when the entity you want to identify is not a person? I’ll give two examples:

Kwebbelkop AI? https://www.youtube.com/watch?v=3l4KCbTyXQ4.
  • Kwebbelkop AI, discussed in “Human Cloning Via Artificial Intelligence: It’s Starting,” is not a human. But is there a way to identify the “real” Kwebbelkop AI from a “fake” one?
  • In “On Attribute-Based Access Control,” I noted that NIST defined a subject as “a human user or NPE (Non-Person Entity), such as a device that issues access requests to perform operations on objects.” Again, there’s a need to determine that the NPE has the right attributes, and is not a fake, deep or shallow.

There’s clearly a need to identify non-person entities. If I work for IBM and have a computer issued by IBM, the internal network needs to know that this is my computer, and not the computer of a North Korean hacker.

But I was curious. Can the five (or six) factors identify non-person entities?

Let’s consider factor applicability, going from the easiest to the hardest.

The easy factors

  • Somewhere you are. Not only is this extremely applicable to non-person entities, but in truth this factor doesn’t identify persons, but non-person entities. Think about it: a standard geolocation application doesn’t identify where YOU are. It identities where YOUR SMARTPHONE is. Unless you have a chip implant, there is nothing on your body that can identify your location. So obviously “somewhere you are” applies to NPEs.
  • Something you have. Another no brainer. If a person has “something,” that something is by definition an NPE. So “something you have” applies to NPEs.
  • Something you do. NPEs can do things. My favorite example is Kraftwerk’s pocket calculator. You will recall that “by pressing down this special key it plays a little melody.” I actually had a Casio pocket calculator that did exactly that, playing a tune that is associated with Casio. Later, Brian Eno composed a startup sound for Windows 95. So “something you do” applies to NPEs. (Although I’m forced to admit that an illegal clone computer and operating system could reproduce the Eno sound.)
Something you do, 1980s version. Advance to 1:49 to hear the little melody. https://www.youtube.com/watch?v=6ozWOe9WEU8.
Something you do, 1990s version. https://www.youtube.com/watch?v=miZHa7ZC6Z0.

Those three were easy. Now it gets harder.

The hard factors

Something you know. This one is a conceptual challenge. What does an NPE “know”? For artificial intelligence creations such as Kwebbelkop AI, you can look at the training data used to create it and maintain it. For a German musician’s (or an Oregon college student’s) pocket calculator, you can look at the code used in the device, from the little melody itself to the action to take when the user enters a 1, a plus sign, and another 1. But is this knowledge? I lean toward saying yes—I can teach a bot my mother’s maiden name just as easily as I can teach myself my maiden name. But perhaps some would disagree.

Something you are. For simplicity’s sake, I’ll stick to physical objects here, ranging from pocket calculators to hand-made ceramic plates. The major reason that we like to use “something you are” as a factor is the promise of uniqueness. We believe that fingerprints are unique (well, most of us), and that irises are unique, and that DNA is unique except for identical twins. But is a pocket calculator truly unique, given that the same assembly line manufactures many pocket calculators? Perhaps ceramic plates exhibit uniqueness, perhaps not.

That’s all five factors, right?

Well, let’s look at the sixth one.

Somewhat you why

You know that I like the “why” question, and some time ago I tried to apply it to identity.

  • Why is a person using a credit card at a McDonald’s in Atlantic City? (Link) Or, was the credit card stolen, or was it being used legitimately?
  • Why is a person boarding a bus? (Link) Or, was the bus pass stolen, or was it being used legitimately?
  • Why is a person standing outside a corporate office with a laptop and monitor? (Link) Or, is there a legitimate reason for an ex-employee to gain access to the corporate office?

The first example is fundamental from an identity standpoint. It’s taken from real life, because I had never used any credit card in Atlantic City before. However, there was data that indicated that someone with my name (but not my REAL ID; they didn’t exist yet) flew to Atlantic City, so a reasonable person (or identity verification system) could conclude that I might want to eat while I was there.

But can you measure intent for an NPE?

  • Does Kwebbelkop AI have a reason to perform a particular activity?
  • Does my pocket calculator have a reason to tell me that 1 plus 1 equals 3?
  • Does my ceramic plate have a reason to stay intact when I drop it ten meters?

I’m not sure.

By Bundesarchiv, Bild 102-13018 / CC-BY-SA 3.0, CC BY-SA 3.0 de, https://commons.wikimedia.org/w/index.php?curid=5480820.

Offboarding: What Happens When You Stop Doing Business with Bredemarket?

Consulting firms (and other firms) make a big deal about the amazing processes we use when we onboard clients. (In Bredemarket’s case, I ask questions.)

But often we don’t talk about what we do when we OFFBOARD clients. And that’s equally important.

So let’s go inside the wildebeest habitat and see how Bredemarket handles client offboarding.

“Hey guys, a client jumped ship.” By Danijel Mihajlovic – https://thenextcrossing.com/wildebeest-migration-kenya, CC BY-SA 4.0, https://commons.wikimedia.org/w/index.php?curid=96024366.

This is the end, beautiful friend

Yes, offboarding happens.

In 2023 I signed a contract with a client in which I would bill them at an hourly rate. This was a short-term contract, but it was subsequently renewed.

Recently the client chose not to renew the contract for another extended period.

woodleywonderworks, CC BY 2.0, https://www.flickr.com/photos/wwworks/2248069430.

On the surface, that would appear to be the end of it. I had completed all projects assigned to me, and I had been paid for all projects assigned to me.

So what could go wrong?

(Don’t) Tell all the people

Plenty could go wrong.

During the course of my engagement with the client, I had enjoyed access to:

  • Confidential information FROM the client.
  • Confidential information that I sent TO the client, as part of the work for hire arrangement.
  • Access to client systems. (In this particular instance I only had access to a single system with non-confidential information, but other clients have granted me access to storage systems and even software.)

And all of this data was sitting in MY systems, including three storage systems, one CRM system, and one email system.

By Unnamed photographer for Office of War Information. – U.S. Office of War Information photo, via Library of Congress website [1], converted from TIFF to .jpg and border cropped before upload to Wikimedia Commons., Public Domain, https://commons.wikimedia.org/w/index.php?curid=8989847.

Now of course I had signed a non-disclosure agreement with the client, so I legally could not use any of that data even if I wanted to do so.

But the data was still sitting there, and I had to do something about it.

Take It As It Comes

But I already knew what I had to do, because I had done this before.

Long-time readers of the Bredemarket blog will recall an announcement that I made on April 22, 2022, in which I stated that I would no longer “accept client work for solutions that identify individuals using (a) friction ridges (including fingerprints and palm prints) and/or (b) faces.” (I also stopped accepting work for solutions involving driver’s licenses and passports.)

I didn’t say WHY I was refusing this work; I saved that tidbit for a mailing to my mailing list.

So, why I am making these changes at Bredemarket?

I have accepted a full-time position as a Senior Product Marketing Manager with an identity company. (I’ll post the details later on my personal LinkedIn account…)…

If you are a current Bredemarket customer with a friction ridge/face identification solution, then I already sent a communication to you with details on wrapping up our business. Thank you for your support over the last 21 months. I’ll probably see you at the conferences that my employer-to-be attends. 

That communication to then-current Bredemarket customers detailed, among other things, how I was going to deal with the confidential information I held from them.

So I dusted off the pertinent parts of that communication and repurposed it to send to my 2023-2024 client. I’ve reproduced non-redacted portions of that communication below. Although I don’t explicitly name my information storage systems in this public post, as I noted above these include three storage systems, one CRM system, and one email system.

Bredemarket will follow the following procedures to protect your confidential information.

  1. Bredemarket will delete confidential information provided to Bredemarket by your company by (REDACTED). This includes information presently stored on (REDACTED).
  2. Bredemarket will delete draft and final documents created by Bredemarket that include company confidential information by (REDACTED). This includes information presently stored on (REDACTED).
  3. If your company has provided Bredemarket with access to your company OneDrive, Outlook, or Sites, Bredemarket will delete the ability to access these company properties by (REDACTED). This includes deletion from my laptop computer, my mobile phone, and my web browser. Bredemarket further recommends that you revoke Bredemarket’s access to these systems.
  4. If your company has provided Bredemarket with access to all or part of your company Google Drive, Bredemarket recommends that you revoke Bredemarket’s access to this system.

I will inform you when this process is complete.

So I executed the offboarding process for my former client, ensuring that the client’s confidential information remains protected.

Love Me Two Times

Of course, I hope the client comes back to Bredemarket someday, in some capacity.

But perhaps you can take advantage of the opportunity. Since your competitor no longer contracts with Bredemarket, perhaps YOU can.

To learn WHY you should work with Bredemarket, click the image below and read about my CPA (Content-Proposal-Analysis) expertise.

Bredemarket’s “CPA.”

Postscript

No, I’m not going to post videos of the relevant Doors songs on here. Jim’s Oedpidal complex isn’t business-friendly.

Educating the Fake Abbott Salesperson

A salesperson from Abbott just contacted me via LinkedIn InMail.

Well, she CLAIMED to be from Abbott. I’m not sure.

Anyway, she said she wanted to “get to know each other” because we are “in the same industry.”

Rather than dismissing the InMail out of hand as a #fraud #scam attempt with a #fakefakefake identity, I embraced the opportunity of a teachable moment and shared Bredemarket’s 2021 post on the difference between biometrics and biometrics. Excerpt:

In my circles, people generally understand ‘biometrics’ to refer to one of several ways to identify an individual.

But for the folks at Merriam-Webster, this is only a secondary definition of the word “biometrics.” From their perspective, biometrics is primarily biometry, which can refer to “the statistical analysis of biological observations and phenomena” or to “measurement (as by ultrasound or MRI) of living tissue or bodily structures.” In other words, someone’s health, not someone’s identity.

Fun fact: if you go to the International Biometric Society and ask it for its opinion on the most recent FRVT 1:N tests, it won’t have an answer for you.

Yeah, “FRVT.” Told you I wrote it in 2021, before the great renaming.

So Abbott salespeople, real or imagined, won’t be interested in what I’ve been doing for the last 30 years. ‘Cause you know sometimes words have two meanings.

But those of you who use biometrics (and other factors) for individualization WILL be interested. Click on the image to find out more.

Drive content results with Bredemarket Identity Firm Services.
Drive content results with Bredemarket Identity Firm Services.

Training the Bot (who was smarter than I thought)

Perhaps I was a little agitated or excited this afternoon.

  • Perhaps I was a little agitated because five (or maybe more; I lost count) scammers had sent me LinkedIn DMs when they gravitated to my #opentowork LinkedIn banner…like flies speeding to a carcass. (Which gave me an excuse to write about identity management on LinkedIn.)
  • Or perhaps I was a little excited because a Never Search Alone participant had shared an identity management product marketing position with me.

The bot says hello

After applying for said job, I was reading the company’s website to learn about its identity management product when the company’s bot kept on messaging me.

At 2:30 pm Chat Bot says: Hello, this is an AI Rep from [COMPANY]. If you need any assistance, feel free to ask.

At 2:30 pm Chat Bot says: Saw that you’re interested in our SaaS management and identity governance software. Any questions?

Being the curious type (after all, I worked for IDEMIA), I wondered how the chat bot would deal with what I REALLY wanted to ask about.

  • Not about a demo.
  • Not about the company’s recent funding round. (Series B, $35 million.)
  • Not about how they want to save the badgers or whatever.
  • But about my just-completed job application.

At 2:47 pm I say: With 30 years’ identity experience and 9 years as a PMM, I just applied for your Sr PMM Identity Management role. So the only question that I have is when you will interview me.

Yes, 30 years. Not “over 29” years. See my prior post.

And yes, my assumption that the company would immediately drop everything and interview me may have been a little overconfident. But it’s better than imposter syndrome.

And after all, this was just a bot. I assumed that the bot would be completely confused by my question, so no harm would come from overconfidence.

You know what they say about people who assume?

The bot exceeds expectations

At 2:47 pm Chat Bot says: Thanks for applying for the Sr PMM Identity Management role! Could you provide your email address so we can follow up on your application status?

One note here: the bot parroted my response back to me. The company’s job description does not include a job title with the “PMM” acronym.

Regardless, I was pleasantly surprised. The bot was trained to respond to job applicants. So I provided the email address that I used for my job application.

The bot does not meet expectations

That’s when I was UNPLEASANTLY surprised.

At 2:47 pm Chat Bot says: Thank you for your interest. Please provide a business email address so we can follow up on your application status.

Apparently the training wasn’t thorough enough. Think about it; if you’re an individual applying for a job, why would you apply with a “business email address”? Which one? From your current employer? THAT is not a good idea.

But as it turns out, I DO have a business email address-the one for Bredemarket. So I entered that, even though that email address does not appear anywhere on the job application that I had just submitted.

At 2:47 pm Chat Bot says: Thank you for providing your email. Our team will review the conversation and follow up if necessary. How else can I assist you today?

So it will be interesting to see whether the company contacts me at both of my email addresses.

(Post image generated at craiyon.com)

Postscript for those who don’t click on every link in a Bredemarket post

You missed Brian May’s collaboration with the Weebl folks.

From https://www.youtube.com/watch?v=EllYgcWmcAY.

This resonated with me because in mid-September I spent some Instagram time thinking about the word “flash” (as in how fast a human can create content).

Identity Orchestration, Integration, and Vendor Count

If you come from the musical world rather than the technology world, then “orchestration” suggests a collection of instruments, such as the Bucharest Symphony Orchestra (CC BY-SA 4.0 for those keeping score).

But in the technology world, “orchestration” knits different applications together. As far as I’m concerned, the most notable example is identity orchestration, the topic of a recent Biometric Update post by Chris Burt.

Different apps, different identity systems

I won’t go into Chris Burt’s identity orchestration examples from Ping Identity and Strata Identity, but I’d like to delve into a Productiv survey cited by IBM.

“According to one report, the average business department uses 87 different SaaS apps. These apps often have their own identity systems, which might not readily integrate with one another. As a result, many organizations deal with fragmented identity landscapes and awkward user experiences.”

It’s tough enough to get a bunch of different apps to work together. It’s even tougher when each of those apps has its own identity system, which may be incompatible with the identity systems from the other apps.

You can’t get all your SaaS apps from one vendor

How do some SaaS vendors approach the problem?

By telling you to buy a single multi-functional solution from them.

The only problem is that for medium and large organizations, no single vendor can provide ALL the functionality the organization needs.

So you STILL have to stitch things together.

Because identity orchestration, unlike musical orchestration, is not under the direct control of a single conductor.

Mickey Mouse and Leopold Stokowski. From https://www.youtube.com/watch?v=wxNZg1WyeVI.

Who Is IN With IDEMIA?

Unlike the other rumors over the last few years, this is official. 

From IDEMIA:

“IN Groupe and IDEMIA Group have entered into exclusive negotiations regarding the acquisition of IDEMIA Smart Identity, one of the three divisions of IDEMIA Group.”

But discussions are one thing, and government approvals are another. By the way, IN Groupe’s sole shareholder is the French state…

Plus IDEMIA, like Motorola before it, will have to figure out how the, um, bifurcated components will work with each other. After all, IDEMIA Smart Identity is intertwined with the other parts of IDEMIA. 

Again, from IDEMIA:

“IDEMIA Smart Identity, a division of IDEMIA Group, is a leader in physical and digital identity solutions. We have fostered longstanding relationships with governments across the globe, based on the shared understanding that a secured legal identity enables citizens to access their fundamental rights in the physical and digital worlds.”

Regardless, this process will take some time.

And what will Advent International eventually do with the other parts of IDEMIA? That will take even more time to figure out.

Go-to-Market Partners

The next paragraph is inaccurate.

Go-to-market initiatives have ONLY two audiences: the external prospects who are the hungry people (hopefully) wanting the product, and the internal staff in the company who deliver the product.

You know who I forgot? The partners. 

Such as the very important partner for MorphoTrak’s Morpho Cloud back in 2015:

“Morpho worked with Microsoft Corporation to develop a cloud service for Morpho’s flagship Biometric Identification Solution (MorphoBIS). Morpho Cloud is hosted on Microsoft Azure Government, the cloud platform with a contractual commitment to support several U.S. government standards for data security, including the FBI’s CJIS Security Policy. Backed by the Microsoft Azure Government platform, Morpho Cloud complies with the stringent security standards for storage, transmission, monitoring, and recovery of digital information.”