The Two-Way Door Decision

In business there’s something called a “Type 2 decision.” Because of my biometric background I shy away from the term (which means “false positive” in biometrics) and prefer to use the term “two-way door decision.”

If you’ve been through an airport security checkpoint, either entering or leaving a security area, you know that you can only go one way.

Google Gemini.

Amazon and the two-way door decision

But other entrances and exits DO allow you to change your mind.

“The [two-way door decision] concept was introduced by Jeff Bezos in his Amazon shareholder letters, using the metaphor of walking through a door. With a two-way door decision, you can walk through the door, see what’s on the other side, and if you don’t like it, you can easily turn around and come back through. If you make a suboptimal two-way door decision, you don’t have to live with the consequences for long—you can reopen the door and go back through.”

Amazon Fresh is not a good example.

Google Gemini.

While in the end the original decision was reversible, the reversal was not without pain. The rise and fall of Amazon Fresh took years. (Technically less than a year in Upland, if you don’t count the years of planning, but still a long time.)

But what about trying a new product marketing idea? While some ideas, such as pricing a luxury car at one dollar, can cause permanent damage, others can easily be reversed.

I’ll use Bredemarket as an example. Back in 2020 I was heavily pushing my Bredemarket 404 Web/Social Media Checkup. While it remains on my website, I haven’t promoted it in years. I could certainly still do it (and did it for one client), but while it parallels my analysis strengths, I find other areas (such as market and competitive analysis in the biometric industry) much more satisfying and financially rewarding.

Google Gemini.

On the other hand, I DID pull my editing services from the Bredemarket website. That’s not rewarding at all.

Enough about me…what about you?

But what if YOU want to try a new product marketing idea and see if it resonates with your prospects?

Google Gemini.

Now you could go through an entire tiered go-to-market launch,

Or alternatively, you could send up a trial balloon such as a blog post, a social media post, or a data sheet.

Google Gemini.

Then measure the results.

  • If the content resonates with your prospects, double down.
  • If your prospects are indifferent, never mention the idea again.
  • If your prospects hate it, delete it.

Because of my “I ask, then I act” bias, I gravitate toward these trial balloons. As long as the idea doesn’t kill your company, why not try it quickly, rather than paralyzing yourself by repeated inaction?

Your trial balloon

Google Gemini.

Are you ready to launch a trial balloon, but need some help with the helium? Set up a meeting with Bredemarket and we can discuss your options.

The Continuing Adventures of Will and Chad

Technically Chad Smith engaged in identity fraud on Saturday Night Live when he started giving Will Ferrell’s monologue.

But no harm was done.

And while the face modality fooled many of us, the voice modality gave Chad away. Score one for multimodal authentication.

Some 2.45 Things You Do

A study entitled “Browsing behavior exposes identities on the web” (also cited by Biometric Update) offers an informative view of how “something you do” can identify you when combined with other things you do.

“Though most users are unique in their four most-visited domains, we find that we often need fewer data points for user identification. To determine how many domains are needed to pinpoint a user, we examine fingerprints at the individual level. For each unique user i, we randomly select a domain from their fingerprint and group all unique users who have that domain in their fingerprints (see Methods). Then, we select another most-visited domain from user i and narrow our group to those with both domains (Fig. 1c). We repeat this step, incrementally adding domains, until we isolate user i. At this point, we have a set of domains which exists only within user i’s fingerprint. Our analysis shows that we need an average of 2.45 steps to identify a unique user within the data set (Fig. 1d). This finding indicates that although four domains guarantee uniqueness, users’ distinct online habits facilitate their identification with fewer domains.”

Think about the four domains that YOU visit the most. If you don’t know what they are, Chrome users can visit chrome://site-engagement/ and order the list. I can almost guarantee that one of my four most-visited websites is NOT one of yours.

And as for my wildebeest friend…

Google Gemini.

Does Your Identity/Biometric Product Provide Certainty?

In case you didn’t know this, the word “trust” makes me yawn. Everybody uses it. Everybody sounds the same.

So let’s talk about certainty.

It’s not an exact synonym, but I think it’s better. It’s one thing to trust someone, but another to be certain of an outcome.

Google Gemini.

Does your identity/biometric product assure your company’s prospects that the product accurately identifies people…and doesn’t misidentify them?

(Certainty is essential because trusting a concert promoter is pointless if the promoter delivers Dread Zeppelin when you expected Led Zeppelin.)

Dread Zeppelin, “Immigrant Song.”

Do your product marketing materials explain:

  • Why your product works?
  • How it works?
  • The benefits your customers receive?

Your prospects have a lot of questions. So do I.

The Seven Questions I Ask.

Bredemarket’s questions help my clients and I deliver expert content, proposals, and analysis that convey certainty to prospects and customers.

To learn more and schedule a free meeting, click here or below.

On Ethics in Identity and Healthcare

I almost asked Google Gemini to perform a completely warped action.

I almost asked Gemini to write a post, in the style of Bredebot, explaining how ethics is detrimental to business.

But I didn’t write such a standalone post. Instead I asked Gemini to write a single paragraph.

While ethics is fundamentally viewed as a cornerstone of long-term brand equity, from a purely short-term, transactional perspective, it can be framed as a significant operational burden. In a hyper-competitive market, adhering to rigorous ethical standards often acts as a self-imposed “tax” that competitors may simply bypass. Strict compliance with environmental regulations, fair wage practices, and transparent sourcing can inflate overhead costs, leading to higher price points that may alienate price-sensitive consumers. Furthermore, ethical considerations can paralyze speed-to-market; while a competitor might prioritize rapid scaling through “growth hacking” or aggressive data harvesting, an ethically-bound company may lose its first-mover advantage by pausing for privacy audits or impact assessments. In this light, ethics is seen as a friction point that restricts a firm’s agility, limits immediate profit margins, and creates a strategic disadvantage against “bad actors” who prioritize raw efficiency over moral sentiment.

But even when receiving this instruction, Gemini emphasized that the advantage is “short-term” and “transactional.”

I assert that it’s especially transactional for companies that deal with private data-personally identifiable information (PII), protected health information (PHI), or its variants. Because if a company with your private data behaves unethically, you will be rightfully outraged.

Which is why companies such as Paravision and Reality Defender emphasize ethics.

Paravision in 2023:

“Whether it’s in facial recognition technology, hiring processes, or healthcare diagnostics, the consequences of biased AI can be far-reaching. Paravision heavily invests into broad and diverse training datasets to fight bias, and we must remain vigilant and ensure that AI systems are developed with fairness and equity in mind, and commit to improving the performance of AI algorithms across all demographics.”

Reality Defender in 2026:

“The committee’s job isn’t to bless what we ship, but to push back on it. This pushback includes (but is not limited to) operational questions, how we communicate uncertainty in a verdict, how we handle false positives at scale, and who has access to flagged content (and for how long).

“It also includes harder questions. What duty do we owe a worker authenticated through RealMeeting who didn’t choose to be authenticated? What happens when a regulator asks for our verdicts as evidence in a proceeding? How do we draw the line when a customer wants to use detection in a way we don’t think is appropriate?”

How does your identity or health vendor handle ethical issues? Or is a short-term and transactional benefit good enough?

Is Your Identity/Biometric Firm Too Busy Putting Out Fires to Install a Sprinkler System?

It’s the classic case of paralysis by overwhelmedness. (Not officially a word, but bear with me here.)

Your identity/biometric firm needs experienced product marketing contract help because you are drowning in work. But because you’re drowning in work you can’t take the time to set up that contract.

Bredemarket can help you contract with Bredemarket.

Now there are certain things that Bredemarket can’t do. Well, Bredemarket could do them, but you (understandably) won’t let me.

  • I can’t create my own contract with you. Actually I can, and I have with some clients, but your company probably requires that I use your contract, which I don’t have.
  • I can’t enroll myself as a vendor in your purchasing system. Trust me, that would be dangerous. Hmm…net 5 terms at $1,000 per hour?
  • I can’t onboard myself into your other internal systems. If I could, that would be a major security flaw.

But there are things that I can do to make your life easier when you onboard Bredemarket as a contractor/vendor…especially if you are an identity/biometric firm.

  • You don’t have to explain to me what a bifurcation or ridge ending are. I’ve been working with fingerprints since 1994 and know these things.
  • You don’t have to teach me how to spell NIST. While the 1985 interchange standard was before my time, I’m familiar with every ANSI/NIST standard since 1993 to the present day.
  • You don’t have to explain to me what a “factor” and a “modality” are. Heck, I wrote the book on factors and modalities.
  • You don’t have to create a briefing book. Just let me ask the questions and we’ll figure out the scope together.

So I can meet your partway. Then we’ll realize our mutual goal of making your products prominent and making the competitive products look weak.

So let’s talk and move the process forward.

Oh, and the title of this post was suggested by Google Gemini. AI is only a tool, but sometimes it’s a very effective tool. Sometimes.

In-person mDL Acceptance is Weak. Online Acceptance is Weaker.

Perhaps it’s different in Louisiana where the mDL is long established and supported, but in California the only place where I’ve used my mDL is at a TSA checkpoint. And last Friday I couldn’t even do that because the reader was down.

But at least mDLs are available to a large number of people. deepidv provides this good news…and the bad news.

“As of mid-January 2026, the American Association of Motor Vehicle Administrators tracks 21 US states plus Puerto Rico issuing ISO/IEC 18013-5 compliant mobile driver’s licenses. That includes California, New York, Virginia, Arizona, and most of the largest population states. Industry analysis puts the figure at roughly 41 percent of Americans now living in a state with an active mDL program, and 76 percent in a state where the program is live or in development.”

So at least many of us can get mDLs. But as I noted, it’s a challenge to use them in-person, despite a standard outlining how it can be used.

“ISO/IEC 18013-5 covers proximity presentation. The mDL holder shows the credential to a verifier device that is physically nearby, typically over Bluetooth Low Energy or NFC. That works for airport security, in-person retail age checks, and traffic stops.”

Google Gemini.

But it’s a greater challenge to use mDLs online.

“It does not work for online onboarding because there is no proximity. For online flows, the standard is ISO/IEC TS 18013-7, published in 2025, which defines remote and online presentation. Adoption of Part 7 is, in the words of the people building these systems, “limited and inconsistent.””

Google Gemini.

This is where the benefit of decentralized identity falls apart. In a decentralized identity system, the user controls where the identity is stored. (I have two California mDLs on my phone, because decentralized is very decentralized.)

deepidv has concerns with this:

“Device-side verification means the cryptographic check that establishes whether the credential is authentic happens in an environment the relying party does not control. A rooted phone, a compromised app, a tampered SDK, a man-in-the-middle on the verification flow, all of these break the trust model. The relying party is being asked to trust a yes-no answer it cannot independently verify.”

deepidv describes server-side verification, as well as other issues with mDL adoption, in its LinkedIn article.

Though not referenced by name, deepidv cites Regula’s support of server-side processing:

“Malware, rooted phones, tampered apps: User devices such as smartphones can pose risks to identity verification, as these environments are difficult to control against fraud.

“Regula says it has a solution. The identity verification firm has introduced server-side reprocessing of mobile driver’s license (mDL) data in its document reader software, Regula Document Reader SDK. The capability means that mDL data is processed on the backend in a controlled, trusted environment rather than relying solely on user devices, which also helps preserve the integrity of the identity signal across the verification flow. Data captured on the user’s device is revalidated through a PKI check and signature verification on the server.”

But will the decentralized identity people insist that server-side verification is evil? And how will the decentralized proponents convince others that a decentralized identity is really really secure?

If your company has a decentralized or centralized solution and you need to communicate its benefits to prospects, Bredemarket can work with you.

Why Does California Support Two Separate Digital Wallets For Its Mobile Driver’s License?

This morning I was attending a NIST webinar on mobile driver’s license use at financial institutions, and began looking at the services I could access in April 2026 with my California mobile driver’s license—financial and otherwise.

Of course I already knew that I could use my California mDL at the Transportation Security Administration checkpoint at Ontario International Airport. In fact, the mDL in my Apple Wallet (obtained in 2024) recorded the fact that I used my mDL at the airport on August 31, 2025.

Google Gemini.

But today I learned that some services are NOT available with the mDL in my Apple Wallet, but ONLY while using the “CA DMV Wallet” app.

So I downloaded the app, which I last used in my initial unsuccessful attempt to obtain an mDL. (I finally used Apple’s facility to get one.) I assumed that since I already had my mDL in my Apple Wallet, it would automatically show up in the app.

You know what happens when you assume. My buddy Google Gemini pointed it out to me.

“It’s a common point of confusion, but the Apple Wallet and the CA DMV Wallet app are actually two separate “containers” for your digital ID. Because California uses a secure, decentralized system, your mDL doesn’t automatically sync between them. Even if it’s already in your Apple Wallet, you have to go through a separate enrollment process to “provision” it into the DMV’s official app.”

Which meant that I had to enroll again and get another decentralized mDL, which I did. (After some difficulty; it took four separate attempts to capture my facial image, which was only successful when I went into a very dark room.)

Now that my mDL is in this second wallet, I could go ahead an enroll in the TruAge program for age verification at a private retailer.

Google Gemini.

As I type this, TruAge hasn’t processed my application.

And now for a word from our sponsor

Mobile driver’s licenses are a digital form of “something you have,” which is a factor of identity verification and authentication.

Would you like to learn about all six of the identity verification and authentication factors? (Not three. Not five.)

Learn more about the six identity factors.

Six identity factors. One Bredemarket ebook. Total identity protection. Purchase “Proving Humanity: The Six Factors of Identity Verification and Authentication.”

Four pages from "Proving Humanity: The Six Factors of Identity Verification and Authentication" by John E. Bredehoft, Bredemarket., Click on the image to purchase.

Jurisdictional Privacy and Consent

Where are you?

Who are you?

The answers to these questions affect if or how you obtain consent to use one’s personally identifiable information, or PII.

Privacy regulations can change when you cross country or even city lines, and they can also change depending on who you are: an individual, a business, or a government agency.

How?

  • On the other extreme, some entities in some jurisdictions must obtain express written consent. If I am a homeowner in Schaumburg, Illinois, and I use a doorbell camera to identify friends or foes approaching my door, the Biometric Information Privacy Act (BIPA) prohibits me from capturing their biometrics without their consent, and lets them sue me if I do it anyway.

Before you collect PII, check the laws in your jurisdiction first.

Oh, and check the laws in other jurisdictions in case they try to enforce their laws in your jurisdiction.

By the way: if you’re a software or hardware vendor, don’t assume that you bear no responsibility and that only your customer does.

You must educate your customers.

And Bredemarket can help you with my content-proposal-analysis services.

CPA
CPA.

(Told you I’d bring this landing page back.)