Tag Archives: identity

I really want to know (if this song is truly related to crime scene investigation)

I was performing some website maintenance this afternoon, and decided to add a page dedicated to Bredemarket’s services for identity firms. I was trying to think of an introductory illustration to go with the page, since the town crier can only go so far. So, claiming fair use, I decided that this image made perfect sense.

“Who Are You” by The Who. Fair use, https://en.wikipedia.org/w/index.php?curid=11316153

Now while use of the “Who Are You” album cover on a Bredemarket identity page makes perfect sense to me, it may not make sense to 6.9 billion other people. So I guess I should explain my line of thinking.

The link between human identification and the song “Who Are You” was established nearly two decades ago, when the television show “C.S.I. Crime Scene Investigation” started airing on CBS. TV shows have theme songs, and this TV show adopted a (G-rated) excerpt from the Who song “Who Are You” as its theme song. After all, the fictional Las Vegas cops were often tasked with identifying dead bodies or investigating crime scene evidence, so they would be expected to ask the question “who are you” a lot.

Which reminds me of two stories:

  • I actually knew a real Las Vegas crime scene investigator (Rick Workman), but by the time I knew him he was working for the neighboring city of Henderson.
  • CSI spawned a number of spinoffs, including “CSI:Miami.” When I was a Motorola product manager, CSI:Miami contacted us to help with a storyline involving a crime scene palm print. While Motorola software was featured in the episode, the GUI was jazzed up a bit so that it would look good on TV.

So this song (and other Who songs for the CSI spinoffs) is indelibly associated with police crime scene work.

But should it be?

After all, people think that “When a Man Loves a Woman” is a love song based upon its title. But the lyrics show that it’s not a love song at all.

When a man loves a woman
Down deep in his soul
She can bring him such misery
If she is playin’ him for a fool

So are we at fault when we associate Pete Townshend’s 1970s song “Who Are You” with crime scene investigation?

Yes, and no.

While the “who are you” question has nothing to do with figuring out who committed a crime, it DOES involve a policeman.

This song is based on a day in the life of Pete Townshend….

Pete left that bar and passed out in a random doorway in Soho (a part of New York). A policeman recognized him (“A policeman knew my name”) and being kind, woke him and and told him, “You can go sleep at home tonight (instead of a jail cell), if you can get up and walk away.” Pete’s response: “Who the f–k are you?”

Because it was the 1970s, the policeman did not try to identify the drunk Townshend with a mobile fingerprint device linked to a fingerprint identification system, or a camera linked to a facial recognition system.

Instead, the drunk Townshend questioned the authority of the policeman. Which is what you would expect from the guy who wrote the line “I hope I die before I get old.”

Speaking of which, did anybody notice that on the album cover for “Who Are You,” Keith Moon is sitting on a chair that says “Not to Be Taken Away”? Actually, they did…especially since the album was released on August 18, 1978 and Moon died on September 7.

While Moon’s death was investigated, no crime scene investigators were involved.

The five authentication factors

(Part of the biometric product marketing expert series)

I thought I had blogged about the five factors of authentication, either here or at jebredcal, but I guess I haven’t explicitly written a post just on this topic. (You’d expect an identity content marketing expert to do that.)

And I’m not going to do that today either (at least in any detail), because The Cybersecurity Man already did a good job at that (as have many others).

However, for those like me who get a little befuddled after authentication factor 3, I’m going to list all five authentication factors.

  • Something You Know. Think “password.” And no, passwords aren’t dead. But the use of your mother’s maiden name as an authentication factor is hopefully decreasing.
  • Something You Have. I’ve spent much of the last ten years working with this factor, primarily in the form of driver’s licenses. (Yes, MorphoTrak proposed driver’s license systems. No, they eventually stopped doing so. But obviously IDEMIA North America, the former MorphoTrust, has implemented a number of driver’s license systems.) But there are other examples, such as hardware or software tokens.
  • Something You Are. I’ve spent…a long time with this factor, since this is the factor that includes biometrics modalities (finger, face, iris, DNA, voice, vein, etc.). It also includes behavioral biometrics, provided that they are truly behavioral and relatively static.
  • Something You Do. The Cybersecurity Man chose to explain this in a non-behavioral fashion, such as using swiping patterns to unlock a device. This is different from something such as gait recognition, which supposedly remains constant and is thus classified as behavioral biometrics.
  • Somewhere You Are. This is an emerging factor, as smartphones become more and more prevalent and locations are therefore easier to capture. Even then, however, precision isn’t always as good as we want it to be. For example, when you and a few hundred of your closest friends have illegally entered the U.S. Capitol, you can’t use geolocation alone to determine who exactly is in Speaker Pelosi’s office.

Now when these factors are combined via multi-factor authentication, there is a higher probability that the person is who they claim to be. If I enter the password “12345” AND I provide a picture of my driver’s license AND I provide a picture of my face AND I demonstrate the secret finger move AND I am within 25 feet of my documented address, then there is a pretty good likelihood that I am me, despite the fact that I used an extremely poor password.

I don’t know if anyone has come up with a sixth authentication factor yet. But I’m sure someone will if it hasn’t already been done. And then I’ll update to update this post in the same way I’ve been updating my Bredemarket 2021 goals.

Four of my identity information sources that I have created over the years, including one that you can access in the next ten seconds

How many of us keep on doing the same thing, but just use different tools to do it?

For example, I am going to provide four examples of ways…I mean, for example, I am going to list four ways in which I have disseminated identity information to various internal and external audiences over the last fifteen years. Three of these methods had restricted access and some are no longer available, but the last one, Bredemarket Identity Firm Services, is publicly available to you TODAY.

You can get to this information source in ten seconds if you like. If you’re a TL;DR kind of person, click here.

For the rest of you, read on to see how I used COMPASS (most of you haven’t heard of COMPASS), SharePoint (you’ve heard of that), email (you’ve definitely heard of that), and LinkedIn (ditto) to share information.

Take One: Using Motorola Tools

For the first identity information source, let’s go back about fifteen years, when I was a product manager at Motorola (before The Bifurcation). Motorola had its own intranet, called COMPASS, which all of us Motorolans would use to store information except when we didn’t.

Using this intranet, I created a page entitled “Biometric Industry Information,” in which I pasted links and short descriptions of publicly-available news items. I’m not sure how useful this information source was to others, but I referred to it frequently.

Eventually Motorola sold our business unit to Safran, and “Biometric Industry Information” was lost in the transition. For all I know it may be available on some Motorola Solutions intranet page somewhere, though I doubt it.

Take Two: An Industry-Standard Tool and an Expanded Focus

The second identity information source was created a few years later, when I was an employee of MorphoTrak. Two things had changed since the Motorola days:

  • MorphoTrak’s parent company Safran didn’t use the Motorola intranet solution. Instead, it used an industry-standard intranet solution, SharePoint. This was tweaked at each of the individual Safran companies and regions, but it was pretty much a standard solution.
  • The second change was in the breadth of my interests, as I realized that biometrics was only part of an identity solution. Yes, an identity solution could use biometrics, but it could also used the driver’s licenses that MorphoTrak was slated to produce (but didn’t), and other security methods besides.

So when I recreated my Motorola information source, the new one at MorphoTrak was a Microsoft SharePoint list entitled “Identity Industry Information.”

Again, I’m not sure whether others benefited from this, but I certainly did.

Take Three: Taking Over an Email List

The third iteration of my information source wasn’t created by me, but was created about a decade ago at a company known as L-1 Identity Solutions. For those who know the company, L-1 was a conglomeration of multiple small acquisitions that provided multiple biometric solutions, secure document solutions, and other products and services. Someone back then decided that a daily newsletter covering all of L-1’s markets would be beneficial to the company. This newsletter began, and continued after Safran acquired L-1 Identity Solutions and renamed it MorphoTrust.

MorphoTrust and my company MorphoTrak remained separate entities (for security reasons) until Oberthur acquired some of Safran’s businesses and formed IDEMIA. In North America, this resulted in the de facto acquisition of MorphoTrak by MorphoTrust, and some significant shifting in organizational charts and responsibilities.

As a result of these changes, I ended up taking over the daily newsletter, tweaking its coverage to better meet the needs of today, and (in pursuit of a personal annual goal) expanding its readership. (This email was NOT automatically sent to everyone in the company; you had to opt in.)

Now some may believe that email is dead and that everyone should be on Volley or Clubhouse, but email does serve a valid purpose. As a push technology, emails are provided to you every day.

OK, every five seconds.

But modern email systems (including those from Microsoft and Google) provide helpful tools to help you manage your email. This allowed people to prioritize their reading of my daily newsletter, or perhaps de-prioritize it.

Two years later IDEMIA underwent another organizational change, and I was no longer responsible for the daily newsletter. Last I heard, the daily newsletter still continues.

Take Four: Market Me, Benefit You

Eventually I left IDEMIA and started Bredemarket, and the identity industry became one of the industries that I targeted for providing Bredemarket’s services. To build myself as an identity industry authority, and to provide benefits to identity industry firms, I needed to market specifically to that segment. While my online marketing outlets were primarily focused on my website, I was also marketing via LinkedIn and Facebook. My LinkedIn marketing was primarily though the Bredemarket LinkedIn company page.

In late November, I decided to create a LinkedIn Showcase page entitled Bredemarket Identity Firm Services. While the page was initially created for other reasons, I eventually settled into a routine of sharing identity industry information via the page.

Like I’ve done one thousand times before.

I’m trying to add new content to Bredemarket Identity Firm Services on a daily basis. It’s primarily content from other sources, but sometimes my own content (such as this post) will find its way in there also. And, as in the example above, I’ll occasionally include editorial comments on others’ posts.

So if you’re on LinkedIn and would find such content useful to you, go to the showcase page and click the “Follow” button.

P.S. I have a technology showcase page also.

Identity assurance levels (IALs) and digital identity

(Part of the biometric product marketing expert series)

There is more and more talk about digital identity, especially as COVID-19 accelerates the move to contactless and remote transactions. However, there are many types of digital identity, ranging from a Colorado, Louisiana, or Oklahoma digital driver’s license to your Facebook, Google, or Microsoft ID to the online equivalent of my old Radio Shack Battery Club card.

All of these different types of digital identities suggest that some identities are more rigorous than others. For example, I’ve lost track of how many digital identities I’ve created with Google over the years, but if California ever gets around to implementing a digital driver’s license, I’ll only have one of them. (And I won’t be able to get another license in Nevada.)

In this particular case, the government IS here to help.

The U.S. National Institute of Standards and Technology has defined “identity assurance levels” (IALs) that can be used when dealing with digital identities. It’s helpful to review how NIST has defined the IALs. (I’ll define the other acronyms as we go along.)

Assurance in a subscriber’s identity is described using one of three IALs:

IAL1: There is no requirement to link the applicant to a specific real-life identity. Any attributes provided in conjunction with the subject’s activities are self-asserted or should be treated as self-asserted (including attributes a [Credential Service Provider] CSP asserts to an [Relying Party] RP). Self-asserted attributes are neither validated nor verified.

IAL2: Evidence supports the real-world existence of the claimed identity and verifies that the applicant is appropriately associated with this real-world identity. IAL2 introduces the need for either remote or physically-present identity proofing. Attributes could be asserted by CSPs to RPs in support of pseudonymous identity with verified attributes. A CSP that supports IAL2 can support IAL1 transactions if the user consents.

IAL3: Physical presence is required for identity proofing. Identifying attributes must be verified by an authorized and trained CSP representative. As with IAL2, attributes could be asserted by CSPs to RPs in support of pseudonymous identity with verified attributes. A CSP that supports IAL3 can support IAL1 and IAL2 identity attributes if the user consents.

Interestingly, the standard assumes that pseudonymous identity can be proofed…but this requires that SOMEONE know the actual identity.

And in practice, the “physical presence” requirement of IAL3 can be met by either being “in-person,” or in a “supervised remote” case. (This is needed to make sure that I don’t register with someone else’s face, for example.)

So when considering the robustness of any digital identity scheme, it’s necessary to ascertain whether the digital identity can reliably be mapped to a real life identity. This doesn’t necessarily mean that IAL1 is bad per se; in some cases, such as my old Radio Shack Battery Club example, a robust mapping to a real life identity is NOT necessary.

But in other cases, such as a need to gain entrance to a nuclear power plant, that reliable mapping IS essential.

Someone once said that I look like this guy. By US Embassy London – https://www.flickr.com/photos/usembassylondon/27595569992/, Public Domain, https://commons.wikimedia.org/w/index.php?curid=49663171

Why I created a LinkedIn Showcase Page for Bredemarket

It was Sunday, and I was thinking about something that I wanted to communicate to a potential client in the coming week. The potential client performs work in multiple areas, and had inquired about my assisting in one of those areas.

As I thought about solutions for that one section of the potential client’s website, I began wondering how that material could be repurposed in other channels, including LinkedIn. One solution, I realized, was for the client to set up a special “showcase page” on LinkedIn that was dedicated to this one area. Content from the website could then be repurposed for the showcase page.

If you are unfamiliar with LinkedIn Showcase Pages, they “are extensions of your LinkedIn Page, designed to spotlight individual brands, business units and initiatives.”

A notable example of the use of showcase pages is Adobe. Adobe has a company page, but since Adobe provides a plethora of products and services, it would be a firehose to cover EVERYTHING on the main Adobe page. So Adobe established showcase pages, such as its page for Adobe Experience Cloud, that allowed the company to go into greater detail for that particular topic.

But this doesn’t explain why I just created a showcase page for a Bredemarket customer segment. Actually, there are two reasons.

  • While Bredemarket provides its services to identity firms, technology firms, general business, and nonprofits, it’s no secret that Bredemarket’s most extensive experience is in the identity industry. Because of my experience in biometrics and secure documents, I know the messages that identity firms need to communicate to their customers and to the public at large. Because of this, I thought I’d create a showcase page dedicated solely to the services that Bredemarket can provide to identity firms.
  • There’s another reason why I created the showcase page – the “eating your own dog food” reason. If I’m going to talk about the use of LinkedIn Showcase Pages, wouldn’t it make sense for me to create my own?

So on Sunday I created the Bredemarket Identity Firm Services page on LinkedIn; you can find it at the https://www.linkedin.com/showcase/bredemarket-identity-firm-services/ URL.

And if your interest is specifically in identity, be sure to click the Follow button.