Tag Archives: identity

Communicating benefits (not features) to identity customers (Part 3 of 3)

[Link to part 1] | [Link to part 2] | [Link to part 4]

(Updated 4/16/2022 with additional benefits information.)

NOTE: After publishing the second post in this series, but before publishing this third post, I ran across other people in the identity industry who were asking the “So what?” question, but from a strategic perspective rather than a sales enablement perspective. I discuss this in my personal JEBredCal blog, in this post.

This is a continuation of two previous posts. In the first and second posts in this series, I initially explained the difference between benefits and features, and why you sometimes have to act like an irritating two-year old to convert a feature into a benefit (the “so what?” test). I also explained how benefit statements need to be tailored to particular stakeholders, and how there can be many stakeholders even for a simple procurement.

I promised in the second post that I planned to dive into issues more specific to identity customers, such as when a two hour response time matters, when a one minute response time matters, and when a one second response time matters. Unfortunately, I spent so much time talking about all the stakeholders that I never got around to that particular question.

I promise that I’ll get into it right now.

Two hours vs. one minute vs. one second

You may remember that in the first post, I listed several things that some people thought were benefits, but were actually features. The final three items in that list were the following:

  • This product can complete its processing in less than two hours.
  • This product can complete its processing in less than a minute.
  • This product can complete its processing in less than a second.

These feature statements are very similar, yet at the same time very different. As you might have guessed, these feature statements are associated with three different products that are targeted to different markets.

Two hours: rapid DNA

I already alluded to the first of the three feature statements, two hour response time, in an earlier post in this series. Although I didn’t say so that the time, this is an important feature for the “rapid DNA” systems sold by Thermo Fisher Scientific and ANDE. These systems are used for multiple purposes, including

  • examining crime scene DNA evidence,
  • identifying deceased disaster victims, and
  • checking to see if arrested individuals are wanted for more serious crimes.

The two hour rapid DNA processing time offers different benefits for these different use cases.

  • As I previously stated in my first example of a “so what?” test, the ability to run rapid DNA at booking keeps dangerous criminals from being released by identifying those who are wanted for serious crimes.
  • A two hour processing time for crime scene evidence solves crimes more quickly, and again potentially puts dangerous criminals in jail more quickly.
  • A two hour response for disaster victim identification brings peace of mind to family members whose relatives may have perished in a disaster.

(4/16/2022: For additional information on benefits, click here.)

Depending upon the target audience, a rapid DNA vendor must tailor its benefit statements accordingly.

One minute: real time AFIS

Next, I want to look at the one minute response time, which is something that I used to talk about over twenty-five years ago when “real time AFIS” became a reality.

Because of the limitations of early computers, it used to take hours or days to compare the features from a latent fingerprint against the features of fingerprints in a database of known criminals. The old computers, even when souped up with special processing equipment such as hardware matchers and hardware fingerprint processors, took a long time to perform all of the calculations needed to compare a fingerprint’s features against hundreds of thousands of other fingerprint features.

Around the time that I joined Printrak, real time AFIS became a reality, where it became cost-effective and technologically feasible to size systems to deliver those fingerprint matching results in a minute. Today, the FBI’s Repository for Individuals of Special Concern (RISC) advertises that it can identify high-priority criminals within seconds.

At the time (1994), real time AFIS was a big deal, and the proposals that I helped to write emphasized that crimes could be solved more quickly (for latent/crime scene fingerprint searches), and individuals could be identified more quickly (for tenprint/booking searches).

One second: computer aided dispatch

To explain the third feature statement about one second response times, I have to fast forward three years to 1997, when the company then known as Printrak acquired the computer aided dispatch (CAD) and records management systems (RMS) unit of SCC Communications Corp. Printrak acquired other companies that year, but the SCC acquisition ended up being the most important, since it led to Printrak’s acquisition by Motorola.

(Allow me to go off on a tangent for a minute. When Motorola sold the biometric part of the business to Safran, it chose to retain the CAD and RMS portions, which remain part of Motorola Solutions’ portfolio today. One other tidbit: one of the key SCC people who joined Printrak at the time eventually left Motorola, and now works for rapid DNA vendor ANDE. As we Californians would say, it’s a small world after all.)

Now while there are some parallels between CAD and the systems then known as automated FINGERPRINT identification systems (AFIS), there are some key differences in the markets that the two products address. We on the AFIS side learned this the hard way when we introduced ourselves to our new colleagues.

“Hi, SCC folks, welcome to Printrak. You’re joining a company that sells REAL TIME AFIS that delivers results within one minute! Aren’t you impressed?”

A screenshot of computer-aided dispatch as being used by Toronto Fire Services. By Hillelfrei – Own work, CC BY-SA 4.0, https://commons.wikimedia.org/w/index.php?curid=88913432

The ex-SCC people responded, gently disabusing us of our pretensions to speed.

“Hello, new corporate overlords. We provide computer aided dispatch systems that send police, fire, and medical personnel to crime scenes and emergency sites as soon as possible. If our CAD systems took AN ENTIRE MINUTE to dispatch personnel, PEOPLE WOULD DIE. We use really powerful computers to get personnel dispatched in a second. Enjoy your real time AFIS…amateurs.”

So the company Printrak learned that it needed separate benefit statements, depending upon the product line the company was promoting at any given time. The CAD customers received one set of benefit statements, while the AFIS customers received a separate set.

Conclusion (finally)

In short, you have to know your customer so that you can describe benefits that are important to your customer.

And if you’re an identity product/service provider that needs help in communicating customer benefits in proposals, case studies, white papers, blog posts, and similar written output, Bredemarket can help. Contact me.

https://bredemarket.com/bredemarket-and-identity-firms/

Communicating benefits (not features) to identity customers (Part 2 of 3)

[Link to part 1] | [Link to part 3] | [Link to part 4]

(Updated 4/16/2022 with additional information on benefits.)

This is a continuation of a previous post, in which I explained the difference between benefits and features, and why you sometimes have to act like an irritating two-year old to convert a feature into a benefit (the “so what?” test).

As I promised in that previous post, I plan to dive into issues more specific to identity customers, such as when a two hour response time matters, when a one minute response time matters, and when a one second response time matters.

Who are identity customers?

Before I dive into response times, let’s explain who identity customers are, because not all identity customers are alike.

When I use the term “identity” at Bredemarket, I am referring to any technology that can be used to identify an individual. This does not just relate to biometrics (fingerprint identification, facial recognition, etc.), but to any of the five factors of authentication that can identify an individual. A physical or digital driver’s license. A fob. A secret handshake. A geographic location. Even a password.

Obviously there are a ton of customers that use identification technologies, and they care about a ton of things.

Well, what if we focus our discussion and talk about a SINGLE product, such as automated biometric identification systems (ABIS)? We can market to all ABIS customers with a single set of benefit statements, right?

Um, no.

ABIS can be sold to all sorts of different customers, ranging from local police agencies to state welfare benefit administrators to national passport issuing agencies.

Well, what if we focus our discussion and talk about a SINGLE type of customer for a single product, such as the local law enforcement agencies that buy ABIS? We can market to all local law enforcement ABIS customers with a single set of benefit statements, right?

Um, no.

If I am going to sell an ABIS to the city of Ontario, California (sorry Thales), these are the types of customers (or target audiences) that I have to cover with separate benefit statements:

By FBI – http://www.fbi.gov/news/photos, Public Domain, https://commons.wikimedia.org/w/index.php?curid=18500900
  • The field investigators who run across biometric evidence at the scene of a crime, such as a knife with a fingerprint on it or a video feed showing someone breaking into a liquor store.
  • The examiners who look at crime scene evidence and use it to identify individuals.
  • The people who capture biometrics from arrested individuals at livescan stations.
  • The information technologies (IT) people who are responsible for ensuring that Ontario, California’s biometric data is sent to San Bernardino County, the state of California, perhaps other systems such as the Western Identification Network, and the Federal Bureau of Investigation.
  • The purchasing agent who has to make sure that all of Ontario’s purchases comply with purchasing laws and regulations.
  • The privacy advocate who needs to ensure that the biometric data complies with state and national privacy laws.
  • The mayor (Paul Leon as I write this), who has to deal with angry citizens asking why their catalytic converters are being stolen from their vehicles, and demanding to know what the mayor is doing about it.
  • Probably a dozen other stakeholders that I haven’t talked about yet, but who are influenced by the city’s purchasing decision.

As you can see, there are a ton of people who are going to read a proposal to provide an ABIS to a city, and they all have differing needs that need to be addressed…and different benefits that have to be emphasized.

Benefits of a feature are customer-dependent

Now let’s take one of my feature statements from my first post and try to convert it to a benefit for one or more of these stakeholders. I’m going to choose this one:

  • This product captures latent fingerprints at 1000 pixels per inch.

Right off the bat, I’ll tell you that 1000 ppi latent fingerprint capture doesn’t make a bit of difference to the majority of the stakeholders. Paul Leon isn’t going to care. The purchasing agent SHOULD care (1000 ppi data requires more storage than 500 ppi data, which translates to more cost), but probably isn’t going to know that he/she should care.

With the possible exception of the IT personnel, the only people that care about 1000 ppi capture are the examiners who use crime scene evidence and use it to identify individuals. And needless to say, the examiners that concentrate on face or iris or voice or DNA data aren’t going to care about a fingerprint capture specification.

So if I’m writing a proposal to the city of Ontario, California, I’m going to make sure that the latent fingerprint capture section of the proposal discusses my product’s ability to capture latent fingerprints at 1000 ppi.

Wait for it…

SO WHAT?

Absent the benefit of standards compliance that ensures that Ontario data can be processed by state and national systems, the chief benefit of 1000 ppi latent fingerprint capture is that it provides a higher probability that examiners can positively identify criminals and solve more crimes.

An explanation: because latent fingerprints are often of poor quality – the criminals don’t usually take the time to ensure that the fingerprint evidence they leave at crime scenes is readable – latent examiners often benefit from having higher-resolution 1000 ppi latent fingerprint images, rather than the lower-resolution 500 ppi latent fingerprint images that were common in 20th century fingerprint systems. This higher resolution can make it easier for a latent fingerprint examiner to match a latent to a criminal’s tenprint fingerprint from a previous arrest, leading to the “solve more crimes” benefit.

So you’re going to come up with separate benefit statements for examiners, separate ones for livescan operators, and separate benefit statements for each of the stakeholders. And each of these benefits will be enumerated in the section of the proposal that the individual stakeholder will read. (News flash: hardly anyone reads the entire proposal; they only read the section that pertains to them.)

(4/16/2022: For additional information on benefits, click here.)

What’s next?

Well, I never got around to my two hour vs. one minute vs. one second question, and this post is getting long, so I guess I’ll address that topic in a third post.

In the meantime, if you’re an identity product/service provider that needs help in communicating customer benefits in proposals, case studies, white papers, blog posts, and similar written output, Bredemarket can help. Contact me.

Communicating benefits (not features) to identity customers (Part 1 of 3)

[Link to part 2] | [Link to part 3] | [Link to part 4]

(Updated 4/16/2022 and 4/18/2022 with additional benefits and customer focus information.)

I wanted to take some time to specifically explain how to communicate benefits to identity customers. And I’ll take a lot of time, addressing the topic in three planned posts.

What are benefits?

When you write a proposal, case study, or other document that is targeted to identity customers, you need to communicate the benefits to the target audience.

But what are benefits?

It turns out that many people don’t know what benefits are.

Over the years I’ve had occasion to ask people to suggest some benefits to include in a document. Sometimes I’ve received responses that are similar to these:

  • This product is dual-purpose and supports both detection of speeders and detection of red light runners.
  • This product captures latent fingerprints at 1000 pixels per inch.
  • This product was a top tier performer in the recent NIST tests.
  • This product can complete its processing in less than two hours.
  • This product can complete its processing in less than a minute.
  • This product can complete its processing in less than a second.

These are all nice statements, but these aren’t BENEFIT statements.

These are statements of FEATURES.

The last three examples illustrate the issue. In certain markets, a two hour response time is very impressive In other markets, a one minute response time will result in getting somebody killed. (I’ll address the differences later.)

In my recent post about case studies, I linked to a Hubspot article that explained the difference between benefits and features. I didn’t dive into that article at the time, but I’ll do so now. Here is how Kayla Carmichael’s article explains the difference between the two.

Features describe what the product does, setting it apart from the competition. Benefits describe how the product can help the audience. For marketing messages, it’s typically better to go with a benefits-heavy approach, because benefits are what makes consumers purchase.

The “so what?” test

As you can see, benefits are customer-centric. In another Hubsport article, Aja Frost notes that one way to tell whether you’re dealing with a benefit or a feature is to ask the question “So what?”

(4/18/2022: For additional information on customer focus, click here.)

Let’s return to my first example above, “This product is dual-purpose and supports both detection of speeders and detection of red light runners.” Even if you’re a road safety customer, you may not care whether a particular device is dual-purpose or not.

Maybe you don’t care about both issues at a particular location on the road. If the road safety camera is placed on an interstate highway, red lights are obviously not an issue.

Maybe you don’t care about one of the issues at all. Perhaps local laws don’t allow for unmonitored devices that detect speeders.

Perhaps your agency doesn’t care if you have to put two devices—one for speed detection, one for red light detection—at the same location.

So if you encounter a statement that isn’t a benefit, you have to act like an irritating two-year old and ask “so what?” until you actually get a benefit statement.

By Mindaugas Danys from Vilnius, Lithuania, Lithuania – scream and shout, CC BY 2.0, https://commons.wikimedia.org/w/index.php?curid=44907034

This product can complete its processing in less than two hours.

SO WHAT?

“This product can complete its processing while the arrestee is still in custody, before the suspect is released.”

SO WHAT?

“This product can detect whether the arrestee is wanted for more serious charges while the arrestee is still in custody.”

SO WHAT?

“This product can identify arrestees who have outstanding warrants for murder before they are released to murder more people.”

That’s better.

(4/16/2022: For additional information on benefits, click here.)

What’s next?

Anyway, that’s the general concept of benefits vs. features. In a future post, I’ll dive into issues more specific to identity customers, such as when a two hour response time matters, when a one minute response time matters, and when a one second response time matters.

These differences make all the…um difference to identity customers.

Stay tuned.

In the meantime, if you’re an identity product/service provider that needs help in communicating customer benefits in proposals, case studies, white papers, blog posts, and similar written output, Bredemarket can help. Contact me.

The REAL ID deadline has been extended…again

Three days ago, I read a news item on LinkedIn that stated that the REAL ID deadline might be extended.

I reacted.

My response is a one-word response: “AGAIN?”

I admit to a bit of frustration. For years, some states resisted REAL ID because of federalism concerns. (When MorphoTrak was briefly trying to win driver’s license contracts by competing against our sibling MorphoTrust, I remember one state RFP that explicitly stated that the state would NOT comply with the REAL ID mandate.)

Finally, after hemming and hawing, all of the states agreed to become REAL ID compliant (15 years after the original mandate). Then, as people rushed to get REAL IDs, #covid19 hit and the driver’s license offices closed.

The offices are now open, but some people STILL haven’t gotten REAL ID.

Prediction: if the deadline is extended to 2022, significant numbers of people won’t have REAL IDs by 2022.

Well, I will never get the chance to see if my prediction was accurate, because in the end, the REAL ID deadline was NOT extended to 2022.

It was extended to 2023, according to sources. (As I write this, the DHS website has not yet been updated.)

The Department of Homeland Security will delay the requirement for air travelers to have a Real ID-compliant form of identification, pushing it back 19 months, DHS Secretary Alejandro Mayorkas said Tuesday.

The deadline was supposed to be Oct. 1, but it’s now being postponed until May 3, 2023. 

Here’s the rationale that Secretary Mayorkas provided.

“Extending the Real ID full enforcement deadline will give states needed time to reopen their driver’s licensing operations and ensure their residents can obtain a Real ID-compliant license or identification card.”

Of course, since may people object to REAL ID on principle, it could be extended again and again for ANOTHER fifteen-plus years and people STILL won’t get it.

How many vaccine certificates (not health passports) will citizens in Africa and elsewhere need to do anything?

This is a follow-up to my April 9 post, with a slight correction. I need to stop using the term “health passport,” and should instead use the term “vaccine certificate.” So starting now I’m doing that. Although I still think passports are cool, even if vaccine certificates aren’t passports.

An Ottoman passport (passavant) issued to Russian subject dated July 24, 1900. By FurkanYalcin3 – Own work, CC BY-SA 3.0, https://commons.wikimedia.org/w/index.php?curid=27699398

It’s also a follow-up to my February 16 post, which noted that there are a whole bunch of health pa- I mean vaccine certificates that are being marketed by various companies and organizations.

In addition to Clear’s Health Pass, there are a myriad of other options, including AOKpassCommonPass, IATA Travel Pass, IBM Digital Health Pass, the Mvine-iProov solutionScan2Fly from AirAsia, VaccineGuard from Guardtime, VeriFLY from Daon, the Vaccination Credential Initiative, and probably some others that I missed.

Obviously it takes a while to solve such issues, so you can’t expect that all of this would be resolved by April.

And you’re right.

As Chris Burt of FindBiometrics recently noted, the whole vaccine certificate issue was recently discussed by a panel at an ID4Africa webinar. Now even if you haven’t heard of the organization ID4Africa, you can reasonably conclude that the organization is in favor of…IDs for Africa.

And even they are a bit skittish about vaccine passports, at least for now.

Questions around how these digital health certificates should work, where and whether they should be used, and what can be done to mitigate the risks associated with them remain, and were explored by an international panel of experts representing major global organizations convened by ID4Africa. They found that too much remains unknown to inform final decisions…

The panel warned against rushing headlong into adoption of vaccine certificates without a better understanding of what they were, how they would work, and how individual information would be protected. And there are major questions all over the “how they would work” question, including the long-standing question of how vaccine certificates would be interoperable.

It quickly emerged that while several groups represented are working on similar projects, there are some key differences in goals.

The WHO is building specification which are intended to create digital records not for crossing borders or proving health status to any third party, but merely for continuity of care. Its working group also includes ICAO, IATA, and ISO, each of which have their own applications in mind for digital health credentials.

See the list above.

And even if you just look at the WHO’s project, it’s still not finalized. The present timeframe calls for a version 1.0 of its specification by the end of June, but timelines sometimes slip.

Chris Burt details many other issues in his article, but for purposes of my post, it’s relevant to say that it will be months if not years before we will see any sort of interoperability between vaccine certificates.

How many health passports will convention attendees need to revisit Las Vegas?

Two years ago, this picture wouldn’t look strange to me. Now it looks unusual.

ISC West, Las Vegas Nevada, 2017. https://twitter.com/JEBredCal/status/849649679016927233

I took this picture on the morning of April 5, 2017. I had just flown from Ontario, California to Las Vegas, Nevada to attend the ISC West show for a day, and would fly home that evening.

The idea of gathering thousands of businesspeople together in Las Vegas for a day obviously wasn’t unusual in 2017. While many think of Las Vegas as a playground, a lot of work goes on there also, and Las Vegas has superb facilities to host conventions and trade shows. So superb, in fact, that Oracle announced in late 2019 that it was moving its annual Oracle OpenWorld conference from San Francisco (up the road from Oracle’s headquarters) to Las Vegas.

But then 2020 happened.

One month after Oracle started planning for the Las Vegas debut of Oracle OpenWorld, the 2020 Consumer Electronics Show took place in Las Vegas. Unbeknownst to the 170,000 attendees at that show, they were unknowingly spreading a new illness, COVID-19. They did this by doing things that people always did at trade shows, including standing next to each other, shaking hands, and (in business-appropriate situations) embracing each other.

Of course, the CES attendees didn’t know that they were spreading coronavirus, and wouldn’t know this for a few months until after they had returned home to Santa Clara County, California and to other places all around the world. By the time that CES had been identified as a super spreader event, Las Vegas convention activities were already shutting down. The 2020 version of ISC West had already been postponed from March to July, was then re-postponed from July to October, and would eventually be cancelled entirely. Oracle OpenWorld’s September debut in Las Vegas was similarly cancelled. As other companies cancelled their Las Vegas conferences, the city went into a tailspin. (Anecdotally, one of my in-laws is a Teamster who works trade shows in Las Vegas and was directly affected by this.)

Today, one year after the economies of Las Vegas and other cities shut down, we in the United States are optimistically hoping that we have turned a corner. But it’s possible that we will not completely return to the way things were before 2020.

For example, before attending a convention in Las Vegas in the future, you might need to present a physical or digital “health passport” indicating a negative COVID-19 test and/or a COVID-19 vaccination. While governments may be reluctant to impose such requirements on private businesses, private businesses may choose to impose such requirements on themselves – in part, to reduce liability risk. After all, a convention organizer doesn’t want attendees to get sick at their conventions.

As I noted almost two months ago, there are a number of health passport options that are either available or being developed. This is both a good thing and a bad thing. It’s a bad thing for reasons that I noted in February:

In addition to Clear’s Health Pass, there are a myriad of other options, including AOKpassCommonPass, IATA Travel Pass, IBM Digital Health Pass, the Mvine-iProov solutionScan2Fly from AirAsia, VaccineGuard from Guardtime, VeriFLY from Daon, the Vaccination Credential Initiative, and probably some others that I missed….

But the wealth of health passports IS a problem if you’re a business. Imagine being at an airport gate and asking a traveler for a Clear Health Pass, and getting an angry reply from the traveler that he already has a VeriFLY pass and that the airline is infringing upon the traveler’s First and Second Amendment rights by demanding some other pass.

When I wrote this I wasn’t even thinking about convention attendance. In a worst-case scenario, Jane Conventioneer may need one health pass to board her flight, another health pass to enter her hotel, and a third health pass to get into the convention itself.

This could potentially be messier than I thought.

I really want to know (if this song is truly related to crime scene investigation)

I was performing some website maintenance this afternoon, and decided to add a page dedicated to Bredemarket’s services for identity firms. I was trying to think of an introductory illustration to go with the page, since the town crier can only go so far. So, claiming fair use, I decided that this image made perfect sense.

“Who Are You” by The Who. Fair use, https://en.wikipedia.org/w/index.php?curid=11316153

Now while use of the “Who Are You” album cover on a Bredemarket identity page makes perfect sense to me, it may not make sense to 6.9 billion other people. So I guess I should explain my line of thinking.

The link between human identification and the song “Who Are You” was established nearly two decades ago, when the television show “C.S.I. Crime Scene Investigation” started airing on CBS. TV shows have theme songs, and this TV show adopted a (G-rated) excerpt from the Who song “Who Are You” as its theme song. After all, the fictional Las Vegas cops were often tasked with identifying dead bodies or investigating crime scene evidence, so they would be expected to ask the question “who are you” a lot.

Which reminds me of two stories:

  • I actually knew a real Las Vegas crime scene investigator (Rick Workman), but by the time I knew him he was working for the neighboring city of Henderson.
  • CSI spawned a number of spinoffs, including “CSI:Miami.” When I was a Motorola product manager, CSI:Miami contacted us to help with a storyline involving a crime scene palm print. While Motorola software was featured in the episode, the GUI was jazzed up a bit so that it would look good on TV.

So this song (and other Who songs for the CSI spinoffs) is indelibly associated with police crime scene work.

But should it be?

After all, people think that “When a Man Loves a Woman” is a love song based upon its title. But the lyrics show that it’s not a love song at all.

When a man loves a woman
Down deep in his soul
She can bring him such misery
If she is playin’ him for a fool

So are we at fault when we associate Pete Townshend’s 1970s song “Who Are You” with crime scene investigation?

Yes, and no.

While the “who are you” question has nothing to do with figuring out who committed a crime, it DOES involve a policeman.

This song is based on a day in the life of Pete Townshend….

Pete left that bar and passed out in a random doorway in Soho (a part of New York). A policeman recognized him (“A policeman knew my name”) and being kind, woke him and and told him, “You can go sleep at home tonight (instead of a jail cell), if you can get up and walk away.” Pete’s response: “Who the f–k are you?”

Because it was the 1970s, the policeman did not try to identify the drunk Townshend with a mobile fingerprint device linked to a fingerprint identification system, or a camera linked to a facial recognition system.

Instead, the drunk Townshend questioned the authority of the policeman. Which is what you would expect from the guy who wrote the line “I hope I die before I get old.”

Speaking of which, did anybody notice that on the album cover for “Who Are You,” Keith Moon is sitting on a chair that says “Not to Be Taken Away”? Actually, they did…especially since the album was released on August 18, 1978 and Moon died on September 7.

While Moon’s death was investigated, no crime scene investigators were involved.

The five authentication factors

(Part of the biometric product marketing expert series)

I thought I had blogged about the five factors of authentication, either here or at jebredcal, but I guess I haven’t explicitly written a post just on this topic. (You’d expect an identity content marketing expert to do that.)

And I’m not going to do that today either (at least in any detail), because The Cybersecurity Man already did a good job at that (as have many others).

However, for those like me who get a little befuddled after authentication factor 3, I’m going to list all five authentication factors.

  • Something You Know. Think “password.” And no, passwords aren’t dead. But the use of your mother’s maiden name as an authentication factor is hopefully decreasing.
  • Something You Have. I’ve spent much of the last ten years working with this factor, primarily in the form of driver’s licenses. (Yes, MorphoTrak proposed driver’s license systems. No, they eventually stopped doing so. But obviously IDEMIA North America, the former MorphoTrust, has implemented a number of driver’s license systems.) But there are other examples, such as hardware or software tokens.
  • Something You Are. I’ve spent…a long time with this factor, since this is the factor that includes biometrics modalities (finger, face, iris, DNA, voice, vein, etc.). It also includes behavioral biometrics, provided that they are truly behavioral and relatively static.
  • Something You Do. The Cybersecurity Man chose to explain this in a non-behavioral fashion, such as using swiping patterns to unlock a device. This is different from something such as gait recognition, which supposedly remains constant and is thus classified as behavioral biometrics.
  • Somewhere You Are. This is an emerging factor, as smartphones become more and more prevalent and locations are therefore easier to capture. Even then, however, precision isn’t always as good as we want it to be. For example, when you and a few hundred of your closest friends have illegally entered the U.S. Capitol, you can’t use geolocation alone to determine who exactly is in Speaker Pelosi’s office.

Now when these factors are combined via multi-factor authentication, there is a higher probability that the person is who they claim to be. If I enter the password “12345” AND I provide a picture of my driver’s license AND I provide a picture of my face AND I demonstrate the secret finger move AND I am within 25 feet of my documented address, then there is a pretty good likelihood that I am me, despite the fact that I used an extremely poor password.

I don’t know if anyone has come up with a sixth authentication factor yet. But I’m sure someone will if it hasn’t already been done. And then I’ll update to update this post in the same way I’ve been updating my Bredemarket 2021 goals.

Four of my identity information sources that I have created over the years, including one that you can access in the next ten seconds

How many of us keep on doing the same thing, but just use different tools to do it?

For example, I am going to provide four examples of ways…I mean, for example, I am going to list four ways in which I have disseminated identity information to various internal and external audiences over the last fifteen years. Three of these methods had restricted access and some are no longer available, but the last one, Bredemarket Identity Firm Services, is publicly available to you TODAY.

You can get to this information source in ten seconds if you like. If you’re a TL;DR kind of person, click here.

For the rest of you, read on to see how I used COMPASS (most of you haven’t heard of COMPASS), SharePoint (you’ve heard of that), email (you’ve definitely heard of that), and LinkedIn (ditto) to share information.

Take One: Using Motorola Tools

For the first identity information source, let’s go back about fifteen years, when I was a product manager at Motorola (before The Bifurcation). Motorola had its own intranet, called COMPASS, which all of us Motorolans would use to store information except when we didn’t.

Using this intranet, I created a page entitled “Biometric Industry Information,” in which I pasted links and short descriptions of publicly-available news items. I’m not sure how useful this information source was to others, but I referred to it frequently.

Eventually Motorola sold our business unit to Safran, and “Biometric Industry Information” was lost in the transition. For all I know it may be available on some Motorola Solutions intranet page somewhere, though I doubt it.

Take Two: An Industry-Standard Tool and an Expanded Focus

The second identity information source was created a few years later, when I was an employee of MorphoTrak. Two things had changed since the Motorola days:

  • MorphoTrak’s parent company Safran didn’t use the Motorola intranet solution. Instead, it used an industry-standard intranet solution, SharePoint. This was tweaked at each of the individual Safran companies and regions, but it was pretty much a standard solution.
  • The second change was in the breadth of my interests, as I realized that biometrics was only part of an identity solution. Yes, an identity solution could use biometrics, but it could also used the driver’s licenses that MorphoTrak was slated to produce (but didn’t), and other security methods besides.

So when I recreated my Motorola information source, the new one at MorphoTrak was a Microsoft SharePoint list entitled “Identity Industry Information.”

Again, I’m not sure whether others benefited from this, but I certainly did.

Take Three: Taking Over an Email List

The third iteration of my information source wasn’t created by me, but was created about a decade ago at a company known as L-1 Identity Solutions. For those who know the company, L-1 was a conglomeration of multiple small acquisitions that provided multiple biometric solutions, secure document solutions, and other products and services. Someone back then decided that a daily newsletter covering all of L-1’s markets would be beneficial to the company. This newsletter began, and continued after Safran acquired L-1 Identity Solutions and renamed it MorphoTrust.

MorphoTrust and my company MorphoTrak remained separate entities (for security reasons) until Oberthur acquired some of Safran’s businesses and formed IDEMIA. In North America, this resulted in the de facto acquisition of MorphoTrak by MorphoTrust, and some significant shifting in organizational charts and responsibilities.

As a result of these changes, I ended up taking over the daily newsletter, tweaking its coverage to better meet the needs of today, and (in pursuit of a personal annual goal) expanding its readership. (This email was NOT automatically sent to everyone in the company; you had to opt in.)

Now some may believe that email is dead and that everyone should be on Volley or Clubhouse, but email does serve a valid purpose. As a push technology, emails are provided to you every day.

OK, every five seconds.

But modern email systems (including those from Microsoft and Google) provide helpful tools to help you manage your email. This allowed people to prioritize their reading of my daily newsletter, or perhaps de-prioritize it.

Two years later IDEMIA underwent another organizational change, and I was no longer responsible for the daily newsletter. Last I heard, the daily newsletter still continues.

Take Four: Market Me, Benefit You

Eventually I left IDEMIA and started Bredemarket, and the identity industry became one of the industries that I targeted for providing Bredemarket’s services. To build myself as an identity industry authority, and to provide benefits to identity industry firms, I needed to market specifically to that segment. While my online marketing outlets were primarily focused on my website, I was also marketing via LinkedIn and Facebook. My LinkedIn marketing was primarily though the Bredemarket LinkedIn company page.

In late November, I decided to create a LinkedIn Showcase page entitled Bredemarket Identity Firm Services. While the page was initially created for other reasons, I eventually settled into a routine of sharing identity industry information via the page.

Like I’ve done one thousand times before.

I’m trying to add new content to Bredemarket Identity Firm Services on a daily basis. It’s primarily content from other sources, but sometimes my own content (such as this post) will find its way in there also. And, as in the example above, I’ll occasionally include editorial comments on others’ posts.

So if you’re on LinkedIn and would find such content useful to you, go to the showcase page and click the “Follow” button.

P.S. I have a technology showcase page also.

Identity assurance levels (IALs) and digital identity

(Part of the biometric product marketing expert series)

There is more and more talk about digital identity, especially as COVID-19 accelerates the move to contactless and remote transactions. However, there are many types of digital identity, ranging from a Colorado, Louisiana, or Oklahoma digital driver’s license to your Facebook, Google, or Microsoft ID to the online equivalent of my old Radio Shack Battery Club card.

All of these different types of digital identities suggest that some identities are more rigorous than others. For example, I’ve lost track of how many digital identities I’ve created with Google over the years, but if California ever gets around to implementing a digital driver’s license, I’ll only have one of them. (And I won’t be able to get another license in Nevada.)

In this particular case, the government IS here to help.

The U.S. National Institute of Standards and Technology has defined “identity assurance levels” (IALs) that can be used when dealing with digital identities. It’s helpful to review how NIST has defined the IALs. (I’ll define the other acronyms as we go along.)

Assurance in a subscriber’s identity is described using one of three IALs:

IAL1: There is no requirement to link the applicant to a specific real-life identity. Any attributes provided in conjunction with the subject’s activities are self-asserted or should be treated as self-asserted (including attributes a [Credential Service Provider] CSP asserts to an [Relying Party] RP). Self-asserted attributes are neither validated nor verified.

IAL2: Evidence supports the real-world existence of the claimed identity and verifies that the applicant is appropriately associated with this real-world identity. IAL2 introduces the need for either remote or physically-present identity proofing. Attributes could be asserted by CSPs to RPs in support of pseudonymous identity with verified attributes. A CSP that supports IAL2 can support IAL1 transactions if the user consents.

IAL3: Physical presence is required for identity proofing. Identifying attributes must be verified by an authorized and trained CSP representative. As with IAL2, attributes could be asserted by CSPs to RPs in support of pseudonymous identity with verified attributes. A CSP that supports IAL3 can support IAL1 and IAL2 identity attributes if the user consents.

Interestingly, the standard assumes that pseudonymous identity can be proofed…but this requires that SOMEONE know the actual identity.

And in practice, the “physical presence” requirement of IAL3 can be met by either being “in-person,” or in a “supervised remote” case. (This is needed to make sure that I don’t register with someone else’s face, for example.)

So when considering the robustness of any digital identity scheme, it’s necessary to ascertain whether the digital identity can reliably be mapped to a real life identity. This doesn’t necessarily mean that IAL1 is bad per se; in some cases, such as my old Radio Shack Battery Club example, a robust mapping to a real life identity is NOT necessary.

But in other cases, such as a need to gain entrance to a nuclear power plant, that reliable mapping IS essential.

Someone once said that I look like this guy. By US Embassy London – https://www.flickr.com/photos/usembassylondon/27595569992/, Public Domain, https://commons.wikimedia.org/w/index.php?curid=49663171