Why is Morph Detection Important?

We’re all familiar with the morphing of faces from subject 1 to subject 2, in which there is an intermediate subject 1.5 that combines the features of both of them. But did you know that this simple trick can form the basis for fraudulent activity?

Back in the 20th century, morphing was primarily used for entertainment purposes. Nothing that would make you cry, even though there were shades of gray in the black or white representations of the morphed people.

Godley and Creme, “Cry.”
Michael Jackson, “Black or White.” (The full version with the grabbing.) The morphing begins about 5 1/2 minutes into the video.

But Godley, Creme, and Jackson weren’t trying to commit fraud. As I’ve previously noted, a morphed picture can be used for fraudulent activity. Let me illustrate this with a visual example. Take a look at the guy below.

From NISTIR 8584.

Does this guy look familiar to you? Some of you may think he kinda sorta looks like one person, while others may think he kinda sorta looks like a different person.

The truth is, the person above does not exist. This is actually a face morph of two different people.

From NISTIR 8584.

Now imagine a scenario in which a security camera is patrolling the entrance to the Bush ranch in Crawford, Texas. But instead of having Bush’s facial image in the database, someone has tampered with the database and inserted the “Obushama” image instead…and that image is similar enough to Barack Obama to allow Obama to fraudulently enter Bush’s ranch.

Or alternatively, the “Obushama” image is used to create a new synthetic identity, unconnected to either of the two.

But what if you could detect that a particular facial image is not a true image of a person, but some type of morph attempt? NIST has a report on this:

“To address this issue, the National Institute of Standards and Technology (NIST) has released guidelines that can help organizations deploy and use modern detection methods designed to catch morph attacks before they succeed.”

The report, “NIST Interagency Report NISTIR 8584, Face Analysis Technology Evaluation (FATE) MORPH Part 4B: Considerations for Implementing Morph Detection in Operations,” is available in PDF form at https://doi.org/10.6028/NIST.IR.8584.

And a personal aside to anyone who worked for Safran in the early 2010s: we’re talking about MORPH detection, not MORPHO detection. I kept on mistyping the name as I wrote this.

An IMEI Number Is NOT Unique to Each Mobile Phone

(Imagen 3)

Have you ever used the phrase “sort of unique”? Something is either unique or it isn’t. And International Mobile Equipment Identity (IMEI) numbers fail the uniqueness test.

Claims that International Mobile Equipment Identity (IMEI) numbers are unique

Here’s what a few companies say about the IMEI number on each mobile phone. Emphasis mine.

  • Thales: “The IMEI (International Mobile Equipment Identity) number is a unique 15-digit serial number for identifying a device; every mobile phone in the world has one.”
  • Verizon: “An IMEI stands for International Mobile Equipment Identity. Think of it as your phone’s fingerprint — it’s a 15-digit number unique to each device.”
  • Blue Goat Cyber: “In today’s interconnected world, where our smartphones have become an indispensable part of our lives, it is essential to understand the concept of IMEI – the International Mobile Equipment Identity. This unique identifier plays a crucial role in various aspects of our mobile devices, from security to tracking and repairs.”

These and other descriptions of the IMEI prominently use the word “unique.” Not “sort of unique,” but “unique.”

Which means (for non-person entities, just like persons) that if someone can find a SINGLE reliable instance of more than one mobile phone having the same IMEI number, then the claim of uniqueness falls apart completely.

Examples of non-uniqueness of IMEI numbers on mobile phones

People who claim IMEI uniqueness obviously didn’t read my Bredemarket blog post of April 1, in which I WASN’T fooling.

  • I talked about an incident in India in which a cyber fraud operation “specialised in IMEI cloning.”
  • And an incident in Canada in which someone was scammed out of C$1,000, even though the phone had a valid IMEI.

IMEICheck.net even tells you (at a high level) how to clone an IMEI. It’s not easy, but it’s not impossible.

“In theory, hackers can clone a phone using its IMEI, but this requires significant effort. They need physical access to the device or SIM card to extract data, typically using specialized tools.

“The cloning process involves copying the IMEI and other credentials necessary to create a functional duplicate of the phone. However, IMEI number security features in modern devices are designed to prevent unauthorized cloning.”

So don’t claim an IMEI is unique when there is evidence to the contrary. As I said in my April post:

“NOTHING provides 100.00000% security. Not even an IMEI number.”
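The Canadian case above involved a phone with a “valid” IMEI, and the following added example (not from the original post or from any of the vendors quoted) shows why validity says nothing about uniqueness: the 15th digit of an IMEI is a Luhn check digit, so a copied number passes the format check, and only comparing records exposes the reuse. The account IDs, the record layout, and the sample observations are constructed assumptions.

```python
from collections import defaultdict


def luhn_valid(imei: str) -> bool:
    """True if imei is 15 digits and its last digit is the correct Luhn check digit."""
    if len(imei) != 15 or not imei.isdigit():
        return False
    total = 0
    # Walk right to left, doubling every second digit (the check digit itself is not doubled).
    for pos, ch in enumerate(reversed(imei)):
        d = int(ch)
        if pos % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def audit_imeis(records):
    """records: iterable of (imei, account_id) pairs (hypothetical layout).

    Returns (malformed, shared):
      malformed - sorted IMEIs that fail the length/Luhn check
      shared    - {imei: sorted account ids} for well-formed IMEIs seen
                  with more than one account
    A shared IMEI is a signal to review, not proof of cloning: a resold
    handset also shows up under two accounts.
    """
    malformed = set()
    seen = defaultdict(set)
    for imei, account in records:
        if luhn_valid(imei):
            seen[imei].add(account)
        else:
            malformed.add(imei)
    shared = {i: sorted(a) for i, a in seen.items() if len(a) > 1}
    return sorted(malformed), shared


# Constructed sample observations; the IMEIs are illustrative test values.
SAMPLE = [
    ("490154203237518", "acct-A"),
    ("490154203237518", "acct-A"),  # same device, same account: nothing to flag
    ("356938035643809", "acct-B"),
    ("356938035643809", "acct-C"),  # well-formed IMEI, second account
    ("490154203237519", "acct-D"),  # wrong check digit
]

if __name__ == "__main__":
    malformed, shared = audit_imeis(SAMPLE)
    print("fails format check:", malformed)
    print("well-formed but shared:", shared)
```
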

What does this mean for your identity product?

If you offer an identity product, educate your prospects and avoid unsupportable claims. While a few prospects may be swayed by “100%” claims, the smarter ones will appreciate more supportable statements, such as “Our facial recognition algorithm demonstrated a 0.0022 false non-match rate in the mugshot:mugshot NIST FRTE 1:1 laboratory testing.”

When you are truthful in educating your prospects, they will (apologies in advance for using this overused word) trust you and become more inclined to buy from you.

If you need help in creating content (blog posts, case studies, white papers, proposals, and many more), work with Bredemarket to create the customer-focused content you need. Book a free meeting with me.

What is the Proper Identity Assurance Level (IAL) for Employer Identification Number (EIN) Assignment?

(Imagen 4)

In the latest Know Your Business brouhaha, the Treasury Inspector General for Tax Administration (TIGTA) has questioned some potential gaps in the assignment of an Employer Identification Number, or EIN.

It seems that some so-called “businesses” are using an EIN as a facade for illegal activity…and insufficient identity assurance is preventing the fraudsters from being caught.

Obtaining Employer Identification Numbers to commit tax fraud

What is an EIN? In the same way that U.S. citizens have Social Security Numbers, U.S. businesses have Employer Identification Numbers. It’s not a rigorous process to get an EIN; heck, Bredemarket has one.

But maybe it needs to be a little more rigorous, according to TIGTA.

“EINs are targeted and used by unscrupulous individuals to commit fraud. In July 2021, we reported that there were hundreds of potentially fraudulent claims for employer tax credits….Further, in April 2024, our Office of Investigations announced that it helped prevent $3.5 billion from potentially being paid to fraudsters. Our special agents identified a scheme where individuals obtained an EIN for the sole purpose of filing business tax returns to improperly claim pandemic-related tax credits.”

Yes, that’s $3.5 billion with a B. That’s a lot of fraud.

Perhaps the pandemic has come and gone, but the temptation to file fraudulent business tax returns with an improperly-obtained EIN continues.

Enter the Identity Assurance Level

So how does the Internal Revenue Service (IRS) gatekeep the assignment of EINs?

By specifying an Identity Assurance Level (IAL) before assigning an EIN.

Specifically, Identity Assurance Level 1.

“In December 2024, the IRS completed the annual reassessment of the Mod IEIN system. The IRS rated the identity proofing and authentication requirements at Level 1 (the same level as the initial assessment in January 2020).”

IAL1 doesn’t “assure” anything…except continued tax fraud

If you’ve read the Bredemarket blog or other biometric publications, you know that IAL1 is, if I may use a technical term, a “nothingburger.” The National Institute of Standards and Technology (NIST) says this about IAL1:

“There is no requirement to link the applicant to a specific real-life identity. Any attributes provided in conjunction with the subject’s activities are self-asserted or should be treated as self-asserted (including attributes a CSP asserts to an RP). Self-asserted attributes are neither validated nor verified.”

If that isn’t a shady way to identify a business, I don’t know what is.

Would IAL2 or IAL3 be better for EIN assignment?

These days it’s probably unreasonable to require every business to use Identity Assurance Level 3 (discussed in the Bredemarket post “Identity Assurance Level 3 (IAL3): When Identity Assurance Level 2 (IAL2) Isn’t Good Enough”) to obtain an EIN. As a reminder, IAL3 requires either in-person or supervised proof of identity.

But I agree with TIGTA’s assertion that Identity Assurance Level 2, with actual evidence of the real-world identity, should be the minimum.

Does your firm offer an IAL2/IAL3 product?

And if your identity/biometric firm offers a product that conforms to IAL2 or IAL3, and you need assistance creating product marketing content, talk to Bredemarket.

Identity Assurance Level 3 (IAL3): When Identity Assurance Level 2 (IAL2) Isn’t Good Enough

(Picture designed by Freepik.)

(Part of the biometric product marketing expert series)

I’ve talked about Identity Assurance Levels 1, 2, and 3 on several occasions. Most notably regarding Login.gov’s initial failure to adhere to Identity Assurance Level 2 (IAL2). (Old news; after the pilot, Login.gov is now certified for IAL2.)

But as usually happens, IAL2 is yesterday’s news. Because biometric tech always gets harder better faster stronger.

Refresher on IAL1, IAL2…and IAL3

Let’s review the three identity assurance levels.

For our purposes, the big difference between IAL2 and IAL3 is that IAL2 allows “either remote or physically-present identity proofing,” while IAL3 requires “[p]hysical presence” for identity proofing. However, the proofing agent may “attend the identity proofing session via a CSP-controlled kiosk or device.” In other words, supervised enrollment.

When do you need IAL3? Mitek’s Adam Bacia clarifies:

“IAL3 is reserved for high-risk environments such as sensitive government services.”

How are solutions approved for a particular Identity Assurance Level?

Now I could get on my product marketing soapbox and loudly proclaim that my service is IAL2 compliant, or IAL3 compliant, or IAL4 compliant. (“What? You don’t know about IAL4? Obviously you’re not authorized to know about it.”)

But I doubt you would, um, trust my declaration.

Enter the Kantara Initiative, which manages an Identity Assurance Approval Process. For our purposes, we want to focus on the NIST 800-63 rev.3 class of approval:

“Available to Credential Service Providers offering Full or Component Credential Management Services. Modeled on best practice (drawing from, among other sources, ISO/IEC 27001, ISO/IEC 29115), this Class of Approval ensures the provider organization’s good standing and management / operational practices and assesses criteria which are derived strictly from NIST SP 800-63 rev.3 requirements, ensuring a conformant technical provision of the provider organization’s service.

“Assurance Levels: IAL2, IAL3; AAL2, AAL3; FAL2, FAL3”

  • You see that the Kantara Initiative doesn’t even offer an approval for IAL1, just for IAL2 and IAL3.
  • It also offers approvals for AAL2 and AAL3. I’ve previously discussed Authenticator Assurance Levels (AALs) in this post. Briefly, IALs focus on the initial identity proofing, while AALs focus on the authentication of a proven identity.
  • And you can also see that it offers approvals for FAL2 and FAL3. I’ve never discussed Federation Assurance Levels (FALs) before.

Component Services IAL2 approvals…and an IAL3 approval

Now if you go to the Kantara Initiative’s Trust Status List and focus on the Component Services, you’ll see a number of companies and their component services which are approved for NIST 800-63 rev.3 and offer an assurance level of IAL2.

With one exception.

“NextgenID Trusted Services Solution provides Supervised Remote Identity Proofing identity stations to collect, review, validate, proof, and package IAL-3 identity evidence and enrollment data for CSPs operating at IAL-3. The NextGenID TSS Identity Stations enable remote operators to remotely supervise NIST SP 800-63A compliant Supervised Remote Identity Proofing (SRIP) sessions for credentialing.”

So if remote identity assurance is not good enough for you, there’s a solution. I’ve already discussed NextgenID’s SUPERVISED remote identity proofing in this post. And there’s a video.

Trust Swiftly has also designed a remote IAL3 solution, but I couldn’t find Trust Swiftly on the Kantara Initiative’s Trust Status List. Perhaps it was processed under another accredited assessor.

But clearly biometric product marketers are paying attention to the identity assurance levels…at least the real ones (not IAL4). But are they communicating benefit-oriented messages to their prospects?

Biometric product marketing has to be targeted to the right people, with the right message. And the biometric product marketing expert at Bredemarket can help a company’s marketing organization create effective content. Talk to Bredemarket.

What is a Fingerprint Ridge Ending?

(Image from NIST)

(Part of the biometric product marketing expert series)

If you hear a fingerprint person discussing a “ridge ending,” the definition is pretty simple.

“This minutia illustrates an abrupt end to a continuous ridge path.”

And if you think of fingerprint ridges as black lines on a white background, then a ridge ending is the exact opposite of a bifurcation.

And I wrote this post to prove…a point.

FBI, DoD, DHS, and Other Biometric Standards

(Imagen 4)

When I started in biometrics 30 years ago, the most important operational biometric standard to me was what was then called the Electronic Fingerprint Transmission Specification or EFTS, published by the Department of Justice’s Federal Bureau of Investigation (FBI). 

Record types from the 1993 ANSI/NIST standard.

Unlike the ANSI/NIST biometric data interchange standard, the EFTS can actually be used out of the box to transmit data. The ANSI/NIST standard doesn’t define any “Type 2” fields, nor does it define any “types of transactions” (TOTs). EFTS did.

Other standards

But the EFTS, now the FBI’s Electronic Biometric Transmission Specification or EBTS (downloadable here), isn’t the only biometric transmission standard derived from ANSI/NIST.

  • State police agencies have their own law enforcement transmission standards. Here’s New York’s version (PDF).
  • Other U.S. federal agencies such as the U.S. Departments of Defense and Homeland Security have transmission standards.
  • Other countries have their own transmission standards.
  • Multinational agencies such as INTERPOL have their own transmission standards.

Luckily all the different standards have some basic similarities, but if you have a mobile biometric device that must submit to DOJ and DoD and DHS, you need to switch to the proper profile for each submission.

Last week I downloaded two different standards so I could understand the TOTs. I would have downloaded a third, but the agency restricts its distribution.

Word up

But I will tell you the biggest frustration I have with the standards.

In the EBTS and some other standards, there is a type of transaction referred to as “Criminal Ten-Print Submission (No Answer Necessary).” The abbreviation for this TOT is CNA.

Microsoft Word in default mode auto-corrects this from CNA to CAN.

Imagen 4.

CMOs, I can help you

But I’ve overcome this frustration over 30 years of immersing myself in all things biometric-translation related. This experience is benefiting a Bredemarket client that communicates with end customers regarding many of these standards.

Can my experience benefit you as your organization produces content, proposal, and analysis materials on a deadline? If Bredemarket can help you catch up or get ahead, let’s talk.

Tech marketers, are you afraid?

What is a Fingerprint Bifurcation?

(Image from NIST)

(Part of the biometric product marketing expert series)

If you hear a fingerprint person discussing a “bifurcation,” the definition is pretty simple.

“The point at which one friction ridge divides into two friction ridges.”

And if you think of fingerprint ridges as black lines on a white background, then a bifurcation is the exact opposite of a ridge ending.

The fingerprint image is from an appendix to the National Institute of Standards and Technology’s 2003 Fingerprint Vendor Technology Evaluation (FpVTE).

Yeah, THAT FpVTE. I remember it well from my days at Motorola…not a “top 3” vendor.

Imagen 4.

Worries About the Certified Communist Products List

(Imagen 4)

(Part of the biometric product marketing expert series)

How many of you have heard of the Certified Products List (CPL)?

The CPL’s vendor coverage

This list, part of the FBI’s Biometric Specifications website (FBI Biospecs), contains fingerprint card printers, fingerprint card scan systems, identification flats systems, live scan systems, mobile ID devices, and other products. Presence on the CPL indicates that the product complies with a relevant image quality specification such as Appendix F of the Electronic Biometric Transmission Specification.

The Certified Products List has existed since the 1990s and includes a number of products with which I am familiar. These products come from companies past and present, including 3M Cogent, Aware, Biometrics4All, Cross Match, DataWorks Plus, IDEMIA Identity & Security France, Identicator, Mentalix, Morpho, Motorola, NEC Technologies, Printrak, Sagem Defense Securite, Thales, and many others.

As of June 26, 2025, it also references companies such as Shenzhen Interface Cognition Technology Co., Ltd. and Shenzhen Zhi Ang Science and Technology Co., Ltd.

A strongly worded letter

Those and other listings caused heartburn for the bipartisan Members of the U.S. House of Representatives Select Committee on the Chinese Communist Party.

So they sent a strongly worded letter.

“We write to respectfully urge the FBI to put an end to its ongoing certification of products from Chinese military-linked and surveillance companies—including companies blacklisted or red-flagged by the U.S. government—that could be used to spy on Americans, strengthen the repressive surveillance state of the People’s Republic of China (PRC), and otherwise threaten U.S. national security.”

Interestingly enough, they make a big deal of Hikvision products on the list, but I searched the CPL multiple times and found no Hikvision products.

The CPL’s purpose

And it’s important to note the FBI’s own caveat about the CPL:

The Certified Product List (CPL) provides users with a list of products that have been tested and are in compliance with Next Generation Identification image quality specifications (IQS) regarding the capture of friction ridge images. Specifications and standards other than image quality may still need to be met. Appearance on the CPL is not, and should not be construed as, an FBI endorsement, nor should it be relied upon for any requirement beyond IQS. Users should contact their State CJIS Systems Officer (CSO) or Information Security Officer (ISO) to ensure compliance with the necessary policies and/or guidelines.

In other words, the ONLY purpose of the CPL is to indicate whether the products in question meet technology standards. It has nothing to do with export controls or any other criteria that any law enforcement agency needs to follow when buying a product.

What about the U.S. Department of Commerce?

But the FBI isn’t the only agency “promoting” Chinese biometrics.

Wait until the Select Committee discovers the Department of Commerce’s NIST FRTE lists, including the FRTE 1:1 and FRTE 1:N lists. The tops of these lists (previously known as FRVT) include many Chinese companies.

And actually, the FRTE testing includes facial recognition products that inspired U.S. export bans. Fingerprint devices are harder to use to repress people.

What next?

What happens if the concern extends beyond China, to products produced in France and products produced in Canada?

Regarding the strongly worded letter, Biometric Update added one detail:

“As of this writing, the FBI has not issued a public response. Whether the bureau will move to decertify the flagged companies or push back on the committee’s recommendations remains to be seen. But with multiple national security statutes already in place, and Congress signaling a willingness to legislate further, the days of quiet certification for foreign adversary-linked tech firms may be numbered.”