Identity Assurance Level 3 (IAL3): When Identity Assurance Level 2 (IAL2) Isn’t Good Enough

(Part of the biometric product marketing expert series)

I’ve talked about Identity Assurance Levels 1, 2, and 3 on several occasions. Most notably regarding Login.gov’s initial failure to adhere to Identity Assurance Level 2 (IAL2). (Old news; after the pilot, Login.gov is now certified for IAL2.)

But as usually happens, IAL2 is yesterday’s news. Because biometric tech always gets harder better faster stronger.

Refresher on IAL1, IAL2…and IAL3

Let’s review the three identity assurance levels.

For our purposes, the big difference between IAL2 and IAL3 is that IAL2 allows “either remote or physically-present identity proofing,” while IAL3 requires “[p]hysical presence” for identity proofing. However, the proofing agent may “attend the identity proofing session via a CSP-controlled kiosk or device.” In other words, supervised enrollment.

When do you need IAL3? Mitek’s Adam Bacia clarifies:

“IAL3 is reserved for high-risk environments such as sensitive government services.”

How are solutions approved for a particular Identity Assurance Level?

Now I could get on my product marketing soapbox and loudly proclaim that my service is IAL2 compliant, or IAL3 compliant, or IAL4 compliant. (“What? You don’t know about IAL4? Obviously you’re not authorized to know about it.”)

But I doubt you would, um, trust my declaration.

Enter the Kantara Initiative, which manages an Identity Assurance Approval Process. For our purposes, we want to focus on the NIST 800-63 rev.3 class of approval:

“Available to Credential Service Providers offering Full or Component Credential Management Services. Modeled on best practice (drawing from, among other sources, ISO/IEC 27001, ISO/IEC 29115), this Class of Approval ensures the provider organization’s good standing and management / operational practices and assesses criteria which are derived strictly from NIST SP 800-63 rev.3 requirements, ensuring a conformant technical provision of the provider organization’s service.

“Assurance Levels: IAL2, IAL3; AAL2, AAL3; FAL2, FAL3”

  • You see that the Kantara Initiative doesn’t even offer an approval for IAL1, just for IAL2 and IAL3.
  • It also offers approvals for AAL2 and AAL3. I’ve previously discussed Authenticator Assurance Levels (AALs) in this post. Briefly, IALs focus on the initial identity proofing, while AALs focus on the authentication of a proven identity.
  • And you can also see that it offers approvals for FAL2 and FAL3. I’ve never discussed Federation Assurance Levels (FALs) before.

Component Services IAL2 approvals…and an IAL3 approval

Now if you go to the Kantara Initiative’s Trust Status List and focus on the Component Services, you’ll see a number of companies and their component services which are approved for NIST 800-63 rev.3 and offer an assurance level of IAL2.

With one exception.

“NextgenID Trusted Services Solution provides Supervised Remote Identity Proofing identity stations to collect, review, validate, proof, and package IAL-3 identity evidence and enrollment data for CSPs operating at IAL-3. The NextGenID TSS Identity Stations enable remote operators to remotely supervise NIST SP 800-63A compliant Supervised Remote Identity Proofing (SRIP) sessions for credentialing.”

So if remote identity assurance is not good enough for you, there’s a solution. I’ve already discussed NextgenID’s SUPERVISED remote identity proofing in this post. And there’s a video.

Trust Swiftly has also designed a remote IAL3 solution, but I couldn’t find Trust Swiftly on the Kantara Initiative’s Trust Status List. Perhaps it was processed under another accredited assessor.

But clearly biometric product marketers are paying attention to the identity assurance levels…at least the real ones (not IAL4). But are they communicating benefit-oriented messages to their prospects?

Biometric product marketing has to be targeted to the right people, with the right message. And the biometric product marketing expert at Bredemarket can help a company’s marketing organization create effective content. Talk to Bredemarket.

What is a Fingerprint Ridge Ending?

(Image from NIST)

(Part of the biometric product marketing expert series)

If you hear a fingerprint person discussing a “ridge ending,” the definition is pretty simple.

“This minutia illustrates an abrupt end to a continuous ridge path.”

And if you think of fingerprint ridges as black lines on a white background, then a ridge ending is the exact opposite of a bifurcation.

And I wrote this post to prove…a point.

FBI, DoD, DHS, and Other Biometric Standards

When I started in biometrics 30 years ago, the most important operational biometric standard to me was what was then called the Electronic Fingerprint Transmission Specification or EFTS, published by the Department of Justice’s Federal Bureau of Investigation (FBI). 

Record types from the 1993 ANSI/NIST standard.

Unlike the ANSI/NIST biometric data interchange standard, the EFTS can actually be used out of the box to transmit data. The ANSI/NIST standard doesn’t define any “Type 2” fields, nor does it define any “types of transactions” (TOTs). EFTS did.

Other standards

But the EFTS, now the FBI’s Electronic Biometric Transmission Specification or EBTS (downloadable here), isn’t the only biometric transmission standard derived from ANSI/NIST.

  • State police agencies have their own law enforcement transmission standards. Here’s New York’s version (PDF).
  • Other U.S. federal agencies such as the U.S. Departments of Defense and Homeland Security have transmission standards.
  • Other countries have their own transmission standards.
  • Multinational agencies such as INTERPOL have their own transmission standards.

Luckily all the different standards have some basic similarities, but if you have a mobile biometric device that must submit to DOJ and DoD and DHS, you need to switch to the proper profile for each submission.

Last week I downloaded two different standards so I could understand the TOTs. I would have downloaded a third, but the agency restricts its distribution.

Word up

But I will tell you the biggest frustration I have with the standards.

In the EBTS and some other standards, there is a type of transaction referred to as “Criminal Ten-Print Submission (No Answer Necessary).” The abbreviation for this TOT is CNA.

Microsoft Word in default mode auto-corrects this from CNA to CAN.

CMOs, I can help you

But I’ve overcome this frustration over 30 years of immersing myself in all things biometric-translation related. This experience is benefiting a Bredemarket client that communicates with end customers regarding many of these standards.

Can my experience benefit you as your organization produces content, proposal, and analysis materials on a deadline? If Bredemarket can help you catch up or get ahead, let’s talk.

Tech marketers, are you afraid?

What is a Fingerprint Bifurcation?

(Image from NIST)

(Part of the biometric product marketing expert series)

If you hear a fingerprint person discussing a “bifurcation,” the definition is pretty simple.

“The point at which one friction ridge divides into two friction ridges.”

And if you think of fingerprint ridges as black lines on a white background, then a bifurcation is the exact opposite of a ridge ending.

The fingerprint image is from an appendix to the National Institute of Standards and Technology’s 2003 Fingerprint Vendor Technology Evaluation (FpVTE).

Yeah, THAT FpVTE. I remember it well from my days at Motorola…not a “top 3” vendor.

Worries About the Certified Communist Products List

(Part of the biometric product marketing expert series)

How many of you have heard of the Certified Products List (CPL)?

The CPL’s vendor coverage

This list, part of the FBI’s Biometric Specifications website (FBI Biospecs), contains fingerprint card printers, fingerprint card scan systems, identification flats systems, live scan systems, mobile ID devices, and other products. Presence on the CPL indicates that the product complies with a relevant image quality specification such as Appendix F of the Electronic Biometric Transmission Specification.

The Certified Products List has existed since the 1990s and includes a number of products with which I am familiar. These products come from companies past and present, including 3M Cogent, Aware, Biometrics4All, Cross Match, DataWorks Plus, IDEMIA Identity & Security France, Identicator, Mentalix, Morpho, Motorola, NEC Technologies, Printrak, Sagem Defense Securite, Thales, and many others.

As of June 26, 2025, it also references companies such as Shenzhen Interface Cognition Technology Co., Ltd. and Shenzhen Zhi Ang Science and Technology Co., Ltd.

A strongly worded letter

Those and other listings caused heartburn for the bipartisan Members of the U.S. House of Representatives Select Committee on the Chinese Communist Party.

So they sent a strongly worded letter.

“We write to respectfully urge the FBI to put an end to its ongoing certification of products from Chinese military-linked and surveillance companies—including companies blacklisted or red-flagged by the U.S. government—that could be used to spy on Americans, strengthen the repressive surveillance state of the People’s Republic of China (PRC), and otherwise threaten U.S. national security.”

Interestingly enough, they make a big deal of Hikvision products on the list, but I searched the CPL multiple times and found no Hikvision products.

The CPL’s purpose

And it’s important to note the FBI’s own caveat about the CPL:

The Certified Product List (CPL) provides users with a list of products that have been tested and are in compliance with Next Generation Identification image quality specifications (IQS) regarding the capture of friction ridge images. Specifications and standards other than image quality may still need to be met. Appearance on the CPL is not, and should not be construed as, an FBI endorsement, nor should it be relied upon for any requirement beyond IQS. Users should contact their State CJIS Systems Officer (CSO) or Information Security Officer (ISO) to ensure compliance with the necessary policies and/or guidelines.

In other words, the ONLY purpose of the CPL is to indicate whether the products in question meet technology standards. It has nothing to do with export controls or any other criteria that any law enforcement agency needs to follow when buying a product.

What about the U.S. Department of Commerce?

But the FBI isn’t the only agency “promoting” Chinese biometrics.

Wait until the Select Committee discovers the Department of Commerce’s NIST FRTE lists, including the FRTE 1:1 and FRTE 1:N lists. The tops of these lists (previously known as FRVT) include many Chinese companies.

And actually, the FRTE testing includes facial recognition products that inspired U.S. export bans. Fingerprint devices are harder to use to repress people.

What next?

What happens if the concern extends beyond China, to products produced in France and products produced in Canada?

Regarding the strongly worded letter, Biometric Update added one detail:

“As of this writing, the FBI has not issued a public response. Whether the bureau will move to decertify the flagged companies or push back on the committee’s recommendations remains to be seen. But with multiple national security statutes already in place, and Congress signaling a willingness to legislate further, the days of quiet certification for foreign adversary-linked tech firms may be numbered.”

Making Case Studies (and Other Content) Specific So Prospects Act

Tech CMOs want to move their prospects to act and buy world-changing offerings (products or services) from their firms…and I want to move my tech CMO prospects to act and buy marketing and writing services from Bredemarket. So tech CMOs, I definitely feel your pain. But how can you move your prospects…and how can I move you?

Failure of a vague problem, solution, and results

In my recent post about converting an end customer interview into a case study, I discussed a “problem, solution, results” simple case study outline.

Justin Welsh just discussed the same thing, but with better words.

“I copy/pasted a spreadsheet of over 100 posts I’ve written that created real impact for my readers into ChatGPT, and I found a pattern:

“Specific struggle + specific transformation = lasting change

“Not some vague tension. Not a generic transformation. Specific moments where everything shifted.”

My specific solution

Of course the dozen case studies I ghostwrote for my client were implicitly specific. But it’s helpful to make that word “specific” explicit.

  • Because my client had a specific problem. The client needed its prospects to understand how its offering could solve nagging prospect problems. Riots. Car thefts. Robberies.
  • And my client had a specific solution. I can’t reveal the solution without giving the client away, but let’s just say the solution simultaneously addressed the end customers’ dual needs of speed and accuracy, as well as other end customer concerns.
  • As for specific results, I confess I don’t know. In this case my client never got back to me and said, “John, case study 3 attracted a prospect that ended up buying an annual contract.” And my primary contact at the client subsequently moved to another firm. But the fact that the client stuck with me for a dozen case studies and some subsequent NIST FRTE analysis work indicates that I did something right.

You see what I did there. Well, as much as I could while preserving my ghostwriter status and my client’s anonymity.

What is your specific problem?

This section of the blog post is specifically addressed to tech CMOs and other marketers. The rest of you can skip this part and watch this entertaining video instead.

Now I know I’ve loaded this post with links to previous Bredemarket content that addresses the…um…specific topics in much more detail. Maybe you clicked on the links, or maybe you didn’t. I will find out.

But if you are ready to move forward, this is the one link you need to click. (“Now you tell me, John!”) It lets you set up a meeting with Bredemarket to discuss your specific needs.

Wanna Know a “Why” Secret About Bredemarket’s TPRM Content?

(The picture is only from Imagen 3. I’ve been using it since January, as you will see.)

Here’s a “why” question: why does Bredemarket write the things it writes about?

Several reasons:

  • To promote Bredemarket’s services so that you meet with me and buy them.
  • To educate about Bredemarket’s target industries of identity/biometrics, technology, and Inland Empire business.
  • To dive into specific topics that interest me, such as deepfakes, HiveLLM, identity assurance levels, IMEI uniqueness, and Leonardo Garcia Venegas (the guy with the REAL ID that was real).
  • Because I feel like it.

And then there are really specific reasons such as this one.

In late January I first wrote about third-party risk management (TPRM) and have continued to do so since.

Why?

TPRM firm 1

Because at that time, a TPRM firm had a need for content marketing and product marketing services, and Bredemarket started consulting for the firm.

I was very busy for 2 1/2 months, and the firm was happy with my work. And I got to dive into TPRM issues in great detail:

  • The incredibly large number of third parties that a vendor deals with…possibly numbering into the hundreds. If hundreds of third parties have YOUR data, and just ONE of those third parties is breached, bad things can happen.
  • The delicate balance between automated and manual work. News flash: if you look at my prior employers, you will see that I’ve dealt with this issue for over 30 years.
  • Organizational process maturity. News flash: I used to work for Motorola.
  • All the NIST standards related to TPRM, including NIST’s discussion of FARM (Frame, Assess, Respond, and Monitor). News flash: I’ve known NIST standards for many years.
  • Other relevant standards such as SOC 2. News flash: identity verification firms deal with SOC 2 also.
  • Fourth-party, fifth-party, and other risks. News flash: anyone that was around when AIDS emerged already knows about nth-party risk.

But for internal reasons that I can’t disclose (NDA, you know), the firm had to end my contract.

Never mind, I thought. I had amassed an incredible 75 days of TPRM experience—or about the same time that it takes for a BAD TPRM vendor to complete an assessment. 

But how could I use this?

TPRM firm 2

Why not put my vast experience to use with another TPRM firm? (Honoring the first firm’s NDA, of course.)

So I applied for a product marketing position with another TPRM firm, highlighting my TPRM consulting experience.

The company decided to move forward with other candidates.

The firm had another product marketing opening, so I applied again.

The company decided to move forward with other candidates.

Even if this company had a third position, I couldn’t apply for it because of its “maximum 2 applications in 60 days” rule.

TPRM firm 3

Luckily for me, another TPRM firm had a product marketing opening. TPRM is active; the identity/biometrics industry isn’t hiring this many product marketers.

  • So I applied on Monday, June 2 and received an email confirmation:
  • And received a detailed email on Tuesday, June 3 outlining the firm’s hiring process.
  • And received a third email on Wednesday, June 4:

“Thank you for your application for the Senior Product Marketing Manager position at REDACTED. We really appreciate your interest in joining our company and we want to thank you for the time and energy you invested in your application to us.

“We received a large number of applications, and after carefully reviewing all of them, unfortunately, we have to inform you that this time we won’t be able to invite you to the next round of our hiring process.

“Due to the high number of applications, we are unfortunately not able to provide individual feedback to your application at this early stage of the process.

“Again, we really appreciated your application and we would welcome you to apply to REDACTED in the future. Be sure to keep up to date with future roles at REDACTED by following us on LinkedIn and our other social channels. 

“We wish you all the best in your job search.”

Unfortunately, I apparently did not have “impressive credentials.” Oh well.

TPRM firm 4?

What now?

If nothing else, I will continue to write about TPRM and the issues I listed above.

Well, if any TPRM firm wants to contract with Bredemarket, schedule a meeting: https://bredemarket.com/cpa/

And if any TPRM firm wants to use my technology experience and hire me as a full-time product marketer, contact my personal LinkedIn account: https://www.linkedin.com/in/jbredehoft

I’m motivated to help your firm succeed, and make your competitors regret passing on me.

Sadly, despite my delusions of grandeur and expositor syndrome (to be addressed in a future Bredemarket blog post), I don’t think any TPRM CMOs are quaking in their boots and fearfully crying, “We missed out on Bredehoft, and now he’s going to work for the enemy and crush us!”

But I could be wrong.