secure documents – Bredemarket

Identity Document Validation is a Toxic Dumpster Fire

I may have misjudged Biometric Update.

Most technology publications, with the notable exception of IPVM, are at least partially funded by the companies they cover. Therefore there’s an unavoidable tension between keeping the advertisers happy and casting a critical eye on the industry.

I accept this tension because it applies to Bredemarket itself. Although my clients are absolutely wonderful, there may emerge a future situation where they may be less than perfect. So naturally I have to watch my tongue.

As does Biometric Update.

Remember when IDloop asserted it offered “the world’s first FBI-certified 3D contactless fingerprint scanner,” and Biometric Update reported the claim with no comment? I said at the time:

“Biometric Update reports news as reported, and I don’t think it’s Biometric Update’s purpose to poke holes in vendor claims.”

But then Biometric Update ran a more recent story.

They said that?

Bear in mind that Biometric Update’s advertisers include vendors who offer identity document validation solutions: either their own, or from a third party.

And Biometric Update’s recent story basically said that these solutions are a toxic dumpster fire.

OK, not in those words. Biometric Update is Canadian owned, and if the publication used the words “toxic dumpster fire” it would never stop apologizing.

But the true title is eye-catching in context:

“DHS RIVR results suggest most ID document validation disastrously ineffective”

Not just ineffective, DISASTROUSLY ineffective. Ouch.

For those not up in their acronyms, the Department of Homeland Security’s (DHS) latest annual round of tests was called the Remote Identity Validation Rally (RIVR).

DHS set performance goals for the submitted entries and publicized the (anonymous) results.

“Four of the seven subsystems tested met the goal for system error rate. Four did not meet the threshold for FRR, and five fell short in FAR. In other words, most systems let too few legitimate IDs through, even more passed too many fraudulent IDs, and six of seven fell short on one or both sides of the assessment.”

Biometric Update didn’t reveal the…um…identity of the one vendor that performed acceptably. But that vendor may self-reveal soon enough.

On anonymity

Why do testing entities sometimes allow participants to remain anonymous?

Because they want participants.

Some biometric tests are NOT designed to identify the best algorithms, but are instead designed to view the state of the industry. And that’s what this test performed with document validation.

Presumably a future test—POND, or Performance Of Notable Documents—will measure the future state-of-the-art of identity document validation.

Hopefully the results won’t be disastrous.

How Many Authentication Factor Types Are There?

(Imagen 4)

An authentication factor is a discrete method of authenticating yourself. Each factor is a distinct category.

For example, authenticating with fingerprint biometrics and authenticating with facial image biometrics are both the same factor type, because they both involve “something you are.”

But how many factors are there?

Three factors of authentication

There are some people who argue that there are only really three authentication factors:

Something you know, such as a password, or a personal identification number (PIN), or your mother’s maiden name.
Something you have, such as a driver’s license, passport, or hardware or software token.
Something you are, such as the aforementioned fingerprint and facial image, plus others such as iris, voice, vein, DNA, and behavioral biometrics such as gait.

Five factors of authentication, not three

I argue that there are more than three.

Something you do, such as super-secret swiping patterns to unlock a device.
Somewhere you are, or geolocation.

For some of us, these are the five standard authentication factors. And they can also function for identity verification.

Six factors of authentication, not five

But I’ve postulated that there is one more.

Somewhat you why, or a measure of intent and reasonableness.

For example, take a person with a particular password, ID card, biometric, action, and geolocation (the five factors). Sometimes this person may deserve access, sometimes they may not.

The person may deserve access if they are an employee and arrive at the location during working hours.
That same person may deserve access if they were fired and are returning a company computer. (But wouldn’t their ID card and biometric access have already been revoked if they were fired? Sometimes…sometimes not.)
That same person may NOT deserve access if they were fired and they’re heading straight for their former boss’ personal HR file.

Or maybe just five factors of authentication

Now not everyone agrees that this sixth factor of authentication is truly a factor. If “not everyone” means no one, and I’m the only person blabbering about it.

So while I still work on evangelizing the sixth factor, use the partially accepted notion that there are five factors.

Verify the Supporting Documents Aren’t Forged

From the CBC in Canada:

“The documents were forged Labour Market Impact Assessments, or LMIAs. Employers typically receive the documents from Employment and Social Development Canada (ESDC) if they want to hire a foreign worker.”

Biometrics aren’t enough. The person may be who they say they are, but the documentation they are holding may be fake.

More on this type of fraud: https://www-cbc-ca.cdn.ampproject.org/c/s/www.cbc.ca/amp/1.7516048

(Forged document from Imagen 3. Lincoln never held a law license in the then-United Kingdom.)

Replacing Underage Age Estimation With Underage Age Verification

Why do we have both age verification and age estimation? And how do we overcome the restrictions that force us to choose one over the other?

Why age verification?

As I’ve mentioned before, there are certain products and services that are ONLY provided to people who have attained a certain age. These include alcohol, tobacco, firearms, cannabis, driver’s licenses, gambling, “mature” adult content, and car rentals.

There’s also social media access, which I’ll get to in a minute.

So how do you know that someone purchasing one of these controlled products or services has attained the required age?

One way is to ask the purchaser to provide their government identification (driver’s license, passport, whatever) with their birthdate to prove their age.

This is known as age verification. Provided that the ID was issued by a legitimate government authority, and provided that the ID is not fraudulent, this ID provides ironclad assurance that you are 18 years old or 21 years old or whatever the requirement is.

But let’s return to social media.

Why age estimation?

If you’re Australian, sit down for a moment before I share the following fact.

There are jurisdictions in the world that allow kids as young as 13 years old to access social media.

However, these wild uncontrolled jurisdictions face a problem when trying to determine the ages of their social media users. As I noted almost two years ago:

How many 13 year olds do you know that have driver’s licenses? Probably none.

How many 13 year olds do you know that have government-issued REAL IDs? Probably very few.

How many 13 year olds do you know that have passports? Maybe a few more (especially after 9/11), but not that many.

So how can you figure out whether Bobby or Julie is old enough to open that social media account?

One way to do so is by using a technique called age estimation, which looks at facial features and classifies people by their estimated ages.

The only problem is that while age verification is accurate (assuming the ID is legitimate), age estimation is not:

So if a minor does not have a government ID, and the social media firm has to use age estimation to determine a minor’s age for purposes of the New York Child Data Protection Act, the following two scenarios are possible:

An 11 year old may be incorrectly allowed to give informed consent for purposes of the Act.

A 14 year old may be incorrectly denied the ability to give informed consent for purposes of the Act.

So what do you do?

How to perform underage age verification

Biometric Update points out that there is an free alternative for underage people ages 13-15 in the United Kingdom—the CitizenCard. These cards are issued in four categories:

’18+’ for adults
’16-17′ for those aged 16 to 17
’13-15′ for children aged 13 to 15
‘Under 13’ for younger children

“OK,” you may say, “but so what? Anybody can print a card that says anything they want, like Alabama’s John Wahl did. Why should anyone accept the CitizenCard?”

Well…people, um, trust it.

CitizenCard is the only non-profit, UK-wide issuer of police-approved proof of age & ID cards….

CitizenCard was founded in 1999 and is governed by representatives from the National Lottery operator Allwyn, the Co-op, Ladbrokes & Coral owner Entain and the TMA.

CitizenCard…is the longest-established and the largest issuer of Home Office-endorsed PASS-hologram ID cards in the UK with more than 2.5 million issued.

[CitizenCard] is audited by members of the Age Check Certification Scheme on behalf of PASS to ensure that the highest standards of UK data protection, privacy and security are upheld and rigorous identity verification is carried out.

So one could argue that you don’t need age estimation in the UK, because there is a well-established way to VERIFY ages in the UK.

However, there are other benefits to age estimation, including the fact that estimation is frictionless and doesn’t require you to pull out a card (or a smartphone) at all.

Digital Driving Licences With Two Cs

(Imagen 3)

In my country, the issuance of driver’s licenses is performed at the state level, not the national level. This has two ramifications.

REAL ID

The U.S. government wanted to tighten down on identification cards to stop terrorists from hijacking planes and crashing them into buildings.

But it couldn’t.

When it told the states to issue “REAL ID” cards by 2008, the states said they wouldn’t be told what to do.

Today all of them support REAL ID cards as an option, but use of REAL IDs for federal functions such as plane travel won’t be enforced until 2027…if then.

mDLs

For years there has been a move to replace physical driver’s licenses with mobile driver’s licenses, or mDLs.

Again, in my country this has been pursued in a piecemeal basis on the state level. Louisiana has its own mDL, with a separate one in Oklahoma, one in California, others in other states, and none in other states. And one state (Florida) that had one, then didn’t have one.

Some mDLs are in custom wallets, while others are or are not in wallets from Apple, Google, and Samsung.

Oh, and don’t try using your Louisiana mDL to buy a beer in Arkansas.

Meanwhile, in the UK

Things are different in other countries. Amit Alagh shared a BBC article with me.

“Digital driving licences are to be introduced in the UK as the government looks to use technology to ‘transform public services’…. The new digital licences will be introduced later this year….”

Throughout the entire United Kingdom, including Scotland and Northern Ireland, apparently.

In one fell swoop. Entire country done.

Use One ID, Lose Another: China vs. China

(Chiang and Mao in 1945, Public Domain)

When you obtain a government ID from one national government, you normally don’t get a second government ID from a different national government, unless you hold dual citizenship.

But for some pairs of countries, dual citizenship is untenable.

“President Lai Ching-te (賴清德) has cautioned Taiwanese citizens against China’s reported efforts to lure them into applying for Chinese ID cards and residency permits.”

Because Taiwan is a contested territory, acceptance of People’s Republic of China IDs could resulted in PRC claims to Taiwan…to protect its citizens there. Therefore Taiwan really discourages this.

“According to local regulations, citizens who receive a Chinese ID will have their Taiwanese household registration revoked.”

And we thought that moving Meta’s trust and safety teams from California to Texas was a big deal. At least the states of California and Texas are not launching military strikes against each other.

At least not yet.

KYV: Know Your (Healthcare) Visitor

Who is accessing healthcare assets and data?

Healthcare identity verification and authentication is often substandard, as I noted in a prior Bredemarket blog post entitled “Medical Fraudsters: Birthday Party People.” In too many cases, all you need to know is a patient’s name and birthdate to obtain fraudulent access to the patient’s protected health information (PHI).

But healthcare providers need to identify more than just patients. Providers need to identify their own workers, as well as other healthcare workers.

Know Your Visitor

Healthcare providers also need to identify visitors. When a patient is in a hospital, a rehabilitation facility, or a similar place, loved ones often desire to visit them. (So do hated ones, but we won’t go there now.)

I was recently visiting a loved one in a facility that required identification of visitors. The usual identification method was to present a driver’s license at the desk. The staffer would then print out a paper badge showing the visitor’s name and the validity date.

Like this…

So John “Bederhoft” (sic) enjoyed access that day. Whoops.

Oh, and I could have handed my badge to someone else after a shift change, and no one would have been the wiser.

Let’s apply “somewhat you why”

There’s a more critical question: WHY was John “Berdehoft” visiting (REDACTED PHI)? Was I a relative? A friend? A bill collector?

My proposed sixth factor of identity verification/authentication, “somewhat you why,” would genuinely help here.

Somewhat you why “applies a test of intent or reasonableness to any identification request.”

Maybe I should have said “and” instead of “or.”

Visiting a relative shows intent AND reasonableness.
Visiting a debtor shows intent but (IMHO) does NOT show reasonableness.

Do you need to analyze healthcare identity issues for your healthcare product or service? Or create go-to-market content for the same? Or proposals?

Contact me at Bredemarket’s “CPA” page.

California Knows How to Party (California mDL)

Well, it took long enough.

In part because when I first tried to get a mobile driver’s license (mDL), I used my OLD physical driver’s license AFTER I had renewed my driver’s license online (but before I received the new physical license). Data mismatch. Rejected.

And in part because I kept on forgetting to perform the additional steps to confirm my identity.

And in part because I didn’t truly NEED the mDL—I haven’t flown anywhere since April 2023, and for some strange reason no vendor of age-controlled products has insisted on carding me.

California mobile driver’s license (mDL).

But I now have a California mDL. After talking about mDLs for years as a former IDEMIA employee.

I’ve previously espoused the benefits of mDLs. For example, when a retailer DOES check my age before I buy a beer, the retailer doesn’t learn my address or my (claimed) height and weight. The retailer only needs to confirm that I am old enough to buy a beer.

Oddly enough, I had to block out certain information on my displayed mDL in the image above. Because MY privacy requirements obviously don’t conform to California’s privacy requirements.

Do All 5 Identity Factors Apply to Non-Human Identities?

I’ve talked ad nauseam about the five factors of identity verification and authentication. In case you’ve forgotten, these factors are:

Something you know.
Something you have.
Something you are.
Something you do.
Somewhere you are.

I’ll leave “somewhat you why” out of the discussion for now, but perhaps I’ll bring it back later.

These five (or six) factors are traditionally used to identify people.

Identifying “Non-Person Entities”

But what happens when the entity you want to identify is not a person? I’ll give two examples:

Kwebbelkop AI? https://www.youtube.com/watch?v=3l4KCbTyXQ4.

Kwebbelkop AI, discussed in “Human Cloning Via Artificial Intelligence: It’s Starting,” is not a human. But is there a way to identify the “real” Kwebbelkop AI from a “fake” one?
In “On Attribute-Based Access Control,” I noted that NIST defined a subject as “a human user or NPE (Non-Person Entity), such as a device that issues access requests to perform operations on objects.” Again, there’s a need to determine that the NPE has the right attributes, and is not a fake, deep or shallow.

There’s clearly a need to identify non-person entities. If I work for IBM and have a computer issued by IBM, the internal network needs to know that this is my computer, and not the computer of a North Korean hacker.

But I was curious. Can the five (or six) factors identify non-person entities?

Let’s consider factor applicability, going from the easiest to the hardest.

The easy factors

Somewhere you are. Not only is this extremely applicable to non-person entities, but in truth this factor doesn’t identify persons, but non-person entities. Think about it: a standard geolocation application doesn’t identify where YOU are. It identities where YOUR SMARTPHONE is. Unless you have a chip implant, there is nothing on your body that can identify your location. So obviously “somewhere you are” applies to NPEs.
Something you have. Another no brainer. If a person has “something,” that something is by definition an NPE. So “something you have” applies to NPEs.
Something you do. NPEs can do things. My favorite example is Kraftwerk’s pocket calculator. You will recall that “by pressing down this special key it plays a little melody.” I actually had a Casio pocket calculator that did exactly that, playing a tune that is associated with Casio. Later, Brian Eno composed a startup sound for Windows 95. So “something you do” applies to NPEs. (Although I’m forced to admit that an illegal clone computer and operating system could reproduce the Eno sound.)

Something you do, 1980s version. Advance to 1:49 to hear the little melody. https://www.youtube.com/watch?v=6ozWOe9WEU8.

Something you do, 1990s version. https://www.youtube.com/watch?v=miZHa7ZC6Z0.

Those three were easy. Now it gets harder.

The hard factors

Something you know. This one is a conceptual challenge. What does an NPE “know”? For artificial intelligence creations such as Kwebbelkop AI, you can look at the training data used to create it and maintain it. For a German musician’s (or an Oregon college student’s) pocket calculator, you can look at the code used in the device, from the little melody itself to the action to take when the user enters a 1, a plus sign, and another 1. But is this knowledge? I lean toward saying yes—I can teach a bot my mother’s maiden name just as easily as I can teach myself my maiden name. But perhaps some would disagree.

Something you are. For simplicity’s sake, I’ll stick to physical objects here, ranging from pocket calculators to hand-made ceramic plates. The major reason that we like to use “something you are” as a factor is the promise of uniqueness. We believe that fingerprints are unique (well, most of us), and that irises are unique, and that DNA is unique except for identical twins. But is a pocket calculator truly unique, given that the same assembly line manufactures many pocket calculators? Perhaps ceramic plates exhibit uniqueness, perhaps not.

That’s all five factors, right?

Well, let’s look at the sixth one.

Somewhat you why

You know that I like the “why” question, and some time ago I tried to apply it to identity.

Why is a person using a credit card at a McDonald’s in Atlantic City? (Link) Or, was the credit card stolen, or was it being used legitimately?
Why is a person boarding a bus? (Link) Or, was the bus pass stolen, or was it being used legitimately?
Why is a person standing outside a corporate office with a laptop and monitor? (Link) Or, is there a legitimate reason for an ex-employee to gain access to the corporate office?

The first example is fundamental from an identity standpoint. It’s taken from real life, because I had never used any credit card in Atlantic City before. However, there was data that indicated that someone with my name (but not my REAL ID; they didn’t exist yet) flew to Atlantic City, so a reasonable person (or identity verification system) could conclude that I might want to eat while I was there.

But can you measure intent for an NPE?

Does Kwebbelkop AI have a reason to perform a particular activity?
Does my pocket calculator have a reason to tell me that 1 plus 1 equals 3?
Does my ceramic plate have a reason to stay intact when I drop it ten meters?

I’m not sure.

By Bundesarchiv, Bild 102-13018 / CC-BY-SA 3.0, CC BY-SA 3.0 de, https://commons.wikimedia.org/w/index.php?curid=5480820.

Who You Are, Plus What You Have, Equals What You Are

(Part of the biometric product marketing expert series)

Yes, I know the differences between the various factors of authentication.

Let me focus on two of the factors.

Something You Are. This is the factor that identifies people. It includes biometrics modalities (finger, face, iris, DNA, voice, vein, etc.). It also includes behavioral biometrics, provided that they are truly behavioral and relatively static.
Something You Have. While this is used to identify people, in truth this is the factor that identifies things. It includes driver’s licenses and hardware or software tokens.

From https://www.etsy.com/listing/1511398513/editable-little-drivers-license.

There’s a very clear distinction between these two factors of authentication: “something you are” for people, and “something you have” for things.

But what happens when we treat the things as beings?

Like cars with license plates?
And bots with power?

Who, or what, possesses identity?

License Plate Recognition

I’ve spent a decade working with automatic license plate recognitrion (ALPR), sometimes known as automatic number plate recognition (ANPR).

By marines.mil, Public Domain, https://commons.wikimedia.org/w/index.php?curid=23054177

Actually more than a decade, since my car’s picture was taken in Montclair, California a couple of decades ago doing something it shouldn’t have been doing. I ended up in traffic school for that one.

But my traffic school didn’t have a music soundtrack. From https://www.imdb.com/title/tt0088847/mediaviewer/rm1290438144/?ref_=tt_md_2.

Now license plate recognition isn’t that reliable of an identifier, since within a minute I can remove a license plate from a vehicle and substitute another one in its place. However, it’s deemed to be reliable enough that it is used to identify who a car is.

Note my intentional use of the word “who” in the sentence above.

Because when my car made a left turn against a red light all those years ago, the police didn’t haul MY CAR into court.
Using then-current technology, it identified the car, looked up the registered owner, and hauled ME into court.

These days, it’s theoretically possible (where legally allowed) to identify the license plate of the car AND identify the face of the person driving the car.

But you still have this strange merger of who and what in which the non-human characteristics of an entity are used to identify the entity.

What you are.

But that’s nothing compared to what’s emerged over the past few years.

We Are The Robots

When the predecessors to today’s Internet were conceived in the 1960s, they were intended as a way for people to communicate with each other electronically.

And for decades the Internet continued to operate this way.

Until the Internet of Things (IoT) became more and more prominent.

How prominent? The Hacker News explains:

Application programming interfaces (APIs) are the connective tissue behind digital modernization, helping applications and databases exchange data more effectively. The State of API Security in 2024 Report from Imperva, a Thales company, found that the majority of internet traffic (71%) in 2023 was API calls.

Couple this with the increasing use of chatbots and other artificial intelligence bots to generate content, and the result is that when you are communicating with someone on the Internet, there is often no “who.” There’s a “what.”

What you are.

Between the cars and the bots, there’s a lot going on.

What does this mean?

There are numerous legal and technical ramifications, but I want to concentrate on the higher meaning of all this. I’ve spent 29 years professionally devoted to the identification of who people are, but this focus on people is undergoing a seismic change.

KITT. By Tabercil – Own work, CC BY-SA 3.0, https://commons.wikimedia.org/w/index.php?curid=14927883.

The science fiction stories of the past, including TV shows such as Knight Rider and its car KITT, are becoming the present as we interact with automobiles, refrigerators, and other things. None of them have true sentience, but it doesn’t matter because they have the power to do things.

Even with this opinionated writer, occasionally a bot is telling me what to write.
My thermostat is changing my house temperature for my own good.
It’s only a matter of time before a bot kills someone.

The late Dr. Frank Poole, died in 2001. From https://cinemorgue.fandom.com/wiki/Gary_Lockwood.

In the meantime, the identification industry not only has to identify people, but also identify things.

And it’s becoming more crucial that we do so, and do it accurately.