Rethinking identity authentication, security, and trust in a world where physical credentials can be easily lost or stolen, but who we are cannot.

It started with a message from a bank confirming a transaction that looked routine…  Nothing unusual, until the amount caught his attention. A transfer he never authorized, from an account he rarely checks. Within minutes, more alerts followed. Password reset confirmations. Login notifications from unfamiliar locations. A credit inquiry that he did not request.

By the time he reached a customer service representative on the phone, it was already too late. His identity had been stolen, not through a dramatic data breach, but through a series of small, seemingly imperceptible hacks. A re-used password from an old account combined with personal details compiled from previous data leaks, and a security question answered with information that was never truly private. Piece by piece, someone had reconstructed his identity.

Over the next several weeks, the consequences unfolded. Accounts were frozen. Transactions disputed. New cards issued, only to be compromised again. Hours were spent on calls, forms, and verifications, proving, over and over again, that he was who he claimed to be, and yet, the system never really knew.

In a world built on physical credentials that we carry – cards, passwords, tokens – personal identity is something that can be relatively easy to reconstruct, replicated, and ultimately stolen.

A better way to protect your identity.

For generations, identity has been defined by what we carry. A wallet filled with cards. A badge clipped to a uniform. A passport tucked into a bag. A PIN memorized and entered countless times each day. Today, even our smartphones have become containers of identity, holding vulnerable access to financial systems, corporate networks, and personal data.

These objects have become physical representations of who we are. They grant access, establish trust, and enable movement through both physical and digital environments. Yet they all share a fundamental weakness: they exist outside of us. They can be lost, stolen, shared, copied, or forged. And in a world of increasingly sophisticated threats, that vulnerability is constant and continues to grow.

The modern threat environment has exposed the limitations of this model. Credentials are compromised through things like phishing attacks, data breaches, and social engineering. Cards are cloned and passwords are reused across the entire ecosystem. Entire digital identities are collected, assembled, and traded on the dark-web markets. Even multi-factor authentication, while an improvement, still relies on elements that can be intercepted or manipulated.

What has emerged in response is a fundamental shift from identity verification based on possession to identity verification based on presence.

Biometrics is central and essential to this shift. It anchors identity to the individual rather than with external objects or information that can be easily separated from them. It replaces the question “What do you have?” with a far more powerful one: “Who are you?”

Biometric identifiers such as iris patterns, facial features, and fingerprints are inherently tied and fundamentally unique to each individual. They are always present in the individual. They cannot be forgotten, misplaced, or casually shared. In this sense, biometrics are the ultimate credential, the only form of identity that cannot be lost or stolen.

The human iris alone contains hundreds of unique recognition points and remains stable over an individual’s lifetime. Facial recognition technologies, augmented by artificial intelligence, enable rapid identification under real-world conditions. Together, these two biometric modalities create a powerful and layered identity framework that balances accuracy, speed, and usability.

Unlike a badge or password, a biometric identity cannot be easily duplicated. It does not exist as a static object waiting to be compromised. Instead, it exists as a living representation of the individual. This fundamentally changes the nature of identity verification.

One of the most powerful aspects of biometric identity is its continuity. Traditional authentication is transactional, a moment-in-time when access is granted. Biometrics enables continuous verification, allowing identity to be confirmed not just at entry points, but throughout the entire lifecycle of an interaction.

This has profound implications for both security and user experience. Identity becomes dynamic, rather than static. Security becomes adaptive, rather than reactive.

At the same time, biometrics addresses a long-standing challenge in security: achieving a balance between security and convenience. Systems that are too complex create friction, leading users to bypass them. Systems that are too simple create vulnerabilities. Biometrics bridges this gap by making authentication both seamless and secure.

A glance, a look, or a brief interaction replaces multiple steps of authentication. There is no need to remember passwords or carry multiple credentials. The experience becomes intuitive, reducing user frustration and increasing compliance.

This is particularly important in environments where speed and security must coexist. When authentication is fast and frictionless, users are less likely to engage in risky behaviors such as credential sharing or tailgating. Security becomes part of the workflow, not an obstacle to it.

Of course, the adoption of biometrics also raises important questions around privacy and data protection. The use of biological and physiological traits for identification must be handled with care, transparency, and responsibility. User consent to use their biometric is essential for the success of any identity system.

Modern biometric systems address these concerns through the use of secure encrypted templates rather than raw images. These templates are mathematical representations that cannot be reverse- engineered into the original biometric images. Combined with strong governance, role-based access controls (RBAC), and audit mechanisms, they provide a secure and privacy-conscious framework for identity management.

Despite the clear advantages and superiority of biometric authentication technologies over credential-based systems, no technology is 100 percent accurate all of the time. If, in the case of authentication error, there should be reasonable processes available for individuals to redress and correct the error.

When implemented correctly, biometrics does not require a trade-off between security and privacy. Instead, it enhances both by reducing reliance on easily compromised credentials and minimizing exposure of sensitive personal data. Biometric authentication establishes a secure envelope around identity, enabling high assurance verification while minimizing the exposure and risk associated with personally identifiable information (PII).

For the individual whose identity was stolen, the resolution eventually came, but not without cost. Time lost, trust shaken, and a lingering uncertainty that it could happen again. The system restored his accounts, but it never truly restored his sense of security.

That is the hidden burden of identity fraud. Even when the damage is repaired, the confidence is not.  Biometrics offer a single trusted identity that unites accuracy, security, and convenience by ensuring that access is granted based on who a person is, not what they carry.

It is a reminder that identity, when built solely upon what we carry, will always remain vulnerable.

But when identity is anchored in who we are – something inherent, unique, and inseparable – it changes the equation entirely. It offers not just stronger security, but something far more valuable: peace of mind.

In the end, the most important things that we carry are not things at all – it’s who we are.

By Mohammed Murad, CRO, Iris ID

On March 12, 2026, investigators say a man drove a truck loaded with fireworks and gasoline into Temple Israel in West Bloomfield, Michigan, breaching the synagogue entrance while children and staff were inside the building. Authorities reported no congregants, staff members, or children were killed in the attack, and the suspect reportedly died at the scene. In the aftermath, the damage left behind offered a stark reminder of how quickly vehicle-based threats can target community institutions.

Question: What is the most accessible weapons for attacking a crowded facility?  

Answer: A vehicle

The recent vehicle attack at Temple Israel in West Bloomfield Township, Michigan, is another reminder that houses of worship remain vulnerable targets in the United States.

As this is written, investigators continue reviewing the facts. Reports indicate the attacker, motivated by anger over events overseas and personal loss, drove a pickup truck loaded with combustible materials into the facility while children were present for scheduled programming. The vehicle breached the entrance and penetrated deep into the building before becoming lodged inside. Gunfire followed, and the vehicle later ignited.

Only the attacker was killed. A security guard was reportedly injured, and property damage from fire and smoke was extensive. Emergency response was immediate and substantial.

But this was not the first warning, and it will not be the last.

Across the country, houses of worship of every faith face similar risks. Soft targets are numerous, visible and often lightly protected. They are also central gathering places, which makes them attractive to angry or ideologically motivated attackers.

Vehicle attacks are especially concerning because they are simple to execute. Vehicles are common, inexpensive, and capable of causing mass harm when perimeter protections are weak or incomplete.

The encouraging reality is that vehicle threats are also among the most preventable. Properly designed perimeter security, controlled access points, rated barriers, surveillance, and trained personnel can significantly reduce vulnerability.

But vehicles are only one threat vector.

Security leaders today must also consider armed assaults, drone incursions, arson, vandalism, cyber disruptions, and coordinated attacks against utilities or access systems.

The lesson is straightforward: waiting for a local incident before acting is no strategy at all.

Owners, operators, and security professionals who ignore these realities risk lives, property, and preventable tragedy.

-Rob Reiter is the Co-Founder of the Storefront Safety Council

As a Michigan-based security professional, the Temple Israel attack was a sobering reminder that these threats are not distant—they are local.

My biggest takeaway is how unpredictable these events can be. Many attacks are not the result of sophisticated planning. They are often sudden acts driven by rage, grievance or emotional instability.

That is why effective security planning should focus not only on what has happened before, but on what could happen next.

Temple Israel appeared to recognize the need for perimeter protection and had implemented some vehicle mitigation measures. However, based on publicly available images and reporting, there appears to have been a vulnerable gap in the perimeter that was exploited.

That reality applies far beyond religious institutions.

Airports, schools, retail centers, office campuses, restaurants, and neighborhood businesses all face similar exposure. Vulnerabilities are often shaped by site layout, traffic flow, architectural constraints, and lack of awareness about where risks truly exist.

Fortunately, this event did not result in mass casualties. It could have ended very differently.

My advice to those responsible for protecting people and property is simple: evaluate what could happen, identify where your weak points are, and implement measures designed to stop those threats before impact.

-Robert Miller, PSP, CDT, is an Independent Consultant and Subject Matter Expert in Fences, Gates, Bollards, and Barriers at Imperial PCS.

UNLOCKING EFFICIENCY

Small- to medium-size businesses (SMBs) throughout the country are faced with a unique mix of challenges that are different from larger enterprises.  Organizations that fall into the category of 1 to 1,000 employees are often juggling a myriad of hurdles that include limited resources and the pressure to modernize and grow—simultaneously. This creates a situation requiring tradeoffs that can result in management holding off on making any significant investments in physical security solutions. Typically, businesses will adopt new technology when it becomes simple to adopt and use, more affordable, and easy to implement—which is where mobile credentials and cloud-based access control can help. For example, mobile credentials replace physical badges, fobs, or keys with passes stored on an employee’s mobile phone or smartwatch. They are easy to manage and easy to use – improving the entire access control experience.

Smaller companies rarely have the resources or expertise found in larger enterprise organizations, which can create additional friction when it comes to making technology upgrades and investments in physical security. Without a dedicated IT and security team, these businesses tend to rely on older or basic off-the-shelf access control systems, since they don’t have the proper support to adopt brand new systems or maintain complex infrastructures. This lack of resources has also resulted in smaller businesses lagging behind when it comes to mobile credential adoption due to the technical lift that is required to implement the solution – especially because it’s nearly the same process to enable for 1 person as it is for 10,000 people. Additionally, these types of businesses don’t typically work with large-scale security integration firms who are more familiar with the latest security technologies; but rather rely on providers who may not be as knowledgeable on modern solutions such as mobile credentials.

These challenges only compound if a company operates multi-site businesses with regional offices, franchises, etc. But, by making the right technology choices, implementing mobile credentials no longer needs to be complicated. And they can ultimately provide a simpler way to manage access control across multiple locations and are a convenient option for employees who travel frequently or oversee several offices locally, regionally or even globally.

The good news is that organizations of all sizes are starting to adopt mobile credentials more frequently to help reduce costs, simplify administration, and improve security while also providing a great experience for their employees. There is proven value for them now and the lift to adopt has decreased due to years of investment in the technology. A premier access experience is no longer just reserved for Blue Chip companies – any size business can benefit from positive user experiences and improved security.  Keeping assets safe is important for companies large and small and as a result we will see the adoption rate increase in the near future as more SMBs realize the value of going mobile.

Below is a clear overview of what’s driving the adoption of mobile credentials for access control, the challenges smaller businesses are facing, and what the transition typically looks like over time.

Why SMBs Are Adopting Mobile Credentials

Lower Operational Costs – One big driving factor for organizations to get on the mobile access bandwagon is lower long-term operational costs.  Businesses can now issue or revoke credentials remotely without the cost and resources it takes to print and replace costly physical ID cards. This saves time and money and helps organizations increase productivity and efficiency for employees.  There is also the ease of managing temporary or part-time staff.

Convenience – Cloud-based access control systems that use mobile credentials dramatically improve convenience for both administrators and users. With cloud-based systems administrators can manage access from anywhere at any time wherever they are. This remote capability streamlines operations, reduces response time, and supports more agile facility management.

In addition, over the past 10 years we have seen significant changes on how employees work due to COVID and technology advancements, which means that flexibility is now table stakes for an access control system. With many SMBs now supporting hybrid work models, we will see reliance on mobile credentials continue to grow because of the experience provided for frictionless entry. Carrying a physical badge or key is no longer second nature, however mobile phones and smartwatches are rarely forgotten, making them a natural, seamless way for employees to access the workplace when needed.

Improved Security – Mobile credentials can significantly strengthen security by removing the risks associated with lost keys, common PINs, or misplaced ID cards. When an employee’s phone is lost or a role changes, access can be revoked instantly—without rekeying or reissuing physical badges. Many smartphones also support built-in biometrics such as facial or fingerprint recognition, adding an extra layer of authentication before a credential can be used. Digital credentials are more secure than traditional proximity cards (which are increasingly simple to clone), eliminating the risk of unauthorized duplication. This delivers a more secure, modern access-control experience fit for today’s users that protects both people and property.

Support for Temporary Access – Mobile credentials also provide more flexibility and security for managing contractors or temporary users… especially for businesses that prefer not to hand out physical keys or have someone monitoring the front desk full-time. With mobile-based access control, credentials can be issued directly to a contractor’s phone for specific times, or doors can be scheduled to unlock and lock automatically to allow entry only when needed. It also eliminates the hassle of cutting new keys, dealing with lost keys or cards, or having to constantly change PIN codes.

Scalability – Growing companies need solutions that can evolve with them over time.  Scalability is effortless with mobile credentials as headcount increases, turnover occurs, new locations open, or operational needs shift. Because everything is managed centrally in the cloud, organizations can add users, adjust permissions, and expand capacity without the cost or complexity of legacy systems—improving overall efficiency and security of the ecosystem.  In addition, AI and other systems that are data driven, drive more functionality than before as well, making systems even closer to self-management than before.  This flexibility ensures the security solution keeps pace with the business rather than holding it back.

Employee Recruitment – In today’s highly competitive job market, offering mobile credentials can indicate that a company is tech-forward, modern, and employee-centric. This can be a meaningful differentiator for prospective talent, especially among younger, digitally savvy candidates who expect essential tools to live on their mobile devices. Companies that embrace this approach may position themselves as more attractive employers to the next generation of workers.

How SMBs Typically Transition to Mobile Credentials

The first step in making the transition to mobile credentials is assessing the current use cases and supporting hardware where an existing physical badge, fob, or other type of electronic key is used by employees. The goal is that users feel completely confident in using their phone as their way to get in and around the workplace in the same convenient way as they did previously. Evaluating these use cases is important to determine what technology is currently in place and what new infrastructure may be needed.

Upgrading a site by updating or replacing reader hardware may be time-consuming and expensive. However, most sites have found that the long-term gains are worth the initial investment as implementing access control systems that support mobile credentials is the future of security.

To support a successful transition to mobile credentials, it is extremely important to educate users and staff on the value and usability of mobile to encourage adoption of this technology early on. Once implemented, the mobile credential experience usually sells itself and migration to a predominately mobile environment happens quite quickly.

By Olivia Renaud, Group Product Manager – Credential Software, Allegion

Physical and Cyber Risks Utilities Can’t Afford to Ignore

Water and wastewater utilities face a uniquely complex security challenge: aging infrastructure, widely distributed assets, and increasingly connected operations. From remote pump stations to treatment plants and distribution networks, many facilities are geographically dispersed, lightly staffed, and difficult to monitor.

The stakes are high. Disruptions can interrupt essential services, threaten public health, and create costly operational downtime. According to CISA, the United States has approximately 152,000 public drinking water systems and more than 16,000 wastewater treatment systems, serving over 80% of the population.

Many of these operations rely on industrial control systems (ICS) and SCADA environments—technologies that were not designed for today’s threat landscape. As utilities modernize, they must manage both legacy vulnerabilities and growing cyber exposure.

Here are the top physical and cybersecurity threats facing water and wastewater facilities—and the measures helping reduce risk.

THE TOP 5 PHYSICAL SECURITY RISKS

1) Remote Site Intrusion and Trespassing

Pump stations, reservoirs, lift stations, and other remote assets are often isolated, lightly staffed, and difficult to monitor. In many cases, limited fencing and outdated surveillance create easy targets for trespassers, vandals, and opportunistic criminals. Unauthorized access can lead to equipment damage, service disruption, or contamination events.

What’s driving the risk:

• Rising incidents of trespassing, theft, and vandalism at utility sites
• Limited on-site personnel, especially in rural or widely dispersed systems
• Delayed response times at unmanned facilities

What utilities are deploying:

• Intelligent perimeter detection using fiber, radar, thermal imaging, and smart fencing
• Solar-powered surveillance systems for remote locations
• Remote video monitoring with analytics and live response capabilities

2) Deliberate Contamination or Sabotage

Water infrastructure carries a uniquely high consequence profile. Unauthorized physical access to storage tanks, treatment inputs, or chemical handling areas can create immediate risks to public health and public confidence. Even attempted tampering can trigger costly shutdowns, emergency response actions, and reputational damage.

Potential impact:

• Illness or injury
• Service interruptions and boil-water advisories
• Loss of public trust and regulatory scrutiny

Mitigation priorities:

• Locked, alarmed, and monitored access points
• Intrusion detection on hatches, tanks, and chemical storage areas
• Real-time water quality monitoring tied to alerts and response workflows

3) Theft and Vandalism of Critical Assets

Copper theft, equipment damage, and targeted vandalism continue to disrupt utility operations across the country. Remote sites with limited visibility are especially vulnerable. In addition to replacement costs, these incidents can create downtime, safety hazards, and emergency repair expenses.

Common drivers:

• Scrap value of copper and other materials
• Poor lighting or minimal deterrence measures
• Delayed detection at unattended sites

Effective countermeasures:

• Monitored fencing and intrusion deterrence systems
• Smart lighting and audio warning systems
• Rapid response through centralized monitoring centers

4) Insider Threats and Unauthorized Access

Not every threat comes from outside the fence line. Contractors, former employees, disgruntled staff, or weak credential controls can create serious internal exposure. In smaller systems, shared credentials and informal access practices remain common.

Where risk often appears:

• Shared badges, keys, or login credentials
• Incomplete offboarding of former personnel
• Limited visibility into who accessed what and when

Best-practice controls:

• Access control systems with audit trails
• Role-based permissions and credential management
• Integrated identity and physical access security programs

5) Aging Infrastructure with Weak Physical Protection

Many water and wastewater facilities were built decades ago, when modern security threats were not part of the design criteria. As a result, fencing, gates, lighting, surveillance coverage, and access controls are often inconsistent or outdated.

Why it matters:

• Legacy layouts create blind spots and easy access points
• Security retrofits are often fragmented or underfunded
• Critical assets remain exposed despite modernization elsewhere

Where utilities are investing:

• Layered perimeter protection combining barriers, sensors, and analytics
• Risk-based upgrades aligned with critical asset priority
• Integration into centralized security operations and monitoring platforms

Top 5 Cybersecurity Risks

3) Weak Credentials and Remote Access Exposure

Weak passwords, shared accounts, and unsecured remote access remain common entry points for attackers targeting utility environments. Many water and wastewater systems still depend on legacy access methods that were implemented for convenience rather than security.

Remote connectivity can improve efficiency and reduce travel to dispersed sites, but poorly managed access creates unnecessary exposure. Smaller and resource-constrained utilities are often especially vulnerable due to limited cybersecurity staffing and aging infrastructure.

Common Vulnerabilities:

• Default, weak, or reused passwords
• Shared administrator or contractor accounts
• Unsecured remote desktop or remote access tools
• Limited visibility into who accessed systems and when
• Inconsistent credential offboarding practices
• Smaller utilities particularly vulnerable

Mitigation Priorities:

• Multi-factor authentication (MFA) for all remote access
• VPN-secured connections with least-privilege controls
• Centralized identity and access governance
• Password rotation and credential hygiene policies
• Continuous monitoring for unauthorized login activity

4) Nation-State and Geopolitical Targeting

Water and wastewater infrastructure has become an increasingly attractive target for nation-state actors and politically motivated threat groups. Because these systems support public health, economic stability, and daily life, they offer adversaries a high-impact way to create disruption and send strategic signals.

Recent threat activity has shown growing interest in critical infrastructure sectors where operational interruptions can generate outsized public attention. Even limited intrusions can force costly defensive responses and undermine confidence in essential services.

Strategic Objectives:

• Potential disruption of civilian life and essential services
• Political signaling during periods of geopolitical tension
• Intelligence gathering on critical infrastructure operations
• Pre-positioning for future disruptive activity
• Reputational and public confidence impacts

Mitigation Priorities:

• Threat intelligence sharing through sector groups such as Water ISAC
• Continuous monitoring for advanced threats and anomalous behavior
• Coordination with CISA and federal partners
• Network segmentation and privileged access controls

Incident response exercises for critical infrastructure scenarios.

5) IT/OT Convergence Vulnerabilities

As utilities modernize operations, the line between information technology (IT) and operational technology (OT) continues to blur. Systems once isolated from external networks are increasingly connected to enterprise platforms, cloud services, remote management tools, and smart devices.

While this connectivity can improve efficiency, visibility, and automation, it also expands the attack surface. Legacy OT environments were often not designed to operate in highly connected ecosystems, creating new pathways for cyber risk.

Key Exposure Points:

• Legacy OT systems connected to enterprise IT networks
• Cloud integrations with limited security oversight
• Expansion of IoT sensors and smart devices
• Third-party vendor access into operational environments
• Limited visibility across mixed IT/OT assets

Mitigation Priorities:

• Zero-trust architectures across IT and OT environments
• Continuous vulnerability identification and risk remediation
• Comprehensive asset inventory and visibility tools
• Network segmentation between business and operational systems
• Secure vendor access controls and monitoring

Where utilities are investing:

• Layered perimeter protection combining barriers, sensors, and analytics
• Risk-based upgrades aligned with critical asset priority
• Integration into centralized security operations and monitoring platforms

What Security Strategies Are Working

1) Layered, Sensor-Driven Perimeters

Utilities are moving beyond static fencing toward layered detection and early-warning systems:

• Radar + thermal + video analytics
• Fence-mounted vibration sensors
• AI-driven intrusion classification

This aligns with the broader shift: the perimeter evolves from a passive barrier into an active detection layer.

2) Remote, Autonomous Security Operations

• Labor shortages and dispersed assets are driving adoption of: Centralized monitoring (GSOC/VSOC models)
• Autonomous patrols (drones, robotics)
• Event-driven response workflows

3) Cyber-Physical Integration

Leading utilities are integrating:

• Physical alarms into SOC platforms
• Cyber alerts tied to operational risk
• Unified dashboards for situational awareness

This is where real ROI is being realized—faster decisions, fewer disruptions.

4) Federal Compliance-Driven Risk Programs

Mandates under the America’s Water Infrastructure Act (AWIA) have accelerated:

• Risk and resilience assessments
• Emergency response planning
• Cybersecurity program development

These are increasingly viewed as foundational controls.

5) Cyber Hygiene at Scale

It’s not glamorous, but it’s effective:

• Patch management
• Password policies
• Network segmentation
• Continuous monitoring

EPA and CISA continue to reduce many common attack pathways.

How Water Utilities Can Improve Physical and Cybersecurity

Water and wastewater security has become a core operational priority. Service continuity, public health, and community trust now depend on systems that are increasingly connected, geographically dispersed, and often under-protected.

Many utilities still face familiar constraints: aging infrastructure, limited budgets, lean staffing, and fragmented security programs. Meanwhile, threats continue to evolve—from ransomware and unauthorized remote access to physical intrusion and nation-state activity targeting critical infrastructure.

The organizations making the most progress are moving beyond siloed security models. They are combining perimeter intelligence, stronger cyber hygiene, asset visibility, and coordinated response across both physical and digital environments.

Resilience is no longer defined by preventing every incident. It is defined by detecting threats earlier, responding faster, and minimizing disruption when events occur. Utilities that make that shift will be better positioned to protect operations and public trust in the years ahead.