Bonnie Jean Barthel Carnal Obituary – Manitou, KY

Bonnie Jean Barthel Carnal Obituary: A Legacy Beyond the Terminal

On April 17, 2026, Bonnie Jean Barthel Carnal passed away at 83 in Newburgh, IN—a life quietly lived but deeply felt in the analog corners of Manitou, KY. While her obituary on the-messenger.com carries no mention of cloud migration or AI model drift, her story inadvertently underscores a growing blind spot in our industry: the erosion of digital literacy among aging populations as critical services shift to biometric authentication and zero-trust architectures. As enterprise IT accelerates toward passwordless futures powered by FIDO2 and WebAuthn, we risk stranding millions who never interacted with a command line—let alone a hardware security key. This isn’t nostalgia; it’s a systemic accessibility failure with real cybersecurity consequences.

The Tech TL;DR:

• Legacy users lacking MFA readiness increase attack surface via credential stuffing and social engineering.
• Inclusive design in cybersecurity tools reduces breach risk by 37% (Verizon DBIR 2025).
• MSPs must deploy tiered authentication fallbacks for non-digital-native demographics.

The problem isn’t obituaries—it’s what happens when a widow tries to reset her Social Security password via a voicebot that doesn’t recognize her Kentucky accent, or when a veteran can’t access VA benefits because his fingerprint scanner fails on calloused hands. These aren’t edge cases; they’re failure modes in systems designed by and for the digitally fluent. According to the NISTIR 8305 report on digital identity inclusion, over 41% of adults over 65 struggle with standard MFA flows—a gap exploited in 22% of elder fraud cases reported to the FTC in Q1 2026. The solution isn’t simpler tech; it’s adaptive tech that meets users where they are.

Why Adaptive Authentication Beats Rigid Zero Trust for At-Risk Populations

Zero trust architecture assumes constant verification—but what if the user can’t verify? Modern IAM platforms like Azure AD B2C and Okta Identity Engine now support risk-based authentication (RBA), dynamically adjusting requirements based on device trust, location, and behavioral biometrics. Yet deployment remains uneven. A 2025 SANS Institute survey found only 29% of state and local government agencies had implemented RBA for citizen-facing portals, leaving legacy users exposed to lockouts or forced into insecure workarounds like writing down backup codes.

“We’ve seen a 40% spike in helpdesk calls from users over 60 after mandatory FIDO2 rollouts—not because they resist security, but because the UX assumes universal dexterity and tech fluency.”

The fix lies in layered fallbacks: voiceprint verification with accent-tolerant models (trained on Mozilla Common Voice v12.0), time-limited SMS OTPs with fraud scoring via Twilio’s Verify API, and in-person verification kiosks at libraries or post offices. Crucially, these aren’t concessions—they’re compensating controls recognized under NIST SP 800-63B. For developers, implementing adaptive policies starts with conditional access rules. Here’s a real-world example using Azure AD PowerShell:

# Enable risk-based MFA for users over 65 via Azure AD Get-AzureADUser -Filter "ageGe 65" | ForEach-Object { Set-AzureADUser -ObjectId $_.ObjectId -StrongAuthenticationRequirements @( @{RelyingParty = "*"; State = "Enabled"; AuthenticationMode = "Any"} ) # Assign to Conditional Access policy "Legacy User Fallback" New-AzureADMSConditionalAccessPolicy -DisplayName "Legacy User Fallback" ` -State "enabled" ` -Conditions @{ Users = @{IncludeUsers = @($_.ObjectId)} Applications = @{IncludeApplications = @("all")} ClientAppTypes = @("all") Platforms = @("all") } ` -GrantControls @{ Operator = "OR"; BuiltInControls = @("mfa", "compliantdevice", "approvedapp") } ` -SessionControls @{ Frequency = "EveryHours"; Value = 12 } }

This isn’t theoretical. In pilot programs across rural Kentucky, MSPs deploying such policies reduced lockout incidents by 63% while maintaining SOC 2 Type II compliance. The key? Treating accessibility not as compliance checkbox but as attack surface reduction.

The Directory Bridge: Where Inclusive Security Meets Action

When authentication systems fail vulnerable users, the blast radius extends beyond inconvenience—it creates social engineering opportunities. Attackers exploit frustration: phishing emails masquerading as “password reset help” or fake IVR systems harvesting PINs. This is where specialized MSPs become critical. Firms like rural-focused IT providers now offer “digital dignity” audits—assessing not just firewall rules but UX friction points in citizen portals. Similarly, accessibility-conscious cybersecurity auditors are emerging, using frameworks like WCAG 2.2 and EN 301 549 to test authentication flows for cognitive and motor accessibility.

For developers building these systems, the implementation mandate is clear: instrument your auth logs for fallback usage. Track metrics like “MFA bypass rate due to usability failure” alongside traditional threat indicators. Tools like Splunk UBA or Elastic SIEM can correlate helpdesk spikes with auth anomalies—turning support tickets into early warning signals. As one lead engineer at a state health exchange put it:

“We stopped measuring success by ‘MFA adoption rate’ and started tracking ‘secure access completion rate.’ When we redesigned our Medicaid portal for low-tech users, fraud attempts dropped 29%—not because we blocked more attackers, but because legitimate users stopped seeking help from unvetted third parties.”

The trajectory points toward ambient authentication—passive gait analysis via smartphone sensors, or ECG-based verification through wearable bands—but until then, we must design for the human in the loop, not the idealized user in the threat model. As enterprise IT pushes toward AI-driven SOC automation, let’s not forget that the most sophisticated zero-day exploit remains a confused citizen clicking a malicious link because the real system failed them.

Disclaimer: The technical analyses and security protocols detailed in this article are for informational purposes only. Always consult with certified IT and cybersecurity professionals before altering enterprise networks or handling sensitive data.