Two factor authentication

In the past year, we at CRT have been involved in many discussions about the use of two factor authentication in the real estate industry. Two factor authentication is a more secure method for users to access systems than the traditional user ID and password combination. It reduces the risks associated with passwords, such as hacking, guessing and sharing. Two factor authentication combines something you have with something you know to authorize access to a system, as ATMs do or, in real estate's case, as an MLS system can. Two factor authentication also requires the use of a one time code (OTC) as the required password, or as part of the password when combined with a user PIN.
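As an added illustration (not code from CRT or from any vendor named on this page), the sketch below shows a server checking a passcode made of a member's PIN followed by a one time code, and refusing a code that has already been used. It assumes the open HOTP algorithm from RFC 4226 for the code, which is a stand-in for the vendors' own schemes; the `Account` class, the PIN and the secret are constructed for the example.

```python
import hashlib
import hmac
import os
import struct

DIGITS = 6  # length of the one-time code (OTC)

def hotp(secret: bytes, counter: int) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)

class Account:
    """Server-side record for one member (hypothetical, for illustration)."""

    def __init__(self, pin: str, token_secret: bytes):
        self.salt = os.urandom(16)
        self.pin_hash = self._hash(pin)    # something you know, stored hashed
        self.token_secret = token_secret   # shared with the thing you have
        self.counter = 0                   # next unused token counter

    def _hash(self, pin: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", pin.encode(), self.salt, 100_000)

    def verify(self, passcode: str, window: int = 3) -> bool:
        """Accept only PIN + OTC where the OTC has not been used before."""
        if len(passcode) <= DIGITS:
            return False
        pin, code = passcode[:-DIGITS], passcode[-DIGITS:]
        pin_ok = hmac.compare_digest(self._hash(pin), self.pin_hash)
        # Look ahead a few counters: the token may have been pressed unused.
        for c in range(self.counter, self.counter + window):
            match = hmac.compare_digest(hotp(self.token_secret, c).encode(),
                                        code.encode())
            if match and pin_ok:
                self.counter = c + 1  # burn this code and every earlier one
                return True
        return False

# Constructed sample: RFC 4226 test secret and a made-up PIN.
acct = Account("4821", b"12345678901234567890")
print(acct.verify("4821" + hotp(acct.token_secret, 0)))  # fresh code
print(acct.verify("4821" + hotp(acct.token_secret, 0)))  # replayed code
```

A shared or guessed PIN alone fails here because the code half changes on every login, and a captured passcode fails on replay because the counter has moved past it.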

Within real estate there have been several implementations of two factor authentication for user access to MLS systems. Recently, case studies have been published reviewing a couple of these implementations. These studies can assist you if you're investigating these alternatives.

In its October issue, SC Magazine reviewed an implementation at the Consolidated Multiple Listing Service in Columbia, S.C. This implementation featured the use of the Secure Computing strong authentication solution and was headed by Clareity Consulting.

Another review takes a look at the implementation of a strong authentication solution at the Mid Florida Regional MLS. The Mid Florida implementation used the RSA SecurID token and was supported by the Secure Content Group.

CRT believes that two factor authentication can play a significant role in protecting real estate information if implemented properly and for the right reasons. However, we've been approached by organizations that seem to be putting the cart ahead of the horse when considering two factor authentication. In one instance, a large MLS wanted to implement a two factor solution, but would not support a policy that required members to change their passwords at a regular interval. They were willing to throw tens of thousands of dollars at the perceived issue, but were not willing to take a stand that required members to change their passwords, because of the politics involved and the pushback they might receive. This does not seem like the right reason to implement strong authentication. We at CRT are in favor of standards that require users to change MLS access passwords at a regular interval. In our experience, we've seen the implementation of a password 'change' policy eliminate many 'rogue use' issues.

In addition to the companies mentioned above, those considering two factor authentication may want to consider companies like PortWise and Swivel. These two factor companies employ 'token less' solutions (utilizing a member's cell phone or other mobile device) that can offer a significant saving when compared to the cost of deploying a hardware-based solution like RSA and Secure Computing. A token less solution eliminates much of the expense of the hardware token and its distribution administration.