Chris and I have recently been talking about how to more easily provide two-factor authentication to MLS and association websites. For those who don't know what two-factor authentication is, Wikipedia gives an in-depth overview. But simply put, two-factor auth is when you use two factors instead of one when verifying someone's identity in a computer system. Instead of the one factor of a username and password, which is something the user knows, you add another, such as an RSA SecurID, something the person has, or a fingerprint reader, something the user is. But for the MLS, not every computer has a fingerprint reader, and RSA SecurID is very expensive. What Chris and I came to the conclusion on was that almost every REALTOR® has a cell phone. Using something like SMS, we could leverage the cell phone as something people have. I looked around and found that the idea is not new (not surprised) and that many banks use it for large online transfers (over $2500).
The idea we came up with was a proxy server that sits between the users of a web app and the web app itself and provides two-factor authentication. This white paper goes into detail about the problem and the proxy server solution, while this diagram (a larger version of the image above) gives the basic idea we are looking at. The user would still be presented with a login page, but after a successful login they would be presented with a token entry page. At the same time, the token they need to enter would be sent to their cell phone as a text message. The user enters the token and they are on their way. In this solution, the proxy only stores the usernames and the mobile numbers of those users, not the password; that factor of authentication is still handled by the protected website. That is the basic idea.
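To make the second-factor stage concrete, here is an added Python sketch of the proxy's token issue and token check logic (it is not code from the white paper or from any existing proxy). The username-to-mobile directory, the SMS-sending callback, and the six-digit, five-minute, three-attempt limits are all assumptions; the password check stays with the protected website and is not shown.

```python
import hmac
import secrets
import time

TOKEN_DIGITS = 6           # assumed token length
TOKEN_TTL_SECONDS = 300    # assumed lifetime; bounds how long a delayed SMS stays usable
MAX_ATTEMPTS = 3           # assumed guess limit per issued token


class TwoFactorProxy:
    """Second-factor stage of the proxy: runs only after the backing site has
    accepted the username/password, then issues and checks an SMS token."""

    def __init__(self, directory, send_sms, now=time.time):
        self.directory = directory   # username -> mobile number; no passwords stored
        self.send_sms = send_sms     # hypothetical gateway hook: send_sms(mobile, text)
        self.now = now               # injectable clock so expiry can be tested
        self.pending = {}            # username -> [token, expires_at, attempts]

    def issue_token(self, username):
        """Generate a fresh random token, remember it, and text it to the user."""
        mobile = self.directory.get(username)
        if mobile is None:
            return False             # unknown user: nothing to send
        token = "".join(secrets.choice("0123456789") for _ in range(TOKEN_DIGITS))
        self.pending[username] = [token, self.now() + TOKEN_TTL_SECONDS, 0]
        self.send_sms(mobile, f"Your login code is {token}")
        return True

    def verify_token(self, username, submitted):
        """Accept the token once, within its lifetime, within the attempt limit."""
        entry = self.pending.get(username)
        if entry is None:
            return False
        token, expires_at, _ = entry
        if self.now() > expires_at:
            del self.pending[username]   # stale token: user must request a new one
            return False
        entry[2] += 1
        if hmac.compare_digest(token, submitted):
            del self.pending[username]   # single use: a replayed token is rejected
            return True
        if entry[2] >= MAX_ATTEMPTS:
            del self.pending[username]   # too many wrong guesses: invalidate
        return False
```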
Pros: The proxy server requires very few changes to the backing website. It would be designed so that it could be dropped in front of pretty much any website. It would be very inexpensive, and we would want to make it open source, so people can change the two-factor proxy if they need to add additional features.
Cons: The security of the SMS channel would need to be taken into account, and if there is a delay in the token SMS message arriving, the user is sitting there waiting for their text message before they can do anything.
We are looking for comments on this idea, and wonder if anyone would want to use this proxy if we were to create it. Take a look at the white paper and diagram and let us know what you think.