A Case for Simple Two Factor Authentication

Chris and I have recently been talking about how to more easily provide two-factor authentication to MLS and association websites.  For those that don’t know what two-factor authentication is, Wikipedia gives an in-depth overview.  But simply put, two-factor auth is when you use two factors instead of one when verifying someone’s identity in a computer system.  Instead of the one factor of a username and password, which is something the user knows, you add another, like an RSA SecurID (something the user has) or a fingerprint reader (something the user is).  But for the MLS, not every computer has a fingerprint reader and RSA SecurID is very expensive.  The conclusion Chris and I came to was that almost every REALTOR® has a cell phone.  Using something like SMS we could leverage the cell phone as something people have.  I looked around and found that the idea is not new (not surprised) and that many banks use it for large online transfers (over $2500).

The idea we came up with was a proxy server that sits between the users of a web app and the web app itself and provides two-factor authentication.  This white paper goes into detail about the problem and the proxy server solution, while this diagram (a larger version of the image above) gives the basic idea we are looking at.  The user would still be presented with a login page, but after a successful login they would be presented with a token entry page.  At the same time, the token they need to enter would be sent to their cell phone as a text message.  The user enters the token and they are on their way.  In this solution the proxy stores only the usernames and mobile numbers of those users, not the passwords; that factor of authentication is still handled by the protected website.  That is the basic idea.
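As an added example of the challenge step just described (this is not the authors’ proxy or the white paper’s code): after the protected site confirms the password, the proxy issues a six-digit code, texts it to the number on file, and accepts it once within a short window. The `send_sms` callback, the in-memory directory and the sample number are assumptions made for the example.

```python
import hashlib
import hmac
import secrets
import time

# Constructed sample directory: the proxy holds only username -> mobile number.
# Passwords never reach it; the protected site still checks those.
DIRECTORY = {"agent42": "+15555550123"}

TOKEN_TTL = 300      # seconds a texted code stays valid (covers modest SMS delay)
MAX_ATTEMPTS = 3     # wrong guesses before the pending code is discarded
_KEY = secrets.token_bytes(32)   # per-process key for hashing pending codes
_pending = {}        # username -> {"digest": ..., "expires": ..., "attempts": ...}


def _digest(username, token):
    # Keep only a keyed hash of the code in memory, so the code itself cannot be
    # read out of the proxy's state while it is waiting for the user.
    msg = f"{username}:{token}".encode()
    return hmac.new(_KEY, msg, hashlib.sha256).hexdigest()


def issue_challenge(username, send_sms, now=None):
    """Called once the backing site reports a successful password login.
    send_sms(mobile, text) is a hypothetical gateway hook supplied by the caller."""
    now = time.time() if now is None else now
    mobile = DIRECTORY.get(username)
    if mobile is None:
        return False                       # unknown user: no second factor enrolled
    token = f"{secrets.randbelow(10**6):06d}"   # cryptographically random 6 digits
    _pending[username] = {"digest": _digest(username, token),
                          "expires": now + TOKEN_TTL, "attempts": 0}
    send_sms(mobile, f"Your login code is {token}")
    return True


def verify_token(username, token, now=None):
    """Accept a code only once, only before expiry, and only within the attempt limit."""
    now = time.time() if now is None else now
    ch = _pending.get(username)
    if ch is None or now > ch["expires"]:
        _pending.pop(username, None)       # expired or never issued
        return False
    ch["attempts"] += 1
    ok = hmac.compare_digest(ch["digest"], _digest(username, token))
    if ok or ch["attempts"] >= MAX_ATTEMPTS:
        del _pending[username]             # one-time use; lockout after too many misses
    return ok
```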

Pros: The proxy server requires very few changes to the backing website.  It would be designed so that it could be plopped in front of pretty much any website.  It would be very inexpensive, and we would want to make it open source so people can change the two-factor proxy if they need to add additional features.

Cons: The security of the SMS channel would need to be taken into account, and if there is a delay in the token SMS message arriving, the user is sitting there waiting for their text message before they can do anything.

We are looking for comments on this idea, and wonder whether anyone would want to use this proxy if we were to create it.  Take a look at the white paper and diagram and let us know what you think.

  1. Matt Cohen

    Brilliant! FYI, Clareity Security has offered mobile messaging-based strong authentication for years and has exclusive rights to the patent for use in the real estate vertical. It can certainly be implemented so the factors are split as you indicate.

  2. Chad

    Take a look at the yubikey. I have one that I use as a secondary login verification for confidential files stored on my PCs, as well as for website logins. It’s a little pricey @ $25 a key, but it’s a pretty solid secondary solution.

  3. Pretty neat stuff, but will we ever need this kind of authentication for MLS listings?

    @Matt A patent on the SMS aspect of it? Or a patent on any sort of message sent to a phone, including email or VM?

  4. Matt Cohen

    SMS, MMS … pretty much everything related to transmitting passwords to mobile devices.

  5. Lou

    Sounds interesting, but you’re right about delay — I’ve had text messages delayed for minutes and hours, and with this I’d be locked out.

    Have you looked at VeriSign’s VIP? They have a free token app for the iPhone, Blackberry and a bunch of other phones. Check it out at http://m.verisign.com. Works at eBay and PayPal too.

  6. Matt Cohen

    Lou – you’ve come to the heart of it. Working to help ensure sub 5 second SMS responses is a tricky and expensive endeavor.

    There are scores of cool authentication technologies – I spend a whole lot of time evaluating each new one against the big picture of real estate workflows and application integrations. What it has boiled down to in the past is that it is rare to find a one-size-fits-all solution (i.e. one that works for EVERY user), so an authentication server is required to broker all sorts of authentication mechanisms, and the customers and end users are provided a choice of what will work for them.

  7. With the advent of iPhone 3G communications and the various apps associated with it I have begun to wonder if there is another possibility – albeit an iPhone specific one.

    There are various iPhone apps that permit scanning of 2D and 3D barcodes. What if someone wrote an app that permitted the end user to scan the barcode off a SmartCard using their iPhone camera – such as the SentriLock ID card – and transmit that code to the Web site in question as a form of authentication.

    Or better yet, you could scan an ever-changing code off the same SmartCard and transmit it. It would be difficult to duplicate…

    There are pros and cons to that as well, but I find that apps with direct program access to a particular service online are more reliable than SMS, MMS, etc.

    In the end, let’s face it, if someone wants to hack your site they’ll do it no matter how secure you make it.

  8. I would caution you about relying on SMS for authentication. The cell carriers have a different economic view of account security than you probably have because of the number of users they have. If their security mechanisms are too tight and 5% of their users are locked out, their help desk costs go through the roof. Thus, they make it very easy to get a new password for an account. Here are a couple of posts on the issues:


    It also seems that the proliferation of app stores – both wired and wireless – will help alleviate the issue of using a dedicated app for two-factor authentication. Our software token is on the iPhone app store and the Blackberry store. (Updates can take time for the iPhone, we find.)

    FWIW, you can use the open source version of WiKID and the GPL PC tokens. https://sourceforge.net/projects/wikid-twofactor/. Code contributions welcome.

  9. Matt Lavallee

    @MattCohen — I’d be hard-pressed to see such a patent stand up to scrutiny. What’s the patent number? There are quite a few patents that cover passwords over SMS and the operation of an MLS over portable devices (including authentication)… it would be difficult to enforce a “two factor” patent that uses SMS in a manner described in the existing patents.


  10. J Blackburn

    No. I am often on with a client when accessing MLS and don’t want to be receiving texts from you at the same time. It seems to me that you’re paranoid, there really isn’t a problem here, is there? Help us work more quickly, don’t make us depend on our cell phones for your security purposes.

  11. Matt Cohen

    @Matt Lavallee – Patent 6,993,658 – “Use of Personal Communication Devices for User Authentication”. Several of the best IP attorneys were engaged to review the patent prior to licensing.

    At any rate, as is clear from the above posts, SMS OTPs are not a good choice for everyone – it’s just one tool in the belt.