Solving Unlicensed Use of Valuable MLS systems using Strong Authentication
Clareity Security – July 2009
Over the last five years, over half a million users have had their MLS and other real estate software protected by strong authentication, primarily Clareity Security's SAFEMLS® solution. Strong authentication stops unauthorized access by combining multiple factors – something you know (like a username and password or PIN) with something you - and only you - have (like a cell phone or hardware token) or something you are (biometrics – like fingerprints). Strong authentication has been proven effective in combating unlicensed use and associated revenue leakage while reducing the load on valuable system resources. In most implementations of SAFEMLS, organizations realized an increase of 5 to 40% of membership and associated revenue. In addition, several implementations saw decreases in system usage by up to 50% as illegitimate users were turned away.

Clareity Security has proven itself as the market leader in the authentication space with the flagship SAFEMLS solution. SAFEMLS was
originally introduced in 2004 with both hardware and software token
offerings. In a continuous effort to offer users a choice of form factors
that were both convenient and affordable, Clareity Security released strong
authentication options that did not require the user to carry a hardware token
(or 'fob'). Choices included receiving one-time-use passwords on a cell phone
or PDA, via the lockbox key and a wide variety of other methods.

Recently Clareity Security began offering an intelligence-based,
zero-footprint (no end-user software or hardware) authentication
solution. Scout and Sentry for SAFEMLS® uses multiple
authentication factors to ensure that the user logging in is the legitimate
user. It combines something the user knows (the username and password) with
something the user has (intelligent analysis of what computers the user is
coming from) with something the user is (a proven and security-regulation
certified biometric technology: keystroke dynamics). This technology captures
the user's session information of location, device, and biometric and builds a
profile to determine what the legitimate user's access looks like. These three
factors together are used by Scout for SAFEMLS to aggregate, analyze,
and act on session data to stop unlicensed use.

The following chart is an example of a shared account where Sentry for
SAFEMLS has identified two distinctly different typing patterns or profiles by
Keystroke Dynamics. In this case, the two user profiles are also using
different devices to access the MLS.

Unlike traditional authentication solutions requiring administrative
overhead, Scout and Sentry for SAFEMLS leverage access intelligence and
provide the first and only security solution to automate remediation of account
sharing. Remediation actions can include sending notifications to the
user, forcing password changes and ultimately sending a one-time-use code to
the user's email address – or even better sending it to their cell phone. The
user must then use that special code to finalize their login. Most importantly,
legitimate users are never impacted by this solution.

Recently, some vendors have confused the market by introducing weaker
forms of authentication and incorrectly calling them "strong authentication"
without providing a defense against collusion, the primary source of unlicensed
use. For example:
- "Secret Questions" – This mechanism adds an additional 'something
you know' – answers to secret questions - to your existing username and
password. By definition it is not strong authentication and is easy to defeat,
as users can share the answers as easily as they have shared passwords. If one
asks a lot of secret questions, the answers can be shared via email or
paper copy, or the user may just use the same answer for all questions. Worse,
if the user answers really secret questions truthfully – like birth
date, mother's maiden name, or social security number - your MLS now has very
sensitive data to protect and increased liability. Secret Questions are also as
vulnerable to keystroke logging, packet sniffing and other hacking as
traditional password authentication. If used appropriately, secret
questions can add value to a more comprehensive authentication solution, but on
their own, they have limited value and can create user frustration and an
increase in help desk calls.
- "Certificates" – This is similar to a web browser cookie stored
on your computer – it's "something you have" in addition to the username and
password. Unfortunately, since one of the industry's primary problems relates
to shared computers, this is fairly useless as a method. Certificates are
just files that can be e-mailed to other computers and users. Colluding
users can easily defeat the authentication technique. Authenticating the
computer is not a replacement for authenticating the end-user. Also, how
is the user authenticated to get new certificates when they go to a new
machine? If there's no strong authentication needed to get the certificate,
this security method is as strong as its weakest link!
- "Adaptive Authentication" tries to detect abnormal use and then takes action when that
abnormal use is detected. For example, if a user usually logs on from Detroit,
Michigan and there is a logon attempt from Honolulu, Hawaii, the system would
attempt to make an assessment of whether the logon was valid. However, in the
real estate industry the most common problem is users intentionally sharing
accounts within the same geographic area and even within the same office, where
they would likely be using the same computer type and perhaps even the same IP
address. MLS users also utilize a variety of computers to access the MLS - at
customers' homes, at coffee shops, or sharing computers in broker offices -
that makes it even more difficult for adaptive technology to reliably
distinguish between legitimate and illegitimate logon attempts.

Clareity Security is the only vendor
that provides a convenient token-less method of strong authentication that is
both effective and does not impact legitimate users. Don't be fooled by
'weak' authentication masquerading as strong login security. The security
standard set for MLS logins and data sharing agreements all over the country is
strong authentication. Genuine strong authentication that addresses
collusion is the only proven method of protecting the login against
illegitimate use and providing the MLS operator the benefit of increased
revenue.