Last June, the Center for REALTOR® Technology posted a blog entry making a case for using SMS text messaging as a form of strong authentication. The idea is that “The user would still be presented with a login page, but after successful login they would be presented with a token entry page. At the same time the token they need to enter would be sent to their cell phone as a text message.” Clareity Security had already been doing exactly this since 2007, but it has not become a popular primary form of strong authentication.
Why? Because even though Clareity Security had spent a large amount of money to license the appropriate patents to allow us to offer this form of authentication and also invested in the type of heavy duty technology infrastructure required for the kind of performance needed (using the same SMS provider as “American Idol”), the method just didn’t work out. When users using this method logged in, they expected the text message to their cell phone to arrive within a few seconds. While Clareity Security’s infrastructure sent the message within a second and the message always arrived quickly enough in a controlled environment, in the real world of MLS users the message would not always arrive, or arrive in a timely fashion. Once the text message left the Clareity Security infrastructure and entered the world of each MLS subscriber’s cell phone provider, those cell phone providers could deliver the message in seconds, minutes, hours – or never! Obviously, Clareity Security had no control over each MLS subscriber’s cell phone provider or recourse with them to improve their performance. The real life support demands on MLS staff that resulted from this problem resulted in Clareity Security never expanding the use of the TEXT-pass™ product that used SMS text messaging as a method of authentication.
Another way to use the cell phone as an authenticator is by using it for voice authentication. Voice authentication is a form of biometrics where the user account is linked with a voiceprint that can be checked on login. When you log in using a standard username and password the system can call you and compare the voice of the person who answers the phone with the user’s registered voice. This can be a very strong form of authentication – however in a demonstration by one voice authentication vendor on the east coast, the MLS president was able to repeatedly fool the voice authentication system set up for the company’s demonstrator. As the cost of this form factor is fairly high, this vendor also suggested using it a small percentage of the time – like locking the front door of your house once in a while to deter theft, it just didn’t make any sense. Voice authentication is not simple or easy and Clareity Security is not confident of the current authentication strength. Clareity Security is exploring new technologies in voice authentication on a regular basis and if the reliability could be improved this method may become a viable option. However, other issues to resolve with voice authentication include the various real estate use cases including non-cell phone office-based authentication cases – answered by receptionists or phone-menus – as well as overcoming workflow issues such as the real estate professional on the same phone with a client asking for information and having to ask the client to ‘please hold for a minute while I authenticate to the MLS’. It’s not clear whether these issues can ever be overcome.
There is a new authentication opportunity presented by multi-tasking smart phones capable of running applications – the Android and iPhone 4. Theoretically, rather than interrupting a phone call for voice authentication, the multi-tasking phone could launch an authentication “app” at the same time. This app would provide a one-time-use password, just like the keyfob tokens commonly used in our industry today do. There are several hurdles to overcome though – the cost and effort of supporting software deployment to smart phones could be significant, and since multi-tasking smart phones do not yet make up a majority of agent cell phones, it’s not yet a solution that works for every subscriber.
As an authenticator for mobile applications, the mobile device / cell phone currently works fine on its own as the ‘something you uniquely have’, which in combination with username and password (the ‘something you know’) forms strong authentication, assuming the user has registered their cell phone and the security system checks the device ID and cell phone number. However, as individuals obtain multiple mobile devices (i.e. cell phone AND an iPad) and may be willing to share one of those devices, mobile devices will be less useful as authenticators and we will need to expand use of other mechanisms, such as the patented biometrics Clareity Security is currently deploying, to mobile devices.
Share this post: