Jan. 12, 2009 - About "Adaptive Authentication"

Clareity Security set the standard for real estate industry standard for login security over four years ago, introducing strong authentication to the industry. Strong authentication, also termed "multi-factor" authentication, involves two of the three following items: something you know (e.g. a password or PIN), something you have (e.g. a token, PDA or cell phone), or something you are (e.g. biometric information). Recently, some have promulgated the idea that "adaptive security" can replace strong authentication, implying that adaptive security is comparable in strength to strong authentication - this is simply misleading.

Adaptive authentication tries to detect abnormal use and then takes action when that abnormal use is detected. For example, if a user usually logs on from Detroit, Michigan and there is a logon attempt from Honolulu, Hawaii, the system would attempt to make an assessment of whether the logon was valid. That works great in the banking context, but it just doesn't apply in any significant way to MLS authentication security, where the most common problem is users intentionally sharing accounts within the same geographic area and even within the same office, where they would likely be using the same computer type and perhaps even the same IP address. MLS users also utilize a variety of computers to access the MLS - at customers' homes, at coffee shops, or sharing computers in broker offices - that makes it even more difficult for adaptive technology to reliably distinguish between legitimate and illegitimate logon attempts. To have MLSs interrogating users to try to distinguish between true "cheaters" and false positives – it's untenable.  It will anger legitimate users, and be a waste of staff time to boot!

Last year, Clareity Consulting reviewed security at an 1100 member MLS, evaluating the usage of 800 UserIDs used over the course of a day. Of the 800, 5 UserIDs would have been noted as suspicious behavior by adaptive authentication technology - logging on from five or more IP addresses during the day. However, more thorough review revealed that 3 of the 5 were legitimate uses - users using wireless cards and crossing cell tower boundaries or logging in from different client homes and their own office. In this evaluation, only 3 users had abnormal download amounts – two were not actually "cheaters", but one was and this correlated with the excessive login report. All of this illustrates the problem adaptive authentication has creating "false positives". Worse yet, over 150 of the 800 UserIDs were found to be sharing account information but were using three or fewer IP addresses during the day - the same rate as the non-abusers - and since system use times were short, it was extremely rare (<2%) that these users would have tripped the "simultaneous logins" alert. Some of the "cheaters" even only used a single IP address and a single computer during the day! They work together in the same office so they appear to be ONE user to adaptive authentication.  Is having a 60% false positive rate while letting more than 95% of the "cheaters" off the hook indicative of successful security technology? The answer is clearly, "No!"

What is worse is what happens when adaptive security thinks it has found a cheater. Typically the next step is to try to validate the user so they can get into the MLS right away (say, before their listing appointment) by asking them secret questions. This level of security isn't any better than standard password security since three things the user knows (username, password, question answers) isn't any better security than two things (username, password) and is just as easy to share among “organized cheaters”. In fact, once you understand that adaptive security isn't actually "strong" and often boils down to knowledge-based authentication, one must ask the question, "Can knowledge-based authentication be effective?" A study done by respected consultants Forrester Research (http://blogs.forrester.com/srm/2008/04/end-user-securi.html) says the answer is "No". If the adaptive system is allowed to go to the next level and suspend accounts - in a system doomed to false positives - one is treading in dangerous customer service territory. 

Taking this even further, protecting the web interface is just one part of the MLS authentication problem – subscribers (and cheaters) utilize PC-based software for  both attended and unattended downloads of information, use tools such as RETS, and are increasingly moving to wireless devices and even  interactive voice response (IVR). Most of the adaptive technologies are device dependent, and are not extensible to the many ways that real estate professionals currently access information or those ways that will surely become more prevalent in the future. How can it deal PDA or third party software or with unattended downloads? This is why Clareity determined that one of the most critical success factors for a strong authentication mechanism was ensuring that it was device and platform independent.

Even if one willfully ignores how adaptive authentication concept doesn't work for real estate industry use cases, the technology itself has not had a good security track record. The following article discusses how RSA's implementation was defeated back in 2007 - note that it remains defeated today:
http://blog.washingtonpost.com/securityfix/2007/11/new_malware_defeats_sitekey_te.html

Some have pointed out that financial institutions use adaptive authentication – they are correct, but what they leave out is that banks are swiftly moving away from adaptive authentication alone and are moving to strong authentication mechanisms. Most people are familiar with initiatives such as Bank of America's SafePass, sending one time passwords to the cell phone via SMS text message.  Note that Clareity Security has the exclusive patent for the real estate industry for sending one-time passwords via SMS text messages. That's reflected in Clareity Security's deployment a few years ago of TEXT-pass, an authentication method that doesn't require tokens.

While some of the reporting capabilities inherent in adaptive authentication technologies have a place in a multi-layered authentication defense, adaptive security on its own is not strong authentication, and cannot be considered to provide a similarly high level of security - as would be required for MLSs considering data sharing or regionalization when one or more of the parties had already implemented strong authentication security.  Attempts to mislead or confuse the marketplace by stating that adaptive security has high value and is an actual alternative to strong authentication, are simply shameful.