Keep Eyes off Your Prize: Why Multi-Factor Authentication Is a Real Estate Must
By John Harris and Lisa Mihelcich
RISMEDIA, Thursday, May 11, 2017— There's no time to waste in today's real estate market. For clients to successfully win a bidding war, transaction documents have to move faster than the competition. That's why real estate professionals across the country are turning to digital tools like e-forms and electronic signatures to close more deals in less time.
Taking the digital plunge is a business-savvy move for real estate professionals—and a convenience for clients. Yet it often comes with a concern that typically isn't top of mind when signing real estate documents the old-fashioned way with paper and ink: security. How do we know who's viewing and accessing the information over the internet?
The Fear Factor
According to Symantec, 429 million identities were reported exposed in 2015. In the same year, there were 781 data breaches tracked—an 8.1 percent increase over 2014, according to the Identity Theft Resource Center.
These statistics are relevant to any industry and any person using digital technology. But when real estate documents are executed digitally, there's an elevated sense of urgency. Real estate documents—like property contracts, rental agreements, leases and others—are high-stakes items that may contain sensitive personal information that could be dangerous in a hacker's hands. A data breach or unauthorized access could open the door to costly litigation or settlements—and at the very least hurt a realty organization's business and reputation.
This doesn't mean the industry should reverse its digital momentum, but it does mean that real estate professionals should be smart with their digital tools and use identity-authentication measures to assure only intended parties can access documents and data online.
Multi-factor identity authentication adds layers of digital barricades around information before a person can gain access to documents or e-sign them. It confirms a person's identity using at least two methods.
Typically, multi-factor authentication will combine email verification (requiring a person to correctly log into his or her email account with a username and password) with one of the following:
Text message (SMS) verification – Requires a person to submit a one-time unique, random PIN code received via text message
Shared secret questions – Requires a person to answer personal questions, which are known by both parties, once he accesses the portal link via email. The answers can be supplied by the institution, such as a client identification number, or by the person, such as the street of a childhood home.
Knowledge-based authentication – Requires a person to provide a correct Social Security number and date of birth before accessing documents. The person then must answer multiple-choice questions about himself based on detailed information available from public databases.
Hard token authentication – Requires a person to use a personally identifiable key fob or a security token to access electronic documents or e-signature transactions
Biometric authentication – Requires a person to match his or her biological traits to what has been stored on file, such as a fingerprint or voice
The Best Factor
The strongest types of multi-factor authentication require a person to correctly present something she knows with something she has or something she is.
Email authentication + shared secret questions
Email authentication + knowledge-based authentication
These combinations are both based on a person's knowledge. While both measures are strong forms of authentication, they don't provide a physical element of authentication that adds an additional dimension to security.
Good, but Impractical
Email authentication + hard token authentication
This seems like a good combo because it combines something you know with something you have, but giving each client their own identity authentication token is cumbersome and may not fit into your budget. Also, what happens if you lose that token, or you just don't have it with you?
Email authentication + text-message authentication
Given the ubiquity of smartphones today, this is one of the most convenient methods for pairing something you have (your mobile phone and the one-time code sent via text) with something you know. Not only is this pairing very user-friendly, it's also highly effective. It requires that a person know his email password; then he verifies he was the same person who accessed that email once he receives the code via a text message sent to his phone and he correctly inputs it into the website.
It will be up to professionals and their organizations to discern the method of authentication that is right for their clients, but two security checkpoints are always better than one, especially when those two checkpoints are ones to which people have easy access. This keeps clients from becoming burdened by security protocols and ensures documents can move quickly, easily and securely through the digital transaction and e-signing process.
John Harris is the chief technology officer at SIGNiX, the first independently verifiable digital signature company in the U.S. that makes signing documents online safe, secure, and legal for any business. For more information, please visit www.signix.com or on Twitter @signixsolutions.
Lisa Mihelcich is the chief operating officer at zipLogix™, a Fraser, Mich.-based technology company created by, owned by and working for real estate professionals to improve productivity and efficiency industry-wide. For more information, please visit www.ziplogix.com.