Here is a list of Frequently Asked Questions (FAQ):
- Who needs to have a unique mobile number on file?
- Where will my mobile phone number be used?
- How do I update my mobile phone number?
- How often will I have to authenticate?
- Will I be charged for any SMS/text messages by my carrier?
- What if I only want to receive email notifications?
- Will I need to enter a new password?
- So what should I use as a Password?
- Why are we even doing this?
Who needs to have a unique mobile number on file?
Anyone with an RAE Login accessing the RAE's Member Portal and Paragon. This includes associates, brokers, managers, assistants, administrators, and conveyancers.
Where will my mobile phone number be used?
The mobile phone number will ONLY be used for multi-factor authentication. The Primary Phone number will be used for marketing sites (e.g., Paragon, REALTOR.ca) and is how RAE Staff will contact you.
How do I update my mobile phone number?
You can update your MFA mobile phone number by emailing membershub@therae.com.
How often will I have to authenticate?
You will need to authenticate every time you use a new device or delete your browser's cookies/cache, and at least every 30 days.
Using Adaptive MFA, the system automatically learns your habits and preferences and adapts accordingly. If you are deemed low risk, you will be required to authenticate less often. If you are considered medium or high risk, you may be asked to authenticate more often. The ‘risk factor’ is based on device, location changes (for example, signing in from Edmonton and then 5 minutes later, signing in from the US) and risky IP addresses.
The association does not have control over how Auth0 determines whether a user is low-risk or high-risk.
Will I be charged for any SMS/text messages by my carrier?
The cost of receiving SMS/text messages is fully paid by the association, so this will be available at no additional cost to members. If you reply to a text, there may be additional charges applied by your carrier.
What if I only want to receive email notifications?
The option of completing the Multi-factor Authentication (MFA) challenge using email will be provided. Regardless of what method you choose to use, a mobile phone number will still be required. If you would like to use email, we will be providing step-by-step instructions closer to the release date.
The top MFA authentication providers do not allow email to be the default MFA method or allow it to be the only MFA option. As a result, a mobile number must be provided.
Will I have to enter a new password?
Yes and no. You will need to enroll a new password with the new MFA application BUT it doesn't have to be different from the one you used. If it meets the criteria below, you are good to go.
Your password must contain:
- At least 8 characters
- At least 3 of the following:
  - Lower case letters (a-z)
  - Upper case letters (A-Z)
  - Numbers (0-9)
  - Special Characters (e.g. !@#$%^&*)
We strongly recommend adding a special character (!@#$%^&*) to increase your password strength.
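The criteria above expressed as a check, as an added example that is not the association's or Auth0's own code. Counting every ASCII punctuation mark as a special character is an assumption, since the list gives !@#$%^&* only as examples; the function and sample names are hypothetical.

```python
import string

# The four character types named in the FAQ. Treating all ASCII punctuation
# as "special" is an assumption; the FAQ only gives !@#$%^&* as examples.
CLASSES = {
    "lower case letter": set(string.ascii_lowercase),
    "upper case letter": set(string.ascii_uppercase),
    "number": set(string.digits),
    "special character": set(string.punctuation),
}
MIN_LENGTH = 8    # "At least 8 characters"
MIN_CLASSES = 3   # "At least 3 of the following"


def check_password(password):
    """Return (ok, problems, missing_types) for the FAQ's password rule."""
    present = [name for name, chars in CLASSES.items()
               if any(c in chars for c in password)]
    missing = [name for name in CLASSES if name not in present]
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(
            f"needs at least {MIN_LENGTH} characters, has {len(password)}")
    if len(present) < MIN_CLASSES:
        problems.append(
            f"uses {len(present)} of 4 character types, needs {MIN_CLASSES}")
    return (not problems, problems, missing)


# Constructed sample inputs; the first is the passphrase used in this FAQ.
SAMPLES = ["Homeiswheretheheartis7", "homeiswheretheheartis",
           "Home7!", "Homeiswheretheheartis7!"]

if __name__ == "__main__":
    for pw in SAMPLES:
        ok, problems, missing = check_password(pw)
        verdict = "meets the criteria" if ok else "; ".join(problems)
        # A passing password can still lack the recommended special character.
        hint = f" (could still add: {', '.join(missing)})" if ok and missing else ""
        print(f"{pw!r}: {verdict}{hint}")
```

A password can pass with three of the four types, so the third return value shows which type is still unused, such as the special character recommended above.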
So what should I use as a Password?
Password strength is an important consideration when using passwords for authentication. A strong password policy will make it difficult, if not improbable, for someone to guess a password through either manual or automated means.
Ditch the complexity when making a password. Instead, passphrases that feature simplicity now top the list of recommendations. For example, use a passphrase like "Home is where the heart is". Add an upper case letter and a number. Your password would be "Homeiswheretheheartis7" and you are good to go.
It is also recommended to never re-use a password. If your password is leaked from one site, bad actors will try using that password with all accounts you have. If you are worried about remembering all of your passwords, learn about Password Managers here.
We highly recommend adding a special character to your password; see the next question for why!
Why are we even doing this?
We understand that this is frustrating to hear, but a password alone is no longer sufficient to protect your data/information or the Association's. Unfortunately, one of our fellow Canadian real estate associations had a cyber attack in March, which only emphasized the need for MFA.
“Several real estate agents had their username and password details stolen using a virus, which had been installed on several of the agent’s PCs,” says Andrew Martin, Founder and CEO of DynaRisk.
“The hacker is now able to use the compromised login credentials to log into the association’s portal. As a consequence, the hacker will be able to perform any actions available to the agent, from within the portal.” (Source: https://mailchi.mp/reix/real-estate-cyber-attack-warning?fbclid=IwAR3ydxQjxC-uxnJ1Ao74TS10TUwnTYOBgTsHtbhWabn4pI0Q9Oafk2H5n1M)
A popular tactic for hackers is using a brute force attack. A brute force attack is a hacking method that uses trial and error to crack passwords, login credentials, and encryption keys. It is a simple yet reliable tactic for gaining unauthorized access to individual accounts and organizations’ systems and networks. The hacker tries multiple usernames and passwords, often using a computer to test a wide range of combinations until they find the correct login information. (Source: https://www.fortinet.com/resources/cyberglossary/brute-force-attack).
Below is a table created by Hive Systems; it shows that the industry-standard requirements are no longer secure! See why our Password Table has been shared by the news, universities, and companies across the globe.
Is your password in the green?
Attribution: https://www.hivesystems.io/password