[Rets-dev] Username/Password and security policies

Colby Ackerfield c2 at realgo.com
Fri Mar 9 12:30:30 CST 2007


Our MLS security policies attempt to adopt best practices that will 
protect our users' accounts by not requiring them to ever provide their 
password to a site other than the MLS. That is, users should never type 
in their password if the URL isn't our MLS' URL. This is similar to the 
anti-phishing education that PayPal and many other sites promote.

The problem we've encountered is that many RETS-enabled clients will 
prompt users for this information. Many of these products are provided 
via an application service model, so these passwords are transmitted and 
stored on third-party systems which will likely have different security 
policies from our own. We'd like to avoid changing our security policies 
to accommodate RETS integrations.

Some of the options we have considered, or use, include:

- Providing users with a limited-access RETS username and password that 
can't be used for the general purpose MLS
- Alternative authentication mechanisms utilizing some type of one-time 
passwords
- Providing a single vendor account that the client vendor can use on 
behalf of our MLS users (most common approach for us)

I'm wondering how other RETS servers and clients have dealt with this issue.

Thanks,
Colby Ackerfield
RealGo, Inc.












