In parts of the real estate data ecosystem the term Authenticated User is commonly used, but what does it actually mean? The concept exists to differentiate between publicly visible data (anything accessible through a normal web search) and protected data that should only be visible after a user has established and verified their identity.
Exhibit A of the SFARMLS Master Data License establishes requirements for VOW and BBO solutions to ensure that certain categories of data are protected. For purposes of MLS data access and VOW/BBO applications, authentication generally means the user has:
Created an account using a reasonably real and verifiable name
Provided identifying information (at minimum an email address)
Logged in using password-protected access
The system must be able to persistently associate activity with that specific user identity. This distinction matters because some vendors interpret “authentication” too loosely. The following authentication or identity-tracking methods do not qualify as proper authentication, because they generally do not maintain a persistent, identifiable user account:
Cookie-based session tracking
Anonymous session tokens
CAPTCHA verification
Magic-link access without an account (auth by email)
Social login that does not retain identity information
The SFAR Compliance team expects that any vendor receiving data from SFARMLS implements authentication that tracks a specific user identity, not merely that the user passed a temporary access check.