Odoo MasterKey Connector
by Central Data Systems Pty Ltd https://www.bankvault.com/bankvault-masterkey-odoo-connector/
Availability | Odoo Online, Odoo.sh, On Premise |
Lines of code | 502 |
Technical Name | masterkey |
License | OPL-1 |
Website | https://www.bankvault.com/bankvault-masterkey-odoo-connector/ |
Versions | 12.0 14.0 13.0 15.0 16.0 |
Seamless Access
Increases user engagement
Strong Security
Builds user trust
The Problem
99% of cyberattacks target user PCs and smartphones. The goal is to intercept login credentials and take over online accounts to steal money, redirect financial transactions, or access private data. This is easily done with JavaScript in the browser, which is undetectable.
Even Password Managers expose user credentials when auto-filling web forms because passwords are loaded as clear unencrypted text. The asterisks a user sees are only a mask for human eyes.
User sessions that remain logged on indefinitely make an easy target for account takeovers.
The Solution
Passwordless became mainstream in 2022 when Google, Apple and Microsoft announced Passwordless access to their own services. Analysts predict 90% adoption as other online services surge to deploy frictionless access to their own services.
MasterKey is an intelligent new approach which is invisible and frictionless for users. With no user software or setup, it can be deployed in minutes.
User sessions that remain inactive are automatically logged out, ensuring user accounts remain secure.
How to Activate
Step 1: Install the Odoo MasterKey Connector.
Step 2: Insert your secret MasterKey API Key into the Connector to activate it.
If you don't have a MasterKey account, you can create one here: bit.ly/3gRctax
How does MasterKey work?
MasterKey is a Security-as-a-Service solution developed and hosted by the cybersecurity innovation team at BankVault.
It harnesses the user's mobile phone to authenticate, but does this without any user software or setup, and so is invisible to users. It can provide up to 3 factors of authentication, which is far more secure than just a username + password.
The system creates a Decentralized Web Protocol.
Temporary security secrets generated by the webserver combine with temporary security secrets generated by the user's mobile. These are used to double-encode and encrypt information entered by the user, such as login credentials.
The genius behind the protocol is a two-stage process that uses these secrets but never requires them to be released, thus ensuring the user's information can only ever be deciphered by the webserver when initiated by the mobile.
TEST DRIVE?
Experience it live
bit.ly/3gYVGSZ
User Experience
For users going directly to the website with their mobile/tablet it simply logs straight in.
For users on a workstation, scanning a QR code on the login screen with a mobile camera transfers the page to the mobile and authenticates the user. The workstation logs in.
Another security feature is an automated session timeout for inactive Odoo users. If set to 60 minutes, then after an hour of no screen or mouse activity it will prompt a 60 second warning before logging the user out.
No Technology Risk
There is no single point of failure. In the event the MasterKey service is not available, users can still log in by entering their username and password.
No Security Risk
This is the user's normal input, but now controlled by the webserver working in concert with the user's mobile and proof-of-presence.
Service Provider
The MasterKey service is a service developed and hosted by the cybersecurity innovation team at BankVault (BankVault.com). If you don't have a MasterKey account, you can create one at https://www.bankvault.com/bankvault-masterkey-odoo-connector/.
The Odoo MasterKey Connector was authored by Central Data Systems (central-data.net) and is provided free to the Odoo community.
FAQs
How can you trust Security-as-a-Service?
MasterKey is a Decentralized Web Service, so there is no central point of control that can decipher the information. Any data flowing through the system uses standard encryption and encoding technology. The current state of encryption would require billions of years to decrypt and, if it succeeded, it would only reveal contextless meaningless encoded data.
Temporary security secrets are created on the fly by the webserver to encode the information. The user's mobile phone also generates temporary user secrets. The algorithm combines these secrets together to encode the user's mobile screen before the user's intent is registered. Nothing in the universe can decipher this.
The original user's information can only ever be deciphered by the original web server, when a recall of the information is initiated by the user's mobile phone. The security secrets generated by the mobile and by the webserver are temporary and never come together.
The webserver never releases its temporary secret, and even by itself it cannot decipher the information without the cooperation of the user's mobile.
The full detail of the protocol is publicly viewable in a Patent filing.
What are the benefits for my users?
The vast majority of cyber-attacks today target end user devices. The goal is identity theft: to capture online credentials to take over user accounts.
Passwordless Authentication provides an elevated security posture making it incredibly difficult for user credentials to be intercepted and the user's account taken over by cybercriminals. It also provides the option for Multi-Factor Authentication (MFA) and is consistent with the FIDO2/WebAuthn standards for Passwordless Authentication.*
Users experience seamless access to online services, which increases engagement. They no longer need to remember or enter their credentials again.
Strong security deepens user trust. Frictionless access increases user engagement. This provides two strong benefits for users, which create a competitive advantage and business driver.
*Note: MFA is not enabled by default. It can be requested as an upgrade.
How do I set it up?
Install the Odoo MasterKey connector and insert your secure API Key. If you don't have a secure API Key you can create one at the following link:
bit.ly/3gRctax
What do users have to do?
There is nothing for users to install or configure.
For users operating off a mobile/tablet, it simply recognizes them and prompts them to log in.
Users operating off a workstation will see a QR code. If they scan this with their phone camera, the login page will be transferred to their mobile phone's browser, authenticate and log the user in.
The QR code sits alongside the usual login form for a username and password, to allow adoption to happen by osmosis.
What do users have to do?
There is no single point of failure. The user can still log into the Odoo web portal with their normal credentials, or borrow another mobile phone and simply choose the option not to save their credentials. If they get a new mobile, they then select the option "Save and login".
Can inactive user sessions be logged out automatically?
User sessions should never remain logged on indefinitely as this potentially exposes their account to anyone with physical or virtual access to their screen.
MasterKey allows the Administrator to set an automatic logout if a user session remains inactive. This can be set to minutes, hours or days depending on the requirement of the site.
Set the Session Timeout option in the Odoo MasterKey Connector to the number of minutes of inactivity before a session will time out. If there is no mouse or keyboard activity in the page, then a 60 second warning will be issued to the user before logging their session out.
What are the fields in the Odoo MasterKey Connector?
MasterKey API Key is the code you receive when creating a MasterKey account on the BankVault portal. Insert this secure code to activate your service. This API Key should remain secret, and therefore once saved into the web form it cannot be retrieved or revealed.
Session Timeout allows a system administrator to specify how long a user session can remain inactive before being automatically logged out.
Odoo Proprietary License v1.0 This software and associated files (the "Software") may only be used (executed, modified, executed after modifications) if you have purchased a valid license from the authors, typically via Odoo Apps, or if you have received a written agreement from the authors of the Software (see the COPYRIGHT file). You may develop Odoo modules that use the Software as a library (typically by depending on it, importing it and using its resources), but without copying any source code or material from the Software. You may distribute those modules under the license of your choice, provided that this license is compatible with the terms of the Odoo Proprietary License (For example: LGPL, MIT, or proprietary licenses similar to this one). It is forbidden to publish, distribute, sublicense, or sell copies of the Software or modified copies of the Software. The above copyright notice and this permission notice must be included in all copies or substantial portions of the Software. THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.