MasterKey
Passwordless Web Authentication
Seamless for Users | Deployed in Hours
An intelligent new approach to Passwordless Web Authentication that is invisible and frictionless for users.
The seamless experience makes it 10-100x faster to deploy than other solutions, requiring: (i) no client software or user setup, (ii) no change management, and (iii) no backend system changes.
Seamless User Experience
No client software or user setup
No change management
No backend system changes
MasterKey meets the most advanced standards for Zero-Trust networks and Zero-Trust devices.
It implements the WebAuthn/FIDO2 standard without any system development.
Zero Trust Networks – Zero Trust Devices
Sidestepping the Attack-Surface
99% of cyber-attacks target devices (PCs and smartphones). The goal is identity theft to take over online accounts and steal money, redirect financial transactions or access private data. Credentials are easily intercepted by keyloggers or a Man-in-the-Browser attack. MasterKey sidesteps the device, providing no attack-surface for hackers. Credentials never hit the user device or network.
Zero Trust Networks
MasterKey meets the most advanced expectations of Zero-Trust networks.
Devices capturing information from users are first encoded, and the data captured is then double encoded and encrypted with AES-256. Current technology would require billions of years to decrypt this, and would only then reveal context-less, meaningless encoded data.
Whether “Cloud Hosted” or “On-Prem”, nothing can intercept and decipher the information flowing through the system.
The protocol ensures that only the webserver, with the security keys it generates, can decipher the information when triangulated with the user's mobile, and optionally their proof-of-presence.
At no other point within the system is there enough information to decrypt and decode, other than inside the webserver.
Zero Trust Devices
MasterKey’s security posture assumes every device is already compromised.
The system projects a security protocol that sidesteps any malware or non-malware, allowing users to authenticate themselves or authorize transactions.
It sits comfortably alongside existing monitoring and detection software on users' devices without interference.
FIDO2 / WebAuthn
MasterKey is an implementation of the WebAuthn / FIDO2 standard.
It enables organizations to deploy WebAuthn overnight, without any system development or data migration.
What sort of systems is MasterKey suited to?
SaaS (software-as-a-service), where web applications are delivered to users via their browser, now spans almost every type of online business. Regardless of what the application does, if users log in via their browser then MasterKey fits.
There is a wide range of web technologies but the MasterKey architecture works across all of them.
Can we pilot this with a small subset of users?
This is easily done by creating a separate Test login page, on a different URL to that used by other users. You simply share this Test URL with the subset of users.
Does MasterKey replace Password Managers?
Password Managers, whilst convenient for the user, actually expose login credentials to any software in the browser. When they load encrypted credentials into a webform, the credentials are no longer encrypted, but are plain clear text. Password Managers actually expose user credentials, whether using a browser plugin or simply the browser remembering passwords.
MasterKey makes Password Managers redundant for the websites it is configured on. Users no longer need to remember or enter their credentials to this site, and it raises the security because the credentials are no longer entered through the local device.
We’re doing an IAM Transformation. How does MasterKey fit?
“Identity and Access Management” is a major rationalization project for organizations. The goal, to unify all systems as one with each user having a unique digital identity, can take many man-years of work and frequently encounters unexpected issues. Passwordless Authentication is often not possible to deploy until this foundation layer is rolled out first.
MasterKey allows an organization to deploy Passwordless Authentication on each web application allowing a clean, secure interface to be deployed straight away. It doesn’t compete at the layer where users are receiving digital identity. Rather, it simply provides an alternative means of login to each web application.
Once an IAM transformation project has allocated digital certificates to all users, MasterKey can be used to provide Passwordless Authentication to that new foundation.
How do we set up a Test Drive?
This is virtually Self-Service. Simply request a Test Drive from us and we’ll send you an access code and the instructions to integrate the API.
Your front-end programmer needs to add 20 lines of code and set up a separate Test login page. It is little more than a cosmetic change to display a QR code on workstations.
This Test page can be shared with a few choice users as a Proof-of-Concept.
It can then be shared with a wider group of users as a Pilot.
The pilot can be progressively expanded in a Canary rollout, until all users are operating off it.
At the point where you are ready to commit and want your own brand on the user’s phone, we request a formal contract. We in turn set up dedicated infrastructure for your organization.
How does the user implement Biometrics?
WebAuthn, part of the FIDO2 standard, is an emerging standard allowing web applications to leverage user mobiles to prove that a person is present.
This can be through a fingerprint, a screen swipe pattern, a physical device over Bluetooth, or simply a PIN. This data never leaves the user's mobile, so it is not transmitted. Instead it uses Public Key Encryption.
This can be enabled at any time during the life of the system. Simply contact us and we’ll turn it on. The user's mobile will prompt them, the next time they log in, to choose their preferred way to give proof-of-presence.
It can also be disabled at any time during the life of the system.
What are risks, both technical and security?
There is no technical risk. In a worst case scenario where MasterKey is cut off for any reason, the user simply gets a normal login screen. They enter their user credentials and log in.
There is no security risk. The user’s normal credential input is simply abstracted away so it never needs to be entered again. It is controlled by your organization's webserver by triangulating with the user's mobile, and the user themselves.
Can MasterKey secure devices (workstations and mobiles) and locally installed apps?
MasterKey only works with web applications, where users log in via a web browser.
How simple is this to deploy? Really!
The integration is simply adding about 20 lines of code to make a cosmetic change to the user login screen. It can be deployed immediately because it simply provides users an alternative login experience.
On workstations it is offered as a clear choice with three words, “Scan to Login”. When users decide to investigate and scan it, their system logs in.
On mobiles, it is virtually seamless as there is no QR code.
When done carefully there should be no Change Management with users. They simply adopt it by osmosis.
How secure is Passwordless Authentication compared to 2FA?
MasterKey provides Multi-Factor Authentication. Something you know (credentials), something you have (mobile phone) and something you are (fingerprint or such).
It achieves MFA in 1 invisible step (not 2 steps), and without requiring any client software or user setup.
Can users get Passwordless Authentication to other websites?
BankVault MasterKey is a webserver-controlled architecture that harnesses the user's mobile phone. It only applies to the website it is configured on.
How can we secure our users accessing other external websites?
BankVault SafeWindow and WebSafe are end-user tools that protect users accessing any online service. They allow users to take control of their own security by sidestepping any malware on their local device, e.g. Keyloggers, Man-in-the-Middle, Man-in-the-Browser, Ransomware and more. Any potentially hazardous website, web-link or email attachment can be opened with complete immunity. No client software is required, and it runs as a SaaS web service.
BankVault Pty Ltd Address
Address: 92 Natoma St., Suite 211,
San Francisco, CA USA 94105
Telephone No. +1 650 283 0525