Materials

"How can I trust MasterKey?" 

"It's not hosted in my network, and it has my users' login credentials"

You don't trust it! MasterKey is a trustless system. Your network doesn't have to trust it with anything.

  • Your webserver generates and holds a unique security secret on every session. 
  • Your user's mobile phone generates a unique security secret every session too.
  • The user's credentials are encoded by an algorithm that combines both security secrets together. The user's input can only ever be deciphered and used inside the original webserver when it is triangulated again with the user's mobile phone, and optionally with the user proving they are also present with a biometric scan.
  • This isn't security by obscurity. It's a new type of protocol that sets up a multi-stage process involving 2-3 external reference points (webserver, the mobile browser, the user fingerprint) which encode, encrypt, store, retrieve, and then decipher the credentials.
  • This is published openly in a patent application. It's open for peer review and structured penetration testing. It is pretty obvious to the programmer integrating it into a webserver because the webserver generates the security secret, so it is in complete control. If anybody got hold of the data store server or intercepted the flow of data, they would need billions of years to decrypt it and then be left with the next layer - contextless encoded data. In other words, it's a trustless system where the information is double-encoded-and-encrypted.