Customer portal

I think what is best will depend on the details of individual business normal operating procedures. So I do not think any specific arrangement should be hard coded into Manager hence

Awesome feature!
I am not sure about processing sales orders etc. but the idea that a customer can download their invoices / credit notes and hopefully statements instead of requesting copies of documents which have already been sent to them is magic. Some form of security is critical though. It can start as a simple implementation of a password field for each customer, even considering using the customer Business Identifier would be easy to implement and more secure than a link giving direct access.

I think as it is now is great. As a user of the desktop edition I can create and test customer portals, but since all the files are stored only on my computer the URL (which gives a local path) is useless to anyone else and they won’t be able to access it remotely. So it lets me test out the feature without really being able to use it. If I want to get full functionality I need remote storage which the cloud and server editions provide, thus giving me an incentive to upgrade.

1 Like

@Tut I agree with a lot of what you have just said. The customer portal needs to be built with cyber security in mind.

I appreciate that you don’t see much value in the portal for your business. However, for my business it does have the feel of moving from the stone age to the future. The customer shall know electronically and precisely where he stands with us in regards to business transactions in between us. This as AMM put it, is exactly the whole point of the portal.

The difference between the portal and email is that email is by very definition insecure. A portal where you have to login and view the invoices etc is a much more secure method relatively speaking. With cyber security on the rise, removing quotes and invoices from email communication is a far better way to go as a lot of information is exposed via email communication.

However, I agree that the security of the Customer Portal is of serious concern. What I would suggest is that Manager implement a customise setting similar to the main Manager program, so that each business can choose what tabs to display in the customer portal. This would address most people’s concerns about the presence of sales orders in the customer portal.

I agree that a password alone is not optimal security, but apart from IP geolocation restrictions (say blocking all access outside your country if all your clients are local), there is not much more that one can provide. It would not be practical to issue hardware fobs to clients or set them up with certificates etc.

The only suggestion that I would recommend is that the portal email them and say you just logged in from IP address at this time. Is this you and if not change your password immediately.

At the moment, there is absolutely nothing that a hacker could do on the portal, they can’t change anything and they can’t download anything. If we remove tabs such as sales order, then already security has improved. I fully agree that Manager restrictions should apply to the customer portal. Speaking for myself, I don’t want clients to change quotes, orders, invoices, delivery notes or credit notes. They can download or view these forms. The only “editable” feature that I want (at this point in time) is for them to approve a quote and upload their PO number. Once it has been approved by the client, it can’t be changed again. So again, a hacker would be very limited in what they can actually change.

Note, I would recommend that there are no credit card or other payment details within this portal. That is a security nightmare. The customer can pay by bacs.

I am not convinced that there is much difference between a customer portal that is part of the accounting program and a portal that is on a CRM system that links up with the accounting program. At the end of the day, the system is only as secure as the developer makes it and it is possible for the customer portal to operate as a completely secure silo system.

I would use the desktop version just for testing the portal. If you want clients to view the portal, then your business needs the cloud or server version. I agree that questions around what happens if the portal is disabled and adding restrictions to the portal to say only show unpaid invoices. Manager already has in place a customise option to add/remove tabs and a permissions area to allow users access to specific areas, with view, edit etc. This can be and should be extended to the customer portals.

I do agree with your concerns however, about allowing clients to accept quotes and upload po numbers which in effect are altering the accounting program. In theory you don’t really want clients doing anything in Manager itself effectively. Which is why I am calling for the removal of the sales order tab on Customer portal and restricting clients only to approving quotes (they should not be able to do anything else to the quote) and obviously upload their PO number. Perhaps a solution would be that clients could approve a quote and upload their PO and I have to login and accept their pending changes. This would ensure that if somehow a portal got hacked, I could deny pending changes? This is how I would do it. We should have to approve customer pending changes.

So in short, I do agree with your concerns. However, by the use of tab customising, Manager permissions, approve client pending changes, Geolocation IP restriction, username and passwords, emailing client login verification check and not allowing sensitive information such as credit card details will all go a long way to making the portal as secure as possible.

This is an excellent feature and a step in the right direction. This is just the beginning, I’m hoping there will be a lot of improvement to the customer portal feature in the coming months.
I’m hopeful customers will be able to generate their own statements, see payment methods, place an order and see the confirmation and the fulfilment of the order (quantity to deliver), price list, customer’s aged receivable report, announcements (such as a change in office location, payment method, and price list.) and a lot more things.

I’m confident Lubos has got the security issues checked and will continue to ensure that.

2 Likes

I personally think that payment methods should be restricted to getting the client to login to the bank and handling the transfer there. It seems like a massive security concern for very little gain to handle payments internally. Let the banks assume the risk and security headaches and just handle the ordering process within Manager. I will push very hard against having a payment portal within the customer portal. I think it creates a massive liability for NRG Software and for myself for virtually no gain. They can easily pay through their bank. Why re-invent the wheel.

I’m not saying payments should be handled from there, I’m only saying that Payment methods can be shown there e.g., Bank account and PayPal details.

1 Like

I wouldn’t be so sure as to this - but then I am not a cyber-security expert. But I am sure that once a hacker has some access, he/she can probe for any cracks elsewhere in the code and I wouldn’t be betting my money on keeping them out

Customer portal is indeed a great idea and developing it gradually is another idea.

Meanwhile, it will solve a lot of issues if Customer Statement is added from report. I observed that if you allow payments made by customers auto default to any invoice, the true picture of must invoices may not be seen.

Customer statement on the other hand will tell customer all his debits and credits transactions.

Noted. I was referring more to what they could do as an end user, rather than somebody who had programming abilities. Most hackers gain access via weak passwords and they make use of what information is available via that login. There are very few (relatively) speaking that have the technical ability to probe the coding to see what else they can gain access to. But you are correct that is technically possible. This is why it’s so important that the portal is developed from the ground up with security first and foremost rather than added on as it were.

1 Like

With the desktop edition, a customer would not be able to use the link, so if someone wants to use the feature properly they’ll need to buy server/cloud edition anyway.

Having the customer portals visible on desktop edition is helpful for testing, though. So I’m glad it’s available. At the very least, it makes it easier to debug issues for other people on the forum.

Updated from 21.6.6 to 21.6.7, and can confirm that the date format on customer portals is now correct. Thanks for the heads up! :slight_smile:

The business logo appears fine on invoices for me, within the customer portal.

Interesting stuff. Currently really just a customer specific menu path to the same document views as in the app. Some general thoughts;

  • Summary - view account balance & aging?
  • Orders…, Order visibility to customer isn’t weird - I currently email orders to customers but do title them ‘Order Acknowledgement’ via a custom theme (custom title not yet available in forms defaults) making sure the order description is PO#12335 etc. Still an acknowledgement is a snapshot as of when the order is taken whereas making this available via a portal will drive the need to be able to clearly see order line status, qty ordered, shipped backordered and invoiced by line to truly show the customer order status in a manner useful to the customer.
  • of course security, security, security.

Will be following where this goes.

Passwords are for dumber children. You need a whole set of layered options for security controls:

  • All user accounts require Multi-factor authentication, including smartcard, hardware tokens.
  • User login banner agreement to surveillance and perhaps other nondisclosure clauses.
  • Password strength.
  • Password reset interval.
  • Expiration for unused user accounts.
  • Selection of externally hosted Identity providers.
  • Role-based security settings (I think I mentioned this before).
  • Web session timeouts.
  • Tagging data as PII, or might be combined as such.
  • Enforce encryption for all customer messaging (i.e., setting encrypt customer files and messaging)
  • Reports of these compliance settings.
  • Dozens more options. Good grief.

NIST 800-53 Rev 5 is publicly available. Better leave a copy in the bathroom. After what happened to American oil and meat these last few weeks, the heat is coming up. Insurance companies are poised to insist that IT security compliance be audited/reported at smaller-scale operations.

By building the features to allow public customer access (as opposed to forcing organizations to intentionally engage workarounds to communicate with customers) you are putting manager.io in some crosshairs. Manager.io must consider zero trust, role based access with separation of duties, non-repudiation, compliance reporting.

It’s not too big a reach to imagine manager.io users forced by insurance policies, or by contractual requirements, to abandon wonderful manager.io, in favor of a sucky alternative that happens to have more comprehensive security packaging.

That’s a bit too much. And imo, checking all of those will only make for an unpleasant user experience what with the slowness, inevitable lockouts and the increased subscription and administration costs. Don’t sign me up for that.

I doubt that would ever happen, first because only a tiny portion (if any) of manager users would insure against cyber security risks as opposed to the large numbers who appreciate simplicity.

Even if a lot opt for cyber security insurance, they’re not going to a competitor, their only option is to develop their own security solution.

In fact, I cannot even point to a single government body, bank, online id provider or even tech site that checks all of those.

I think realistically speaking, those are the available options:

  • User login banner agreement to surveillance and perhaps other nondisclosure clauses. (Preferably in a link plus an added disclaimer and waiver of user accepted risks)
  • Selection of externally hosted Identity providers. (Not sure how this is going to work, maybe through invitation, but that’s fine)
  • Web session timeouts.

Otherwise manager seriously risks being pigeonholed into a tiny niche market.

I like having customer portal and was looking forward actually to expose it to some of my customers, but after reading all the comments it does raise some concerns on security and data ownership.

We are still missing at minimum

  • Multi factor authentication
  • Password strength enforcement

Please don’t build external link using business ID and customers ID as this just gives everyone too much information to start looking for vulnerabilities.

Also unauthenticated users can be anyone, it can be automatic bot scraping all information and Summary tab includes a lot of private information Full Name, Address, email. Anyone exposing that might be scrutinized under EU law and GDPR rules.

As I understand Xero does allow to share invoices with customers, however it would force all customers to create account with Xero before that is allowed.

Alternative without user login maybe something like that could be implemented:

Flow when each time client wants to access it he would need to get new link sent to their email.

  1. Access URL as it is currently but would prefer hiding business and customer ids from externally accessible links as it gives too much detail on internal db, just generate unique id for each customer
  2. It shows message stating please check your email to gain access
  3. Customer receives email with clickable link and special auth token https://manager.io/customer?id=SomeRandomSecureTokenThantwillExpireinFewHours
  4. Clicking that link gets you into customer portal

Would definitely add control what is allowed to be exposed to that portal:

  1. Invoices only by default
  2. Allow disabling summary or allow choosing which fields are exposed to customer portal
  3. Everything else is rather opt-in rather than by default enabled

Will watch carefully on it evolving, however at the current stage I would not use due to risk of exposing private information.
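
The emailed-link flow described in the post above, sketched as an added example that is not part of the original thread and not Manager's code. `PortalLinkStore`, its method names and the two-hour lifetime are assumptions for illustration; the server keeps only a hash of each token, and a token works once.

```python
import hashlib
import secrets
import time

TOKEN_TTL_SECONDS = 2 * 60 * 60  # assumed value for "expire in a few hours"


class PortalLinkStore:
    """Hypothetical in-memory stand-in for the server-side link table."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._by_public_id = {}  # opaque public id -> internal customer key
        self._public_ids = {}    # internal customer key -> opaque public id
        self._pending = {}       # sha256(token) -> (customer key, expiry)

    def public_id(self, customer_key):
        # Step 1: the id in the external URL is random, so it reveals
        # nothing about business or customer ids in the database.
        if customer_key not in self._public_ids:
            pid = secrets.token_urlsafe(16)
            self._public_ids[customer_key] = pid
            self._by_public_id[pid] = customer_key
        return self._public_ids[customer_key]

    def request_access(self, public_id):
        # Steps 2-3: mint the token that goes into the emailed link.
        # Unknown ids return None; the page should show the same
        # "check your email" message either way.
        customer_key = self._by_public_id.get(public_id)
        if customer_key is None:
            return None
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        digest = hashlib.sha256(token.encode()).hexdigest()
        self._pending[digest] = (customer_key, self._clock() + TOKEN_TTL_SECONDS)
        return token

    def redeem(self, token):
        # Step 4: pop() makes the token single-use even if it has expired.
        digest = hashlib.sha256(token.encode()).hexdigest()
        entry = self._pending.pop(digest, None)
        if entry is None:
            return None
        customer_key, expires_at = entry
        if self._clock() >= expires_at:
            return None
        return customer_key
```
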

Current security standards are to not enforce a reset interval, as it encourages the user to just use incremental passwords.
badpassword1
badpassword2
badpassword3
etc.

Otherwise, I agree that most of what you’ve said is in line with some of the best recommendations at the moment. But is probably a bit overkill for Manager.

If security is to be taken seriously, a minimum IMO would be an off-the-shelf password strength checker to encourage good choices, and the option for Multi-Factor Authentication with an app like Authy.

Like yourself, I think the security of the customer portal and to a lesser extent is of some concern and it needs to be improved upon.

However, you have to balance security with usability. If customers or users frequently have problems logging in, they will end up not using it and taking their business elsewhere. Most of what you suggest is not implemented by even companies like Amazon! It would be ridiculous and counter-productive to implement it for Manager which is targeted at small businesses.

Hardware tokens are not cheap and not practical if you have hundreds of clients. For small businesses that use Manager itself, again hardware tokens are not always practical nor cost effective. Manager has a niche market for small businesses, not enterprises.

User login banner agreement etc does nothing to improve security and I would consider it counter productive to have it.

Password reset interval has long since been abandoned as it has simply resulted in people sticking their passwords on their monitors.

Expiration for unused accounts is a feature worth considering however as are some of your other suggestions such as MFA. But ultimately you need to consider the target market of Manager and balance the security accordingly. Hardware tokens are not suitable for this market sector.

What I would push for is linkage with haveibeenpwned to check password strength and to ensure password has not been involved in a breach elsewhere. I would also recommend IP Restrictions for different parts of the program eg this IP for this client portal, that IP for that client portal and this IP for that head office. IP restrictions is a very effective way to block a lot of access with no effort on the user end other than only logging in on site as it were. Obviously IP restrictions for clients only work if your business is like mine and works with clients on an annual basis rather than say Amazon where the clientbase could be anyone, anywhere any day.

Let’s improve security of Manager by implementing password strength checker (via haveibeenpwned) and MFA and IP Restrictions for business side of Manager (even if it’s just restricting to your country or town) and encryption for both Manager and customerportal data and last but not least ensuring security permissions to access tabs and data in both main and customer portal sections provide the users with the minimum restrictions that they need. Role based security will help to organise the permissions better, but more granular control is always more desirable. For the rest of your suggestions, they are just massively overkill and would end up causing more problems than they solve whilst not appreciably improving security. The biggest cause of breaches is weak passwords and lack of MFA. Solve that and you have largely solved most of the security breaches. Not all, but most.

1 Like
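
The breached-password check suggested in the post above can be done without sending the password or its full hash anywhere. This added example (not from the thread and not Manager's code) follows the Pwned Passwords range format, with a constructed response standing in for the network call; the function names and sample counts are assumptions.

```python
import hashlib


def split_sha1(password):
    """Return (5-char prefix, 35-char suffix) of the upper-case SHA-1 hex digest."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def breach_count(password, fetch_range):
    """How many times the password appears in the breach corpus.

    fetch_range(prefix) must return the body of
    https://api.pwnedpasswords.com/range/<prefix>: one "SUFFIX:COUNT" per line.
    Only the 5-character prefix leaves this function; the suffix is
    compared locally.
    """
    prefix, suffix = split_sha1(password)
    for line in fetch_range(prefix).splitlines():
        candidate, _, count = line.strip().partition(":")
        if candidate.upper() == suffix:
            # Padded responses carry dummy entries with a count of 0,
            # which correctly read as "not seen in a breach".
            return int(count or 0)
    return 0


# Constructed response for prefix 5BAA6 (the SHA-1 prefix of "password").
# The counts and the first and last entries are made up for this example.
CONSTRUCTED_RANGE_5BAA6 = (
    "0018A45C4D1DEF81644B54AB7F969B88D65:1\r\n"
    "1E4C9B93F3F0682250B6CF8331B7EE68FD8:37\r\n"
    "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF:0\r\n"
)


def constructed_fetch(prefix):
    """Offline stand-in for the HTTP GET; knows a single prefix."""
    return CONSTRUCTED_RANGE_5BAA6 if prefix == "5BAA6" else ""


if __name__ == "__main__":
    for candidate in ("password", "kX9#vT2!qLm84zRw"):
        print(candidate, breach_count(candidate, constructed_fetch))
```

A portal would reject any password with a non-zero count at signup and at password change, alongside a minimum-length rule.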

If the order status shows all this - delivery details, backordered etc. Then yes, including the sales order on the customer portal makes sense. Perhaps this is what @lubos is thinking? I can appreciate the value of the client being able to see the progress of the order, even if it’s not massively useful to my clients per se.

Dear Lubos,
As you have started to make it more like ERP, please consider it to be used in distribution and dealership nature as well. Single business with their distributors getting their login to keep record of sales and customers specific to those distributors only.

Good job and good luck.