Identity Tokens

HexaEight Authentication can be broadly divided into two categories: one for users and another for machines. It is essential to understand the following terminology when working with HexaEight authentication:

User

Any individual who has access to an email address and a mobile phone and can install the HexaEight Authenticator Mobile Application is considered a user.

Machine

Any system, AI, or device that does not have the capability to use a mobile phone for authentication is considered a machine.


HexaEight EMail Identity Tokens

HexaEight EMail Identity Tokens are used for User Authentication but also serve several purposes beyond allowing users to authenticate themselves.

These tokens are also utilized by Machine Owners to create Resource Identity Tokens in order to authorize Machines and Devices.

EMail Identity Token Generation

To generate a HexaEight EMail Identity Token, the user must have a permanent email address and a mobile phone capable of installing the HexaEight Authenticator Mobile App.

sequenceDiagram
    actor Alice
    participant HexaEight Mobile App
    participant HexaEight Platform
    Alice->>HexaEight Mobile App: (1)
    HexaEight Mobile App->>HexaEight Platform: (2)
    HexaEight Platform-->>HexaEight Mobile App: (3)
    HexaEight Platform-->>Alice: (4)
    Alice->>HexaEight Mobile App: (5)
    HexaEight Mobile App->>HexaEight Platform: (6)
    HexaEight Platform-->>HexaEight Mobile App: (7)

Caption   Description
1         Creates A New Vault, Registers An Email Address And Triggers Email Verification Request
2         Requests EMail Registration
3         Responds With Email Token Request
4         Sends An Email Invite With QR Code
5         Alice Scans The QR Code In EMail Using EMail Token
6         Sends Password And QR Code Verification Data
7         Receives Email Identity Token

EMail Identity Token

  • An EMail Identity Token is comprised of a Login Token linked to the user's email address. The Login Token is used in conjunction with the user's password to retrieve pre-authentication data and asymmetric shared keys from the HexaEight Platform. Even if the Login Token is stolen, it does not pose any security threat without the user's password.

  • The HexaEight Platform does not store user passwords. Instead, it uses the user's password only to generate a Login Token, which helps the platform generate asymmetric shared keys for different destinations in the future for that user.

Passwords

  • The HexaEight Authenticator Mobile App is designed not to store passwords associated with EMail Identity Tokens. Therefore, it is the responsibility of the user to remember the password associated with the EMail Identity Token.

  • When the user enters a password in the Mobile Application, the password is stored in memory until the application is terminated. The app can be pushed to the background, allowing the user to authenticate multiple times without re-entering the password every time.

  • However, if the user forgets the password, the EMail Identity Token becomes unusable, and the user will need to generate a new token.


HexaEight Resource Identity Tokens

HexaEight Resource Identity Tokens are the core of the HexaEight Authentication system, providing a unique identity for machines, devices, and systems. They can also be assigned to any processes, functions, or objects that have the capability to securely store a password and use HexaEight encryption libraries. These tokens are essential for authenticating and authorizing various entities, such as users, machines, and devices.

Resource Identity Generation

To generate a HexaEight Resource Identity Token, the user must already have an Email Identity Token generated.

sequenceDiagram
    actor Alice
    participant HexaEight Mobile App
    participant HexaEight Platform
    Alice->>HexaEight Mobile App: (A)
    HexaEight Mobile App-->>Alice: (B)
    HexaEight Mobile App->>HexaEight Platform: (C)
    HexaEight Platform-->>HexaEight Mobile App: (D)
    HexaEight Mobile App->>HexaEight Platform: (E)
    HexaEight Platform-->>HexaEight Mobile App: (F)
    HexaEight Mobile App-->>Alice: (G)

Caption   Description
A         Sets Password For The EMail Vault And Chooses To Create A New Resource
B         Confirms Resource Type (Domain/Generic) And Confirms The EMail Address To Be Used
C         Requests Asymmetric Shared Key Of HexaEight Platform
D         Responds With Asymmetric Shared Key
E         Encrypts Request For New Resource Using User Password And Asymmetric Shared Key
F         Decrypts The Request And Responds With New Encrypted Resource Identity Token
G         Decrypts Resource Token Using User Password And HexaEight Platform Key And Saves The Resource Login Token In The Mobile