User Authentication

In the previous section, we discussed the fundamentals of machine-to-machine authentication. In this section, we'll delve into the process of user authentication, which involves verifying the identity of users who are interacting with applications, systems, and machines.

When it comes to user authentication, HexaEight Platform follows a more involved process than it does for machine-to-machine authentication. For users, EMail Login Tokens are issued exclusively through the official HexaEight Authenticator Mobile App. They cannot be generated outside the app, because doing so would open the potential for bad actors to misuse the tokens for malicious purposes.

HexaEight Sessions Introduction

To facilitate user authentication within applications and systems, we have introduced a new concept called HexaEight Sessions.

HexaEight Sessions are an integral part of user authentication in applications and systems. They are built around two main components:

  1. Generic Resource Identity Login Token
  2. User Authentication Key

When a user requests authentication in an application outside the official mobile app, the application first generates a random password. The user then chooses a Generic Resource Identity; the random password is assigned to that identity in order to generate a Login Token for the client application. Afterward, the user authorizes the resource identity token using his or her EMail identity token. Upon authorization, HexaEight Platform issues the following to the requesting application:

  a. A Login Token associated with the Generic Resource Identity
  b. A User Authentication Key associated with the user's EMail address
  c. A set of other asymmetric shared keys required to contact the Authorization Server as well as HexaEight Platform

These three components are bundled into a JWT, which is then issued to the client application. This JWT is referred to as a HexaEight Session. A HexaEight Session enables the application to interact directly with other resources, systems and machines as the logged-in user: when a request to a destination is encrypted, the User Authentication Key is combined with the asymmetric shared key of that destination. In other words, the User Authentication Key allows a Generic Resource Identity to act as (impersonate) the user within the HexaEight Session. Because the session carries the keys that let an application act as the user, it must be stored and transmitted as a secret, like any other bearer credential.


HexaEight Session Generation Step By Step

  • Step 1

    %%{init: { 'theme': 'forest' } }%%
    sequenceDiagram
        participant Alice as Alice
        participant HMA as HexaEight Mobile App
        participant CA as Client Application
        Alice->>HMA: Enters Password For an EMail Vault
        Alice->>CA: Invokes and Enters EMail Address

  • Step 2

    %%{init: { 'theme': 'forest' } }%%
    sequenceDiagram
        participant CA as Client Application
        participant HP as HexaEight Platform
        CA->>HP: Generates Random Password, Sends Random Password
        HP-->>CA: Sends QR Authorization Code

  • Step 3

    %%{init: { 'theme': 'forest' } }%%
    sequenceDiagram
        participant HMA as HexaEight Mobile App
        participant CA as Client Application
        HMA->>CA: Scans The QR Code Using Resource Identity Token
        HMA->>CA: Authorizes QR Code Using An EMail Identity Token

  • Step 4

    %%{init: { 'theme': 'forest' } }%%
    sequenceDiagram
        participant HMA as HexaEight Mobile App
        participant CA as Client Application
        participant HP as HexaEight Platform
        HMA->>HP: Sends QR Code Authorization Request
        HP-->>CA: Generates And Sends HexaEight Session

HexaEight Session Generation Process

    %%{init: { 'theme': 'forest' } }%%
    sequenceDiagram
        participant Alice as Alice
        participant HMA as HexaEight Mobile App
        participant CA as Client Application
        participant HP as HexaEight Platform
        Alice->>HMA: Enters Password For an EMail Vault
        Alice->>CA: Invokes and Enters EMail Address
        CA->>HP: Generates Random Password, Sends Random Password
        HP-->>CA: Sends QR Authorization Code
        HMA->>CA: Scans The QR Code Using Resource Identity Token
        HMA->>CA: Authorizes QR Code Using An EMail Identity Token
        HMA->>HP: Sends QR Code Authorization Request
        HP-->>CA: Generates And Sends HexaEight Session
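The four steps above, played end to end as an added mock in Python. This is illustration code written for this page, not HexaEight's own code or API: the JWT claim names, the HS256 signature, the key derivations, the QR code lifetime and the identities (alice@example.com, app.example.com/web-client) are all constructed stand-ins, and the mobile app's Resource Identity Token and EMail Identity Token are reduced to plain identifiers. What the mock does show is the checks each party owes the flow: the client generates the random password from a CSPRNG, the platform consumes a QR authorization code on first use so a replayed authorization fails, and the client verifies the session's signature and its binding to the login request it actually started before trusting it.

```python
# Added mock of the session flow; not HexaEight's code. All names and values are stand-ins.
import base64
import hashlib
import hmac
import json
import secrets
import time

PLATFORM_KEY = b"mock-platform-signing-key"  # hypothetical stand-in for the platform signing key
QR_TTL_SECONDS = 120  # hypothetical lifetime of a QR authorization code

def _b64u(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64u_dec(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign_jwt(claims: dict, key: bytes) -> str:
    """Minimal HS256 JWT encoder standing in for the platform's real signer."""
    header = _b64u(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    body = _b64u(json.dumps(claims, separators=(",", ":")).encode())
    tag = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64u(tag)}"

def verify_jwt(token: str, key: bytes) -> dict:
    """Check the signature before trusting any claim in the session."""
    header, body, tag = token.split(".")
    expected = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64u_dec(tag)):
        raise ValueError("session signature does not verify")
    return json.loads(_b64u_dec(body))

def _request_id(random_password: str) -> str:
    return hashlib.sha256(random_password.encode()).hexdigest()

class MockPlatform:  # stands in for HexaEight Platform
    def __init__(self):
        self.pending = {}  # qr_code -> (random_password, expiry)

    def issue_qr_code(self, random_password: str) -> str:  # Step 2
        qr_code = secrets.token_urlsafe(16)
        self.pending[qr_code] = (random_password, time.time() + QR_TTL_SECONDS)
        return qr_code

    def authorize(self, qr_code: str, resource_identity: str, email: str) -> str:  # Step 4
        # Single use: the code is consumed here, so a replayed authorization fails.
        entry = self.pending.pop(qr_code, None)
        if entry is None:
            raise PermissionError("unknown or already-used QR code")
        random_password, expiry = entry
        if time.time() > expiry:
            raise PermissionError("QR code expired")
        login_material = f"login:{resource_identity}:{random_password}".encode()
        claims = {  # the three session components, as mock values
            "sub": email,
            "res": resource_identity,
            "req": _request_id(random_password),  # binds the session to the client's request
            "login_token": _b64u(hmac.new(PLATFORM_KEY, login_material, hashlib.sha256).digest()),
            "user_auth_key": _b64u(secrets.token_bytes(32)),
            "shared_keys": {"authorization_server": _b64u(secrets.token_bytes(32)),
                            "hexaeight_platform": _b64u(secrets.token_bytes(32))},
        }
        return sign_jwt(claims, PLATFORM_KEY)

class MockClientApp:  # the application requesting authentication on the user's behalf
    def __init__(self, platform: MockPlatform):
        self.platform, self.email, self.random_password = platform, None, None

    def start_login(self, email: str) -> str:  # Steps 1 and 2
        self.email = email
        self.random_password = secrets.token_urlsafe(32)  # CSPRNG, fresh per login attempt
        return self.platform.issue_qr_code(self.random_password)

    def accept_session(self, session_jwt: str) -> dict:
        claims = verify_jwt(session_jwt, PLATFORM_KEY)  # mock: client holds the verification key
        if claims["req"] != _request_id(self.random_password) or claims["sub"] != self.email:
            raise ValueError("session is not bound to this login request")
        return claims  # handle as a secret: it carries the keys that act as the user

def mobile_app_authorize(platform: MockPlatform, qr_code: str, resource: str, email: str) -> str:
    # Steps 3 and 4: the Authenticator app scans the code with a Resource Identity Token and
    # authorizes it with the EMail Identity Token; here both are reduced to plain identifiers.
    return platform.authorize(qr_code, resource, email)

def run_flow(email="alice@example.com", resource="app.example.com/web-client"):
    platform = MockPlatform()
    client = MockClientApp(platform)
    qr_code = client.start_login(email)
    session_jwt = mobile_app_authorize(platform, qr_code, resource, email)
    return client.accept_session(session_jwt), qr_code, platform

def replay_rejected(platform: MockPlatform, qr_code: str) -> bool:
    """A second authorization with an already-used QR code must fail."""
    try:
        platform.authorize(qr_code, "attacker.example/resource", "mallory@example.com")
    except PermissionError:
        return True
    return False
```

`run_flow()` returns the accepted session claims together with the consumed QR code, and `replay_rejected()` shows that presenting that code again, even for a different user and resource, is refused. In a real deployment the client would verify the platform's signature with the platform's public key rather than a shared secret, and the claim layout would be whatever the platform actually issues; the checks (signature first, then binding to the request and the user who started it) are the part worth carrying over.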

Applications can use a HexaEight Session to request the asymmetric shared keys of other users, domains or Generic Resources. A shared key obtained through such a request is referred to as a Client Token.

Summary

A HexaEight Session is a JWT bundled by HexaEight Platform and issued to a client application that requests authorization on behalf of the user.

A HexaEight Session consists of three components:

  • A Login Token associated with the Generic Resource Identity Token
  • A User Authentication Key associated with the EMail Identity Token
  • A set of other asymmetric shared keys required to contact the Authorization Server as well as HexaEight Platform

An asymmetric shared key fetched with a HexaEight Session is also referred to as a Client Token.