Introduction

Before we begin, we would like to highlight the components that are required for integrating HexaEight Authentication on its own, without HexaEight Sessions (which additionally provides Tokenless Authentication with Application Layer Encryption).

  • HexaEight Token Server (With License)
  • Customer Application Server
  • User With HexaEight Authenticator Mobile App

HexaEight provides unlimited authentication for any number of users under the HexaEight Token Server License.

Components

We showcase how HexaEight authentication can be integrated with your Application for most use cases. Our system uses a unique approach of authenticating the user by means of a one-time access code.

| Component | Description |
| --- | --- |
| User (U) | The end-user interacting with your Application |
| Customer Server (CS) | Handles session code generation, JWT/cookie creation (if required) and access code verification |
| HexaEight Token Server (HS) | Manages user authentication, generates access codes from session codes, and saves the access code prefix, suffix and hash for verification by the Customer Server |
| Local Storage, FileShare or S3 (S) | Used for storing session codes and the access code prefix, suffix and hash |

Authentication Flow

```mermaid
%%{init: { 'theme': 'forest' } }%%
sequenceDiagram
    participant User as User (U)
    participant CustomerServer as Customer Server (Application) (CS)
    participant LocalStorage as Local Storage (Or S3 Or FileShare) (S)
    participant AuthServer as HexaEight Server (Authorization) (HS)
    CustomerServer->>LocalStorage: Generate and store session code
    CustomerServer->>User: Displays Session Code to User
    User->>AuthServer: Initiate login using session code
    AuthServer->>AuthServer: Authenticate user in Mobile App
    AuthServer->>LocalStorage: Retrieve session code
    AuthServer->>AuthServer: Generate one-time access code
    AuthServer->>LocalStorage: Store access code prefix and suffix along with access code hash
    AuthServer-->>User: Securely return one-time access code using HexaEight Patent Pending Encryption via HexaEight Authenticator Mobile App
    CustomerServer-->>User: Enter one-time access code
    User->>CustomerServer: Reveals one-time access code
    CustomerServer->>LocalStorage: Retrieve access code prefix and suffix
    CustomerServer->>CustomerServer: Validates access code using prefix and suffix and compares with access code hash
    alt Valid access code
        CustomerServer->>CustomerServer: Generate and sign JWT
        CustomerServer-->>User: Login successful
    else Invalid access code
        CustomerServer-->>User: Authentication failed
    end
```

  1. Session Initialization:

    • The Customer Server (CS) generates a session code and stores it in Storage (S) together with the hash of the user's email address.
    • The Application displays the session code to the User (U).
  2. User Generates One-Time Access Code:

    • The User, already authenticated in the HexaEight Mobile App, contacts the HexaEight Authorization Server (HS) and enters the session code to obtain an access code in the mobile application.
    • The HexaEight Authorization Server (HS) saves the one-time access code prefix and suffix, together with the complete hash value Hash(prefix + one-time-access-code + suffix), in Storage (S) under that session code. Only the prefix, suffix and hash are stored; the access code itself is delivered to the mobile app.
  3. User Authentication:

    • The User (U) enters the one-time access code in the Application (Step a).
    • The Customer Server (CS) retrieves the prefix, suffix and complete hash stored for the session code from Storage (Step b).
    • The Customer Server (CS) computes Hash(prefix + one-time-access-code + suffix) from the access code entered by the user (Step c).
    • The Customer Server (CS) compares this computed hash with the complete hash retrieved in Step b.
    • If the two hash values match, the user authentication is successful.
    • If they do not match, the authentication is unsuccessful.
    • Because CS accepts whatever prefix, suffix and hash it finds in Storage for a session code, write access to Storage (S) must be restricted to CS and HS. CS should also treat the access code as genuinely one-time: invalidate the session code after the first verification attempt, and use a constant-time comparison for the hash check.
  4. Post Authentication (Optional)

    • Upon successful authentication the Customer Server (CS) can generate a JWT using its own secret key, set HTTPS-only secure cookies, or implement any other post-login logic.
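The four steps above as an added, runnable simulation in Python. This is example code written for this page, not HexaEight's own implementation, and it stands in for all three parties with an in-memory dict as Storage (S). Everything the page leaves unspecified is an assumption here: SHA-256 as the hash, an 8-digit access code, 16-byte random prefix and suffix, a 300-second session lifetime, the check that the session's stored email hash matches the user authenticated in the mobile app, and a stdlib HS256 JWT for the optional Step 4.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

# Storage (S), shared by the Customer Server (CS) and the HexaEight Server (HS).
# Assumed here to be a dict keyed by session code; in deployment it is the local
# store, file share or S3 bucket that only CS and HS may write to.
STORAGE: dict = {}
SESSION_TTL = 300  # seconds; assumed value, the page gives no lifetime


def _now(now):
    return time.time() if now is None else now


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def email_hash(email: str) -> str:
    return hashlib.sha256(email.strip().lower().encode()).hexdigest()


def complete_hash(prefix: str, access_code: str, suffix: str) -> str:
    """Hash(prefix + one-time-access-code + suffix); SHA-256 is an assumption."""
    return hashlib.sha256((prefix + access_code + suffix).encode()).hexdigest()


# ---- Customer Server (CS) ----------------------------------------------------
def cs_create_session(email: str, store=STORAGE, now=None) -> str:
    """Step 1: generate a session code and store it with the user's email hash."""
    session_code = secrets.token_urlsafe(9)
    store[session_code] = {"email_hash": email_hash(email),
                           "created": _now(now), "used": False}
    return session_code


def cs_verify_access_code(session_code: str, access_code: str,
                          store=STORAGE, now=None) -> bool:
    """Step 3: recompute the hash from the code the user typed and compare it
    with the hash HS left in Storage. The session is burned on the first
    attempt, pass or fail, so a short numeric code cannot be guessed by retrying."""
    rec = store.get(session_code)
    if rec is None or rec["used"] or "hash" not in rec:
        return False
    rec["used"] = True
    if _now(now) - rec["created"] > SESSION_TTL:
        return False
    computed = complete_hash(rec["prefix"], access_code, rec["suffix"])
    return hmac.compare_digest(computed, rec["hash"])  # constant-time compare


def cs_issue_jwt(email: str, secret: bytes, now=None, ttl: int = 3600) -> str:
    """Step 4 (optional): HS256 JWT signed with the Customer Server's own secret."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"},
                                separators=(",", ":")).encode())
    iat = int(_now(now))
    payload = _b64url(json.dumps({"sub": email_hash(email), "iat": iat,
                                  "exp": iat + ttl}, separators=(",", ":")).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


# ---- HexaEight Server (HS) ---------------------------------------------------
def hs_issue_access_code(session_code: str, authenticated_email: str,
                         store=STORAGE) -> str:
    """Step 2: once the user is authenticated in the mobile app, mint a one-time
    access code and write only its prefix, suffix and hash to Storage. Checking
    the session's email hash against the authenticated user is an assumption;
    the page stores that hash but does not say who checks it."""
    rec = store.get(session_code)
    if rec is None or "hash" in rec:
        raise ValueError("unknown or already used session code")
    if not hmac.compare_digest(rec["email_hash"], email_hash(authenticated_email)):
        raise ValueError("session code was issued for a different user")
    access_code = f"{secrets.randbelow(10 ** 8):08d}"  # assumed 8-digit format
    prefix, suffix = secrets.token_hex(16), secrets.token_hex(16)
    rec.update(prefix=prefix, suffix=suffix,
               hash=complete_hash(prefix, access_code, suffix))
    return access_code  # delivered to the user's mobile app only, never stored


def demo() -> bool:
    """End-to-end run of the flow against a fresh, isolated store."""
    store = {}
    code = cs_create_session("alice@example.com", store)
    otp = hs_issue_access_code(code, "alice@example.com", store)
    return cs_verify_access_code(code, otp, store)


if __name__ == "__main__":
    print("Login successful" if demo() else "Authentication failed")
```

Two design choices worth noting: `cs_verify_access_code` marks the session used before it checks anything else, so a wrong guess consumes the session and the real code can no longer be replayed; and HS refuses a session code that already carries a hash, so a second login attempt against the same session code has to start over at Step 1.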

Benefits of using HexaEight Authentication:

  1. Complete control of the authentication process.
  2. Can be implemented in scenarios where the client does not have access to a browser.
  3. Highly secure, since the HexaEight Authorization Server and the Customer Server are coupled and controlled by the Customer (you).
  4. User registration, sign-ups, sending email verification links and storing user passwords can all be avoided, saving significant cost.
  5. No database requirement in the HexaEight Authorization Server, since the HexaEight Platform manages users directly.
  6. User passwords and resets in the HexaEight Mobile Application are handled directly by HexaEight.
  7. The HexaEight Authorization Server (HS) can run even over plain HTTP, since it uses the HexaEight patent-pending encryption process to securely deliver the one-time access code to the mobile application. The Customer Server's own endpoints, where the session code is displayed and the access code is entered, should still be served over HTTPS.
  8. The HexaEight Authorization Server (HS) can authenticate users belonging to any domain, including external domains such as Gmail, Facebook and others, without using social logins.

Summary

This custom authentication system provides a secure, integrated approach to user authentication and session management, since it uses a unique approach involving a one-time access code for user authentication.