# User Authentication

In the previous section, we discussed the fundamentals of machine-to-machine authentication. In this section, we'll delve into the process of user authentication, which involves verifying the identity of users who are interacting with applications, systems, and machines.

When it comes to user authentication, HexaEight Platform follows a more involved process than machine-to-machine authentication. For users, EMail Login Tokens are issued exclusively through our official HexaEight Authenticator Mobile App. It is not possible to generate EMail Login Tokens outside the app, because doing so would open up the potential for bad actors to misuse the tokens for malicious purposes.

To facilitate user authentication within applications and systems, we have introduced a new concept called HexaEight Sessions.

HexaEight Sessions are an integral part of user authentication in applications and systems, and consist of two main components:

  1. Generic Resource Identity Login Token
  2. User Authentication Key

When a user requests authentication in an application outside the official mobile app, the application first generates a random password. The user then chooses a Generic Resource Identity to which this random password is assigned, so that a Login Token can be generated for the Client Application. Afterward, the user authorizes the resource identity token using his/her EMail identity token. Upon authorization, HexaEight Platform issues the following to the requesting application:

  1. Login Token associated with the Generic Resource Identity
  2. A User Authentication Key associated with the User EMail Address
  3. A Set Of Other Asymmetric Shared Keys required to contact the Authorization Server as well as HexaEight Platform.

These three components are bundled into a JWT token, which is then issued to the Client Application. This JWT token is referred to as a HexaEight Session. HexaEight Sessions enable direct interaction with other Resources, systems, and machines as the logged-in user. To achieve this, the User Authentication Key is combined with the asymmetric shared key of the destination when encrypting requests to that destination. In other words, a User Authentication Key allows a Generic Resource Identity to impersonate the user within a HexaEight Session.

## Step 1

```mermaid
%%{init: { 'theme': 'forest' } }%%
sequenceDiagram
    actor Alice
    participant HMA as HexaEight Mobile App
    participant CA as Client Application
    Alice->>HMA: Enters Password For an EMail Vault
    Alice->>CA: Invokes and Enters EMail Address
```

## Step 2

```mermaid
%%{init: { 'theme': 'forest' } }%%
sequenceDiagram
    participant CA as Client Application
    participant HP as HexaEight Platform
    CA->>HP: Generates Random Password, Sends Random Password
    HP-->>CA: Sends QR Authorization Code
```

## Step 3

```mermaid
%%{init: { 'theme': 'forest' } }%%
sequenceDiagram
    participant HMA as HexaEight Mobile App
    participant CA as Client Application
    HMA->>CA: Scans The QR Code Using Resource Identity Token
    HMA->>CA: Authorizes QR Code Using An EMail Identity Token
```

## Step 4

```mermaid
%%{init: { 'theme': 'forest' } }%%
sequenceDiagram
    participant HMA as HexaEight Mobile App
    participant CA as Client Application
    participant HP as HexaEight Platform
    HMA->>HP: Sends QR Code Authorization Request
    HP-->>CA: Generates And Sends HexaEight Session
```

The complete flow, with all four steps in one diagram:

```mermaid
%%{init: { 'theme': 'forest' } }%%
sequenceDiagram
    actor Alice
    participant HMA as HexaEight Mobile App
    participant CA as Client Application
    participant HP as HexaEight Platform
    Alice->>HMA: Enters Password For an EMail Vault
    Alice->>CA: Invokes and Enters EMail Address
    CA->>HP: Generates Random Password, Sends Random Password
    HP-->>CA: Sends QR Authorization Code
    HMA->>CA: Scans The QR Code Using Resource Identity Token
    HMA->>CA: Authorizes QR Code Using An EMail Identity Token
    HMA->>HP: Sends QR Code Authorization Request
    HP-->>CA: Generates And Sends HexaEight Session
```
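The four-step exchange above, and the three-component session bundle described earlier in this section, modelled as a runnable simulation. This is an added example, not HexaEight's own code, wire format or cryptography: the claim names, the HS256-signed JWT, the HMAC-based "QR authorization proof" made by the mobile app, and the demo keys are all assumptions chosen so that the Client Application, HexaEight Mobile App and HexaEight Platform roles can each be exercised offline. What it shows beyond the prose is the two checks the real platform must make before minting a session (that the QR code is its own and that the email identity really authorized it), and the checks a client should make on the session it receives (signature, expiry, presence of all three components) before trusting it.

```python
"""Simulation of the four-step HexaEight Session issuance flow.

Added example, not HexaEight's code. Claim names, HS256 signing, the
authorization proof and all keys are constructed assumptions.
"""
import base64
import hashlib
import hmac
import json
import secrets
import time

# Constructed demo secrets. In a real deployment the client would verify
# sessions with the platform's public key rather than share a symmetric key.
PLATFORM_SIGNING_KEY = b"demo-platform-signing-key"   # signs QR codes and sessions
EMAIL_IDENTITY_KEY = b"demo-alice-email-vault-key"    # unlocked by Alice in Step 1
SESSION_TTL_SECONDS = 3600


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _mac(key: bytes, msg: str) -> str:
    return hmac.new(key, msg.encode(), hashlib.sha256).hexdigest()


# Step 2, client side: a fresh, unguessable random password per request.
def client_generate_random_password() -> str:
    return secrets.token_urlsafe(32)


# Step 2, platform side: a QR authorization code bound to the password hash,
# the chosen Generic Resource Identity, and a nonce, authenticated by the platform.
def platform_issue_qr_code(random_password: str, resource_identity: str) -> str:
    payload = {"pwd_hash": hashlib.sha256(random_password.encode()).hexdigest(),
               "resource": resource_identity, "nonce": secrets.token_hex(8)}
    body = b64url(json.dumps(payload, sort_keys=True).encode())
    return f"{body}.{_mac(PLATFORM_SIGNING_KEY, body)}"


# Step 3, mobile app: authorize the scanned QR code with the EMail identity
# (modelled here as an HMAC under the email vault key; an assumption).
def mobile_app_authorize(qr_code: str, email: str) -> dict:
    return {"qr_code": qr_code, "email": email,
            "proof": _mac(EMAIL_IDENTITY_KEY, qr_code + email)}


# Step 4, platform: verify both the QR code and the authorization, then bundle
# the three session components into a JWT for the Client Application.
def platform_issue_session(auth_request: dict, now: int = None) -> str:
    body, tag = auth_request["qr_code"].split(".")
    if not hmac.compare_digest(tag, _mac(PLATFORM_SIGNING_KEY, body)):
        raise ValueError("QR code was not issued by the platform")
    expected_proof = _mac(EMAIL_IDENTITY_KEY, auth_request["qr_code"] + auth_request["email"])
    if not hmac.compare_digest(auth_request["proof"], expected_proof):
        raise ValueError("EMail identity did not authorize this QR code")
    qr = json.loads(b64url_decode(body))
    now = int(time.time()) if now is None else now
    claims = {
        # Login Token for the Generic Resource Identity, derived from the random
        # password the client assigned to it (derivation is an assumption).
        "login_token": _mac(PLATFORM_SIGNING_KEY, qr["pwd_hash"] + qr["resource"]),
        # User Authentication Key bound to the user's EMail address.
        "user_auth_key": b64url(secrets.token_bytes(32)),
        # Asymmetric shared keys (Client Tokens) for the Authorization Server and the Platform.
        "client_tokens": {"authz_server": b64url(secrets.token_bytes(32)),
                          "platform": b64url(secrets.token_bytes(32))},
        "resource": qr["resource"], "sub": auth_request["email"],
        "iat": now, "exp": now + SESSION_TTL_SECONDS,
    }
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url(json.dumps(claims, sort_keys=True).encode())
    sig = hmac.new(PLATFORM_SIGNING_KEY, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url(sig)}"


# Client side: do not use a session until signature, expiry and all three components check out.
def client_verify_session(session_jwt: str, now: int = None) -> dict:
    header, payload, sig = session_jwt.split(".")
    expected = hmac.new(PLATFORM_SIGNING_KEY, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(b64url_decode(sig), expected):
        raise ValueError("bad session signature")
    claims = json.loads(b64url_decode(payload))
    now = int(time.time()) if now is None else now
    if claims["exp"] <= now:
        raise ValueError("session expired")
    for required in ("login_token", "user_auth_key", "client_tokens"):
        if required not in claims:
            raise ValueError(f"session missing {required}")
    return claims


def run_flow(email: str = "alice@example.com", resource: str = "generic-resource-1") -> dict:
    """Drive Steps 2 to 4 end to end and return the verified session claims."""
    pwd = client_generate_random_password()
    qr = platform_issue_qr_code(pwd, resource)
    request = mobile_app_authorize(qr, email)
    session = platform_issue_session(request)
    return client_verify_session(session)


if __name__ == "__main__":
    print(json.dumps(run_flow(), indent=2))
```

Running the module prints the verified claims of one session. The `ValueError` paths are the ones worth keeping in mind when integrating with the real platform: a forged or replayed QR code, an authorization proof that does not match the email identity, and an expired or tampered session must all be rejected rather than partially honoured.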
## Summary

A HexaEight Session is a JWT token bundled by HexaEight Platform and issued to the Client Application requesting authorization on behalf of the user.

HexaEight Sessions consist of three components:

  • Login Token associated with the Generic Resource Identity Token
  • A User Authentication Key associated with EMail Identity Token
  • A Set Of Other Asymmetric Shared Keys required to contact the Authorization Server as well as HexaEight Platform.

An Asymmetric Shared Key fetched through a HexaEight Session is also referred to as a Client Token.