DEV Community

lyc233333
lyc233333

Posted on

Hongmeng Next distributed authentication: the secret of "sensitivity-free travel" across devices🔑

Hi~ I am Xiao L!In Hongmeng's distributed world, user authentication is like a "one-card" - after mobile phone authentication, tablets, car machines and other devices can "pass through sensorlessly".Today I will talk about how Hongmeng makes cross-device authentication fast and safe~

1. The "two major problems" of distributed authentication🤯

Scene pain points

  1. The state between devices is not synchronized
  2. Example: The phone logs into the smart home app, but the speaker requires a password to be entered again

  3. Consequences: User experience is split, and even misjudgment of permissions

  4. Cross-device trust risk

  5. Example: Hacker forged the identity of device A and tried to obtain user data through device B

  6. Consequence: Data breach, system attack

2. Hongmeng’s “Three Skills” solution🚀

(I) Distributed database: "safe" for authentication information

Core logic:

  • The device of the same user forms a "certification group" (such as mobile phone + tablet + car machine)
  • The authentication status is synchronized to all devices in the group in real time
  • Sensitive data (such as fingerprint templates) are stored encrypted and scattered across different devices

Code Example: Status Synchronization

import distributedDB from '@ohos.distributedDB';

// The user logged in successfully on his mobile phone
async function loginSuccess(userId: string) {
  const group = await distributedDB.getGroup('user_auth_group');
await group.put('auth_status', 'valid'); // Write to authentication status
await group.sync(); // Synchronize to all devices in the group
}

// Check the certification status of the vehicle terminal
async function checkAuth() {
  const group = await distributedDB.getGroup('user_auth_group');
  return group.get('auth_status') === 'valid';
}
Enter fullscreen mode Exit fullscreen mode

(II) Soft bus security channel: "encrypted express delivery" of certified data

Transfer Process:

  1. ** Device mutual identity verification**: Exchange digital certificates (similar to ID cards)
  2. Dynamic key encryption: Generate a unique key for each communication to prevent interception
  3. Bi-way verification data: Sender's signature + receiver's signature verification, tamper-proof

Critical Code: Secure Communication

import distributedBus from '@ohos.distributedBus';

// Send authentication tokens to the car computer
async function sendTokenToCar(deviceId: string, token: string) {
  const session = await distributedBus.createSession(deviceId);
// Encrypt the token with the device public key
  const encryptedToken = await crypto.encryptWithPublicKey(token, devicePublicKey);
  await session.send(encryptedToken);
  session.close();
}

// The vehicle machine receives and decrypts
async function receiveToken() {
  const session = await distributedBus.acceptSession();
  const encryptedToken = await session.recv();
// Decrypt with private key
  const token = await crypto.decryptWithPrivateKey(encryptedToken, localPrivateKey);
return verifyToken(token); // Verify the validity of the token
}
Enter fullscreen mode Exit fullscreen mode

(III) Group authentication strategy: Flexible "passing rules"

Tracking Certification Example:
| Device Type | Authentication Method | Permissions within the Group |
|------------|-------------------|------------------|

| Mobile phone | Fingerprint + password (strong authentication) | Other devices can be authorized |
| Tablet | Device lock screen password (weak authentication) | Inheriting mobile phone permissions |
| Smart speakers | Voiceprint recognition (medium certification) | Basic operations are allowed only |

Logical implementation:

// Determine the safety level of the equipment
function getDeviceSecurityLevel(deviceType: string): number {
  switch(deviceType) {
case 'phone': return 3; // The highest level
    case 'tablet': return 2;
    case 'smartSpeaker': return 1;
  }
}

// Dynamically adjust the certification process
async function adaptAuthFlow(deviceId: string) {
  const level = getDeviceSecurityLevel(await getDeviceType(deviceId));
  if (level >= 2 && isGroupAuthenticated()) {
return 'skip'; // Unsecured authentication
  } else {
return 'full'; // Complete certification process
  }
}
Enter fullscreen mode Exit fullscreen mode

3. Practical scenario: "cross-device office" certification optimization💼

Scene Description

  • Users use fingerprint to log in to the enterprise OA system on their mobile phone
  • Automatically inherit login status when switching to tablet editing documents
  • When using a colleague's computer temporarily, secondary verification is required (such as SMS verification code)

Key implementation steps

  1. Mobile login:
  2. Complete fingerprint + password authentication and generate short-term tokens (valid for 30 minutes)

  3. Token encrypted storage to distributed database and synchronized to tablet

  4. Tablet Access:

  5. Detected that there is a valid token in the local area and release it directly

  6. Record operation log: User A edits documents on the tablet at 14:20

  7. College's computer access:

  8. The device is not in the authentication group, triggering secondary verification

  9. The mobile phone receives a verification code request, and after entering it, it generates a temporary token (valid for 5 minutes)

4. "Balance technique" of safety and efficiency ⚠️

1. Data Minimization Principle

  • No original password is stored, only hash value (salt processing)
  • Local encrypted storage of biometric data, not uploaded to the cloud

2. Dynamic risk perception

  • Monitor abnormal login: off-site equipment, high-frequency authentication failed
  • Automatically trigger strong authentication: If you require fingerprint verification after 3 consecutive weak authentication failures

3. Privacy Protection Design

  • Users can clear group authentication data at any time
  • After the device exits the group, the local authentication information will be automatically deleted

5. Future trend: "Insensitivity Evolution" of Certification🚀

  1. Behavior authentication: Automatically identify users through typing rhythm and gesture habits
  2. Quantum encryption authentication: Using quantum key distribution technology to achieve absolutely secure authentication communication
  3. Environmental Perception Authentication: Automatically adjust the authentication strength according to geographical location and device connection relationship

Summary: The "golden formula" of distributed authentication📝

Certification experience = (Simultaneous speed across devices × Security level) ÷ User operation cost

  • Core goal: Let trusted devices "pass through sensorlessly", suspicious devices "verify layer by layer"
  • Development points: Prioritize the use of distributed database synchronization status, and make good use of soft bus encryption channels

Top comments (0)