User Authentication Security: "Three-Level Anti-Theft Door" from Password to Biometrics

Hello everyone!I am Xiao L, the female programmer who "builds a wall and builds a fortress" on the security battlefield of user authentication~ Recently, I studied the authentication mechanism of HarmonyOS Next and found that it is like installing a "triple anti-theft door" for the user's identity - password, biometrics, and multi-factor authentication to increase the code layer by layer.Today I will show you how Hongmeng made hackers "unable to pry the door" ~

1. "Foundation Engineering" for Authentication and Security: Encryption and Storage

(I) Data transmission: "Wear a bulletproof vest" for the password

SSL/TLS "Tunneling" When you enter your password, it will be "packaged and encrypted" first and then sent to the "SSL/TLS secure tunnel".Just like a courier delivers confidential documents, there are bodyguards escorting them all along the way. Even if they are robbed, the robbers cannot open the box with passwords~

// Pseudocode: Encrypted transmission password
async function Login (Account: string, password: string) {
const encryption password = await tls.encrypt(password); // Encrypt with TLS
const response = await fetch('https://api.login', {
           method: 'POST',
body: JSON.stringify({ Account, Password: Encryption Password })
       });
return await response.json();
   }

** Hashing salt: "Smashing" of password storage** What is stored in the database is not the password, but the "shredded paper" (hash value) of the password, and also the "seasoning" (salt value).For example, the password is "123456", the salt value is "!@#xyz", and the storage is "SHA-256(123456!@#xyz)" - even if the hacker gets shredded paper, he can't copy it back to the original image~

// Add salt hash example
const salt value = crypto.randomBytes(16).toString('hex'); // Random salt generation
const hash password = crypto.createHash('sha256')
.update(password + salt value)
       .digest('hex');

(II) Sensitive data storage: put into "underground vault"

TEE Trusted Execution Environment Fingerprints and face data exist in TEE, which is a hardware-level "underground vault" that cannot even enter the system core.It's like locking a diamond into a bank safe, only a specific program with a key can be opened~

// TEE storage logic (abstract description)
TEE.write('fingerprint_template', fingerprint data, {
       accessControl: {
allowApps: ['com.huawei.security'], // Only allow secure app access
denyRoot: true // prohibit root user from reading
       }
   });

Server-side "safe" The server database is encrypted with AES-256, and you need to access it through "triple access control": IP whitelist + database account password + dynamic token.Just like entering a bank vault, you have to scan your face + password + key card, and you can't do it.

2. Certification process: "combination punch" to pry the door when preventing thieves

(I) Prevent attacks from man-in-the-middle: "verify the correct person" for communication

Certificate Chain Verification After the client receives the server certificate, it will start to "check the family tree" from the root certificate: Is this certificate issued by an authoritative organization?Expired?Just like when a courier delivers goods, he first checks his ID card + work permit + letter of introduction, and only after the three certificates are complete can the door be opened~

// Certificate verification logic
function verification certificate (certificate: X509Certificate) {
const root certificate = trustStore.getRootCertificates();
return certificate.verifyChain(root certificate); // Check whether the certificate chain is trustworthy
   }

ECDH key exchange The client and the server use the elliptic curve algorithm "air-to-air code", each generating public/private keys and negotiated a shared key.Even if a hacker monitors the conversation, he can only hear "Mars text" and cannot calculate the correct secret code.

// Key exchange simplifies the process
Client generation (public key A, private key A) → Send public key A to the server
Server generation (public key B, private key B) → Send public key B to client
Client calculates shared key = private key A + public key B
Server calculates shared key = private key B + public key A
// The shared keys of the two are consistent, and hackers cannot deduce

(2) Multi-factor certification: "Three-fold door lock" prevents breakthroughs

Password + Fingerprint: "Key + Fingerprint Lock" combination Enter your password (you know) + fingerprint verification (you have), double insurance.Just like opening a house door, insert the key and turn it around, then press the fingerprint, and you can't get in even less than a step.

// Multi-factor authentication logic
async function Multi-factor login (account: string, password: string, fingerprint: string) {
// Step 1: Verify password
const password is correct = await verification hash (account, password);
if (!The password is correct) return false;

// Step 2: Verify fingerprints (compare in TEE)
const fingerprint matching = await TEE.verify('fingerprint_template', fingerprint);
return fingerprint matching;
   }

Dynamic Token: "One-time key" to prevent reuse When transferring money by bank, in addition to password + fingerprint, you also need to enter the SMS verification code (a dynamic token that changes once a minute).Just like the vault password in the movie, it is automatically changed every minute, and it is useless to steal it~

// Dynamic token generation (example)
function generates dynamic token(secretKey: string) {
const timestamp = Math.floor(Date.now() / 60000); // One cycle per minute
const hash = crypto.createHmac('sha1', secretKey)
.update(timestamp.toString())
           .digest('base64');
return hash.slice(0, 6); // Take the first 6 digits as tokens
   }

3. Future Challenge: When hackers learn to "wall-walking"

(I) "Occurrence and Defense War" of Emerging Technologies

AI forged biometrics
Hackers use Deepfake to generate fake faces?Hongmeng may introduce "live detection": blinking, nodding, and reading random numbers, all of which are indispensable.Just like customs security check, you not only look at your face, but also move to prevent the dummy from getting away from it~
Quantum computing cracking encryption
Can a quantum computer decipher RSA?Hongmeng has been studying "anti-quantum encryption algorithms", such as Shor algorithm-resistant Lattice Cryptography.Just like upgrading the door lock to a "quantum lock", both ordinary keys and quantum keys cannot be opened, only a dedicated "quantum-resistant key" can be opened~

(II) Privacy protection: "Mosaic" the data

Federal Learning Certification The biometric data does not come out of the device, and the model is trained locally using federated learning.Just like a doctor's remote consultation, it only transmits disease data, not patient privacy information~

// Federal Learning Certification Process
Device acquisition fingerprint → locally generated feature vector → encryption upload to server
The server uses a global model to compare → Return the result of "match/mism" (no specific data returned)

Zero Knowledge Proof The user proves that he knows the password, but does not disclose the password itself.Just like when you say to the guard, "I know the secret code to open the door", you don't have to say the secret code. The guard tests you for a question, and if you answer correctly, you will let it go~

// Zero-knowledge proof simplifies logic
async function proves that I know the password (challenge: string) {
const response = crypto.hash(challenge + password); // Use password to handle challenges
return response;
   }
// Server generation challenge, compare whether the response is correct, no need to know the password

4. Developer practice: Create a "copper wall" certification system

(I) Password Strategy: The "combination punch" that drives hackers crazy

Forced password complexity: 8 digits or above + uppercase and uppercase + digits + symbols, such as "Huawei_2025!"
Regular password change: Forced to change every 90 days to prevent long-term valid passwords from being cracked
Real-time password strength detection: When entering, prompt "weak/medium/strong", guiding users to set up strong passwords

(II) Biometrics: "Balance of Security and Experience"

Use TEE to store templates, prohibiting applications from directly accessing original data
Number of failures limit: 5 consecutive fingerprint errors, lock for 1 minute and notify the user
In combination with device security status: Biometrics are allowed only when the device is not rooted or jailbroken

(3) Multi-factor authentication: "Safety Level" configured on demand

Normal scene: password + fingerprint (such as social APP)
High-risk scenarios: password + fingerprint + dynamic token (such as online banking)
Enterprise scenario: Password + hardware token + IP whitelist (such as internal system)

Last chat

User authentication security is like a "cat and mouse game". Hackers continue to upgrade the "door prying tool", so we have to continuously strengthen the "proof-theft door".HarmonyOS Next's certification system has both the robustness of "traditional locks" (encrypted storage, multi-factor authentication) and the innovation of "smart locks" (TEE, federated learning).Next time I will tell you how to use Hongmeng’s distributed capabilities to do “cross-device authentication”, such as scanning the code on your mobile phone to log in to the tablet, and you don’t need to enter your password throughout the process - remember to follow!😉

(Please indicate the source and original author Xiao L when reprinting. Violators... Let your authentication interface enter the verification code three more times a day! Just kidding~)