When a user starts an application (App) that wants to interact with the Hive blockchain, the first thing it needs to do is to authenticate the user.
Usually, this is done by entering a username and password and matching them against similar data stored somewhere.
Hive Authentication Services (HAS) enables applications to authenticate their users by simply providing a username, relieving the applications from storing additional credential data.
It does so by using any third-party Private Key Storage Application (PKSA) to act as a Two-Factor Authentication (2FA) provider.
The users only need to trust one PKSA, where they safely store their private keys. They will no longer be required to provide them to any HAS-enabled application. Likewise, they are guaranteed that their keys will never leave the PKSA.
Before being able to receive and process any request for an account from the HAS, the PKSA must prove to the HAS that it stores the user's private keys.
Once an account has been registered by a PKSA, the HAS will know it can safely send transaction requests from that account to the PKSA.
A PKSA should wait to get an out-of-band auth_req_payload before registering an account it manages, mainly because it may not know which HAS server it needs to connect to.