# Authentication

When a user starts an application (**App**) that wants to interact with the Hive blockchain, the first thing it needs to do is to authenticate the user.

Usually, this is done by entering a username and password and matching it against similar data stored somewhere.

Hive Authentications Services enables applications to authenticate their users by simply providing a username, relieving the applications from storing additional credentials data.

It does so by using any third-party Private Key Storage Application (**PKSA**) to act as a Two-Factor Authentication (2FA) provider.

The users only need to trust one **PKSA**, where they safely store their private keys. They now more will be required to provide them to any **HAS** enabled application. Likewise, they are guaranteed that their keys will never leave the **PKSA**.

Before being able to receive and process any request for an account from the **HAS**, the **PKSA** must prove to the **HAS** that it stores the user's private keys.

Once an account has been registered by a **PKSA**, the **HAS** will know it can safely send transactions requests from that account to the **PKSA**.

A **PKSA** should wait to get an off-band `auth_req_payload` before registering an account it manages, mainly because it may not know which **HAS** server it needs to connect to.