When a user wants to log into an application, they will provide their Hive username.
When the user hits the sign-in button, the App will send an authentication request to the HAS and ask the user to start their favorite Private Key Storage Application (PKSA), typically their favorite wallet application installed on their mobile (Hive Keychain for Mobile for example)
The user then opens their wallet and scans the QR code. Alternatively, if the application that the user wants to sign into is a mobile app, the latest can use deep linking and trigger the mobile device to install a wallet app or open it if already installed.
If the wallet stores the keys of the account that wants to log in, it will request approval or denial of the user's authentication request.
Wallet approval mockup
If the user approves the authentication request, the APP will be informed by the HAS that the user has successfully authenticated and that it can proceed with the user sign-in.
The APP has 100% certainty that the account exists and that whoever signs in owns the account's private keys.
Likewise, the user has explicitly identified and approved the application for further interaction.
At this moment, the application session and the users are now registered with the HAS and can communicate with each other through a secure encrypted channel.