Similar to Account Registration, Account Authentication involves two steps:
- Authenticate the Locker account
- Authenticate the Master Password
Authenticate the Locker Account
Use Email and Account Password
When a user enters an Email and an Account Password, the Email and the hash of the entered Account Password, generated with Password-based Key Derivation Function 2 (PBKDF2), are compared with the corresponding values stored in the database. If both pairs match, the Locker account is authenticated; otherwise, the login attempt is rejected.
Use OAuth
The OAuth authentication process takes place entirely at the service provider, such as Facebook, Google, GitHub, or Apple. Locker never sees the user's credentials for that provider; it only uses the result returned by the provider to confirm that the user is authenticated.
Authenticate the Master Password
Only after the Locker account has been successfully authenticated (by Email and Account Password or by OAuth) is the Master Password authentication allowed to take place. The process is described in detail in the diagram below; the main idea is as follows:
- Calculate the Generated Master Password Hash (h1): the Client stretches the Master Password with Password-based Key Derivation Function 2 for 100,001 iterations and sends the result to the Server, which stretches that value for a further 216,000 iterations. The Master Password itself never leaves the Client.
- Get the Stored Master Password Hash (h2) value stored in the database since Account Registration.
- Compare h1 and h2. If the two values match, the Master Password is correct; otherwise, it is not.
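The two checks above (the PBKDF2 comparison of the Account Password, and the two-stage Client/Server stretching of the Master Password followed by the h1 against h2 comparison) as one added, runnable example. This is illustration code written for this page, not Locker's own implementation. The iteration counts (100,001 on the Client, 216,000 on the Server) are the ones stated on the page; everything else is an assumption: HMAC-SHA256 as the PBKDF2 pseudorandom function, a 32-byte output, per-user random salts, the 100,000 iteration count for the Account Password (the page gives none), and the `StoredUser` record standing in for the database row. The `register` function only exists to produce the stored values that the login later compares against.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass

# Iteration counts as stated on the page.
CLIENT_ITERATIONS = 100_001    # Master Password stretching on the Client
SERVER_ITERATIONS = 216_000    # additional Master Password stretching on the Server
ACCOUNT_ITERATIONS = 100_000   # assumption: the page gives no count for the Account Password
DKLEN = 32                     # assumption: 256-bit PBKDF2 output
PRF = "sha256"                 # assumption: HMAC-SHA256 as the PBKDF2 PRF


def pbkdf2(secret: bytes, salt: bytes, iterations: int) -> bytes:
    """PBKDF2-HMAC over `secret`; every hash in this example is built from this call."""
    return hashlib.pbkdf2_hmac(PRF, secret, salt, iterations, dklen=DKLEN)


@dataclass
class StoredUser:
    """Stand-in for the database row kept per user (constructed for this example)."""
    email: str
    account_salt: bytes
    account_hash: bytes        # PBKDF2 hash of the Account Password
    master_salt: bytes         # salt the Client uses for the Master Password (assumption)
    server_salt: bytes         # salt the Server uses for its extra stretching (assumption)
    stored_master_hash: bytes  # h2: the Server-stretched Master Password hash


def client_master_hash(master_password: str, master_salt: bytes) -> bytes:
    """Client side: 100,001 PBKDF2 iterations over the Master Password.
    Only this value is sent to the Server; the Master Password itself never leaves the Client."""
    return pbkdf2(master_password.encode("utf-8"), master_salt, CLIENT_ITERATIONS)


def server_master_hash(client_hash: bytes, server_salt: bytes) -> bytes:
    """Server side: a further 216,000 iterations over the value received from the Client,
    so a database leak exposes h2 rather than the value the Client actually transmits."""
    return pbkdf2(client_hash, server_salt, SERVER_ITERATIONS)


def register(email: str, account_password: str, master_password: str) -> StoredUser:
    """Account Registration: derive and store the values that login compares against."""
    account_salt, master_salt, server_salt = os.urandom(16), os.urandom(16), os.urandom(16)
    h2 = server_master_hash(client_master_hash(master_password, master_salt), server_salt)
    return StoredUser(
        email=email,
        account_salt=account_salt,
        account_hash=pbkdf2(account_password.encode("utf-8"), account_salt, ACCOUNT_ITERATIONS),
        master_salt=master_salt,
        server_salt=server_salt,
        stored_master_hash=h2,
    )


def authenticate_account(user: StoredUser, email: str, account_password: str) -> bool:
    """Step 1: the Email and the PBKDF2 hash of the entered Account Password must both
    match the stored pair. compare_digest keeps the hash comparison constant-time."""
    candidate = pbkdf2(account_password.encode("utf-8"), user.account_salt, ACCOUNT_ITERATIONS)
    return email == user.email and hmac.compare_digest(candidate, user.account_hash)


def authenticate_master_password(user: StoredUser, account_authenticated: bool,
                                 master_password: str) -> bool:
    """Step 2, allowed only after Step 1 succeeded: recompute h1 with the Client stretching
    followed by the Server stretching, then compare it with the stored h2."""
    if not account_authenticated:
        return False
    h1 = server_master_hash(client_master_hash(master_password, user.master_salt),
                            user.server_salt)
    return hmac.compare_digest(h1, user.stored_master_hash)


def login(user: StoredUser, email: str, account_password: str, master_password: str) -> bool:
    """The full two-step flow: the Master Password is only checked once the account is authenticated."""
    account_ok = authenticate_account(user, email, account_password)
    return authenticate_master_password(user, account_ok, master_password)


if __name__ == "__main__":
    # Constructed sample user; the credentials below are not real.
    u = register("alice@example.com", "account-pw", "correct horse battery staple")
    print("good login:", login(u, "alice@example.com", "account-pw", "correct horse battery staple"))
    print("bad master:", login(u, "alice@example.com", "account-pw", "wrong master"))
```

Two points the prose leaves implicit are visible here: a wrong Account Password stops the flow before any Master Password work is done, and the h1/h2 comparison uses `hmac.compare_digest` rather than `==` so that the time taken to reject a guess does not depend on how many leading bytes happened to match.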