Core principles of beOS Pro account system, including synchronization mechanisms, account stages and unified authentication. Covers multi-factor authentication and multi-device sync fundamentals.
beOS Pro account
This document covers concepts and designs related to the account system in beOS Pro.
Account synchronization
Accounts in the beOS Pro app, beOS Pro, and Remote Space stay synchronized as follows:
- Creating a beOS Pro requires providing a beOS ID and activating it using the beOS Pro app logged in with that beOS ID.
- To log into Remote Space, you need to scan a QR code with the beOS Pro app.
Understand account stages
Each account has three stages.
Not bound to a beOS ID (DID stage)
An unbound account represents the initial stage where you have basic credentials created locally. This includes your mnemonic phrase, private key, and DID, but no beOS ID yet.
During this stage, you can export and back up your mnemonic phrase and access Remote Space to request an organization domain name.
However, importing to other beOS Pro app clients isn't possible at this point.
:::tip
In the beOS Pro app, when you tap Create an account, your account enters the DID stage.
:::
Bound to a beOS ID
When your account is bound to a beOS ID, the system records the connection between your beOS ID and DID on the blockchain.
This enables you to request and activate a beOS Pro through Remote Space.
At this stage, you gain the ability to import your account to other devices using your exported mnemonic phrase, supporting unified authentication across applications.
Bound to a beOS Pro
The final stage occurs when your account is linked to a beOS Pro device. This enables full participation in the beOS Pro ecosystem, including monitoring system resources for your device.
Unified account system
beOS Pro supports unified authentication for a multi-user system.
- After the user logs in on the login page, all future requests automatically include authentication details.
- Each user request first goes through the Authelia service for authentication.
- If authentication fails, the application redirects the user to the login page to re-authenticate.
- If authentication succeeds, the Backend for Launcher (BFL) attaches the user's basic information and forwards the request to the application service. This relieves the application from handling the authentication itself.
- For shared applications, developers need to build an additional Auth Server to connect the application's account with the BFL account.
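The request flow in the list above, modeled as an added Python example (not beOS Pro's own code): authentication runs first, a failure redirects to the login page, and a success forwards the request with the user's identity attached. The header name, cookie name, login path and session table are assumptions made for illustration; the model also drops any client-supplied copy of the identity header before forwarding, which is a design choice of this example.

```python
# Added illustration: models the documented request flow with plain
# functions. Header name, cookie name, login path and session table
# are assumptions, not beOS Pro's real values.
from dataclasses import dataclass, field

IDENTITY_HEADER = "X-Example-User"     # hypothetical header set by the gateway
LOGIN_URL = "/login"                   # hypothetical login page path
SESSIONS = {"s3ss10n-alice": "alice"}  # constructed session store


@dataclass
class Response:
    status: int
    headers: dict = field(default_factory=dict)
    body: str = ""


def authenticate(cookies: dict):
    """Stand-in for the Authelia check: map a session cookie to a user."""
    return SESSIONS.get(cookies.get("session", ""))


def app_service(headers: dict) -> Response:
    """Application service: no authentication here, it reads the forwarded identity."""
    return Response(200, body=f"hello {headers[IDENTITY_HEADER]}")


def gateway(headers: dict, cookies: dict) -> Response:
    """Authenticate first, then forward with the user's identity attached."""
    # Drop any identity header the client sent itself, so the value the
    # application sees can only come from the authentication step.
    forwarded = {k: v for k, v in headers.items()
                 if k.lower() != IDENTITY_HEADER.lower()}
    user = authenticate(cookies)
    if user is None:
        # Authentication failed: send the user back to the login page.
        return Response(302, headers={"Location": LOGIN_URL})
    forwarded[IDENTITY_HEADER] = user  # the step the page attributes to BFL
    return app_service(forwarded)


if __name__ == "__main__":
    print(gateway({}, {"session": "s3ss10n-alice"}))
    print(gateway({IDENTITY_HEADER: "admin"}, {}))
    print(gateway({"x-example-user": "admin"}, {"session": "s3ss10n-alice"}))
```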
Multi-factor authentication (MFA)
beOS Pro integrates a variety of authentication factors with different security levels to ensure the security of user identity authentication in the system.
Password
When a user is first created, beOS Pro generates a random password for initial setup. After completing identity verification, the user is prompted to replace this initial password with a stronger, custom password.
One-time password
When users perform sensitive operations such as login, beOS Pro requires them to enter the one-time two-factor authentication code generated in the beOS Pro app.