MIUI 13 Security White Paper - Xiaomi

5.1 Mi Account

Mi Account is an account used to identify Xiaomi users, and it allows users to access Xiaomi products and services like Xiaomi Cloud, Mi Pay, MiStore, Mi Home, Mi Community, Mi Music, and more. Users can also purchase Mi coins through their Mi Account to use Xiaomi's various virtual products and value-added services (e.g. games, e-books).

Xiaomi takes the privacy of your personal information very seriously and employs the following industry-standard practices to safeguard your Mi Account.

5.1.1 Account Security Setting

When creating an account or resetting passwords, users need to set strong passwords containing 8-16 characters, which include numbers, letters, and special characters. After successfully signing in, users can add a secure recovery phone number or email to their Mi Account, and enable the cross-device authentication feature. These security authentication methods will be used to verify users' identities when they change their account information or reset passwords.

5.1.2 Login Protection

Mi Account uses intelligent risk control services to protect user login credentials and effectively reduce the risk of unauthorized logins and identity theft.

The risk is addressed by detecting the user's login environment and operating methods when signing in. If login attempts with a password, SMS, or another authentication method fail multiple times, Mi Account applies several interactive verification methods to further identify malicious attacks. These include, among others, image verification codes, sliding codes, and CAPTCHA codes. When an abnormal login is identified, Mi Account requires the user to perform further authentication via the secure phone number or secure email associated with the account. If authentication still fails, the services the user is allowed to access are restricted according to the risk level. When a serious login risk is identified, the account is frozen and forced to log out of all current logins, and the current password can no longer be used or reused.

Abnormal logins defined by the intelligent risk control service include:

  • Logins to Mi Account in an untrusted environment.

  • Viewing of private data (e.g., using web pages to view any photos, messages, contacts, etc. stored in Xiaomi Cloud).

  • Modifications of the settings in "Account Security" (e.g., changing the secure recovery phone or email).

Authentication methods include but are not limited to cross-device authentication, text message authentication, and email authentication.

When user behaviour on an account changes (e.g., changing the password or signing in on a new device) and the change is determined to be an abnormal risk, Xiaomi sends an e-mail and messages to notify the user and prompt them to change the password immediately.

In addition, on an MIUI mobile phone, only the applications authorized by Xiaomi can log in with the Mi Account of the mobile phone system.

5.1.3 Data Security

Xiaomi encrypts the personal information that users enter when creating an account, including:

Personal Information                                   | Encryption Method
Mobile Phone Numbers, E-mail Addresses, Account IDs    | AES-128
Login Password                                         | AES-128, Salted Hash

A random number generator is used to generate a character string (random salt), which is attached to the login password. Once the cryptographic hash function generates a hash value from the salted password, that hash value is encrypted with the AES-128 algorithm. Each user has a different random salt, so even if two users use the same password, the final hash values are different.

Figure 5-1-1
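The salt, hash, then encrypt sequence described above, as an added example that is not Xiaomi's code. The page names only "salted hash" and AES-128, so the hash function (scrypt), the AES mode (GCM), the record layout, and the locally generated `DATA_KEY` standing in for a key from a key service are all assumptions.

```javascript
// Added example, not Xiaomi's code. scrypt, AES-128-GCM, the record layout
// and the locally generated key are assumptions made for illustration.
const nodeCrypto = require('crypto');

// Stand-in for a data key obtained from a key service (assumption).
const DATA_KEY = nodeCrypto.randomBytes(16); // 128-bit AES key

// Salted, deliberately slow hash of the password.
function hashPassword(password, salt) {
  return nodeCrypto.scryptSync(password, salt, 32);
}

// Encrypt the hash so a database dump without the key cannot be cracked offline.
function encryptHash(hash, key) {
  const iv = nodeCrypto.randomBytes(12); // fresh nonce per record
  const cipher = nodeCrypto.createCipheriv('aes-128-gcm', key, iv);
  const ct = Buffer.concat([cipher.update(hash), cipher.final()]);
  return { iv, ct, tag: cipher.getAuthTag() };
}

function decryptHash(record, key) {
  const decipher = nodeCrypto.createDecipheriv('aes-128-gcm', key, record.iv);
  decipher.setAuthTag(record.tag);
  // final() throws if the key is wrong or the record was modified.
  return Buffer.concat([decipher.update(record.ct), decipher.final()]);
}

// What gets stored for one user: salt in the clear, hash only in encrypted form.
function createRecord(password, key = DATA_KEY) {
  const salt = nodeCrypto.randomBytes(16); // different for every user
  return { salt, ...encryptHash(hashPassword(password, salt), key) };
}

function verifyPassword(password, record, key = DATA_KEY) {
  let stored;
  try {
    stored = decryptHash(record, key);
  } catch {
    return false; // wrong key or tampered record
  }
  // Constant-time comparison of two 32-byte hashes.
  return nodeCrypto.timingSafeEqual(stored, hashPassword(password, record.salt));
}

// Constructed sample: two users choose the same password.
const alice = createRecord('Tr0ub4dor&3x');
const bob = createRecord('Tr0ub4dor&3x');
```

Because the salt is per user, `alice.ct` and `bob.ct` differ even though the passwords match, and verification fails outright without the data key.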

When the user creates an account or signs in, the account-related information is transmitted to the server over an HTTPS-encrypted channel. The user's personal information is encrypted and stored in a dedicated database with multiple backup copies. The security protection level of the backup data equals that of online data. Xiaomi performs role-based multi-level access control for user data and is subject to the corresponding security audits.

User data encryption and decryption keys are uniformly managed by the Key Center. Key Center is the key management platform independently developed by Xiaomi and is operated and maintained by an independent team in order to separate business, data, and key management responsibilities. Role-based access control ensures that no one obtains all of the permissions required to decrypt user data. In addition, the servers and databases that store user data have deployed real-time monitoring mechanisms to alert and block any abnormal access.

To ensure the security of the keys stored in the Key Center, the keys are encrypted by a 4096-bit Root Key. The Root Key is generated by a hardware-based encryption device.

Figure 5-1-2

5.1.4 Other Account Login Methods

1) QR code scanning login

Mi Account provides QR code scanning login functions. Users can scan the QR code on the web page to log in to their Mi account. The QR code will be automatically invalidated after a certain period, requiring the user to refresh the QR code web page.

2) Verification code login

Mi Account provides login by entering a verification code. Users can enter the verification code shown on a TV on their phones or computers to log in to their Mi Account. The code will be automatically invalidated after a certain period, requiring the user to refresh the TV login page.

3) Third-party authorization login

Mi Account supports authorization for linking third-party accounts, which means users can log into their Mi Account using a third-party account. Currently, users can log into their Apple, Facebook, and Google accounts to connect to their Mi Accounts. Mi Account uses OAuth 2.0 (an open authorization protocol) and follows the standard OAuth 2.0 process to authorize third-party account logins. The security mechanism of OAuth 2.0 ensures that Mi Account information will not be transmitted to such third parties.
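The automatic invalidation described for the QR code login in 1) and the verification code login in 2), as an added example that is not Xiaomi's code. The `LoginCodeStore` class, the two-minute `CODE_TTL_MS`, the code format, and the in-memory store are assumptions; the page says only that a code expires "after a certain period".

```javascript
// Added example, not Xiaomi's code. Class name, TTL, code format and the
// in-memory Map are assumptions made for illustration.
const nodeCrypto = require('crypto');

const CODE_TTL_MS = 120000; // assumed validity window

class LoginCodeStore {
  // The clock is injectable so expiry can be tested without waiting.
  constructor(now = () => Date.now()) {
    this.now = now;
    this.pending = new Map(); // sha256(code) -> { expires, accountId }
  }

  // Store only a digest so a leaked store does not reveal usable codes.
  digest(code) {
    return nodeCrypto.createHash('sha256').update(code).digest('hex');
  }

  // Waiting web page or TV: get a fresh code to render as a QR code or digits.
  issue() {
    const code = nodeCrypto.randomBytes(16).toString('hex');
    this.pending.set(this.digest(code),
      { expires: this.now() + CODE_TTL_MS, accountId: null });
    return code;
  }

  // Look up a code, dropping it if its validity window has passed.
  live(code) {
    const key = this.digest(code);
    const entry = this.pending.get(key);
    if (!entry) return null;
    if (this.now() >= entry.expires) { this.pending.delete(key); return null; }
    return entry;
  }

  // Already signed-in phone: bind the scanned or typed code to its account.
  approve(code, accountId) {
    const entry = this.live(code);
    if (!entry || entry.accountId !== null) return false; // expired or taken
    entry.accountId = accountId;
    return true;
  }

  // Waiting page: collect the approved account exactly once.
  redeem(code) {
    const entry = this.live(code);
    if (!entry || entry.accountId === null) return null;
    this.pending.delete(this.digest(code)); // single use
    return entry.accountId;
  }
}
```

An expired or already redeemed code is indistinguishable from one that never existed, so the waiting page has to request a new code, which matches the refresh behaviour the section describes.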