If  we have to at least talk allow ourselves one connection  to the server once in order to login in and authenticate the credentials, client,  we can authenticate the credentials and  save a copy of the authentication information in a way that prevents it from being easily changed by the console. This means we don't have to perform any crypto on the client and can attempt to trust the data that we have stored. So now the problem changes a bit: