Since we have to at least talk to the server once in order to login in and authenticate the credentials, we can save a copy of the authentication information in a way that prevents it from being easily changed by the console. This means we don't have to perform any crypto on the client and can attempt to trust the data that we have stored. So now the problem changes a bit: