X.1450: Guidelines on hybrid authentication and key management mechanisms in the client-server model
Client and server are often asymmetric with regard to security credential management. Since in most cases there are many clients and few servers, server credentials can be distributed and managed at relatively low cost, whereas client credentials cannot. As mobile services increasingly carry security- and privacy-sensitive data, industry needs to provide a secure channel in the client-server model using secure yet cost-effective methods that address these asymmetric security requirements. Passwords can be effective for client credential management, and guidelines such as Rec. ITU-T X.1151 are available for password-authenticated key exchange protocols. When client credentials are compromised, however, the adversary can impersonate not only the client but also the service provider. Such server impersonation attacks can be mitigated by using public key techniques for server authentication at low credential management cost. Recommendation ITU-T X.hakm provides guidelines for hybrid authentication and key exchange mechanisms in the client-server model. The underlying mechanism uses shared secrets together with public key techniques for authentication and key exchange. Recommendation X.hakm covers service scenarios, security threats, and methods to mitigate such attacks.
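The following is an added illustration of the hybrid idea in the abstract, not the mechanism specified by X.1450: the server is authenticated with a long-term public key pinned at the client, the client with a shared password, so a leaked password does not let an attacker impersonate the server. It assumes an Ed25519 server key and stands in a plain password-keyed HMAC over the transcript for the password-based step (a real deployment would use a PAKE or a proper KDF and would not store the password in clear).

```go
package main

import (
	"crypto/ecdh"
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

// concat returns a fresh slice, so callers' buffers are never aliased by append.
func concat(parts ...[]byte) []byte {
	var out []byte
	for _, p := range parts {
		out = append(out, p...)
	}
	return out
}

// HybridHandshake runs both sides of the exchange sketched in the abstract in one
// function (comments mark which side does what): the server is authenticated by a
// long-term Ed25519 key pinned at the client, the client by a shared password.
// It returns the session key, or an error if either authentication fails.
func HybridHandshake(serverSign ed25519.PrivateKey, pinnedServerPub ed25519.PublicKey,
	clientPassword, serverPassword []byte) ([]byte, error) {
	curve := ecdh.X25519()
	cEph, _ := curve.GenerateKey(rand.Reader) // client -> server: cEph.PublicKey()
	sEph, _ := curve.GenerateKey(rand.Reader) // server -> client: sEph.PublicKey(), sig
	transcript := concat(cEph.PublicKey().Bytes(), sEph.PublicKey().Bytes())
	sig := ed25519.Sign(serverSign, transcript) // server signs the whole transcript
	// Client: check the server against the pinned key. A stolen password gives an
	// impersonator nothing here, because this step never involves the password.
	if !ed25519.Verify(pinnedServerPub, transcript, sig) {
		return nil, errors.New("server authentication failed")
	}
	sharedC, _ := cEph.ECDH(sEph.PublicKey())
	tag := hmac.New(sha256.New, concat(clientPassword, sharedC))
	tag.Write(transcript) // client -> server: tag.Sum(nil)
	// Server: recompute the tag from the stored password; compare in constant time.
	sharedS, _ := sEph.ECDH(cEph.PublicKey())
	want := hmac.New(sha256.New, concat(serverPassword, sharedS))
	want.Write(transcript)
	if !hmac.Equal(tag.Sum(nil), want.Sum(nil)) {
		return nil, errors.New("client authentication failed")
	}
	key := sha256.Sum256(concat([]byte("session"), sharedC)) // both sides derive this
	return key[:], nil
}
```

Because the server's signature is checked against the pinned key before any password material is used, a party holding only the client's password cannot pass the server step, which is the threat the abstract singles out.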