An authentication server that can be used by off-the-shelf and custom software without having to reinvent the wheel. In other words, don't write your own authentication solution (you'll probably get it wrong).

This project is currently under heavy development. A stable release is forthcoming. Watch this space.

• Standards-compliant management of passwords and sessions

  • Conforms to NIST 800-63B
  • Support for Authenticator Assurance Levels:
    • AAL1: Basic authentication (most common)
    • AAL2: At least two factors of authentication
    • AAL3: Mandatory multi-factor with hardware devices
  • Secrets are safe even if someone has access to the database
  • Passwords are hashed with PBKDF2 (HMAC + SHA-3 512)
  • Automatic password re-hashing as needed
  • Unicode passwords are normalized (NFKC) then stored as UTF-8
  • Upgrade legacy password databases (bcrypt) during login
  • Support for hardware key storage (HSM) via PKCS#11

• Protects personally identifiable information (PII)

  • Encrypted email addresses
  • Salted and hashed email addresses for deterministic lookup

• Attack counter measures:

  • Real-time brute force detection
  • Slow attack responses without affecting real users

• Auditing

  • Complete event log of all actions taken
  • Statistics transmitted to a time series database

• Acts as a remote authentication provider:

  • OpenID Connect (OAuth2 + authentication)
  • Sessions with JSON Web Tokens

• Authenticate with external providers:

  • OpenID Connect (OIDC)
  • Security Assertion Markup Language (SAML)
  • Lightweight Directory Access Protocol (LDAP)
  • Pluggable Authentication Modules (PAM)

• Private certificate authority

  • Auto-generated server TLS certificates for intranet use
  • Issue certificates on a Unix domain socket (UDS)
  • Authenticate intranet clients via issued certificates

• User interface:

  • Customize the UI so it matches your brand
  • Users can change and reset passwords
  • Administrator interface

• Open and Free:

  • Open source, released under the Apache License.
  • Free, even for commercial use
  • Commercial support available

• Secure by default.

  You shouldn't have to be a security expert to install or use Sthenauth. As much as possible we try to make it impossible to install or configure Sthenauth in a way that would make it insecure.

Sthenauth takes its name from the gorgon Stheno, the immortal sister of Medusa. The face of a gorgon was used in Ancient Greece as a way to ward off evil.