Yosai v0.3 was released to PyPI.
Yosai is an Apache2-licensed security framework written in Python that provides industrial-strength authentication, authorization, and session management from a common API. You can secure any kind of Python application with it. Highlights of this release:
- A complete second-factor authentication workflow using time-based one-time passwords
- Rate limiting / account locking
- Significant refactoring and optimizations
Second Factor Authentication
As of this release, Yosai features native support for Time-based One Time Passwords (TOTP), the prevailing standard for one-time password authentication.
Authenticating a user configured for TOTP authentication involves two steps:
- Username / Password Authentication
- One-time Password Authentication
An overview of second-factor authentication was added to Yosai’s authentication documentation.
I’ve created a complete tutorial to help you learn how to use TOTP in your project. The tutorial guides you through setup and workflow.
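To make the two-step workflow concrete, here is an added example (not Yosai's code, and not the tutorial's) that implements RFC 6238 TOTP with only the Python standard library. Yosai delegates this to Passlib; the stand-alone implementation below exists so the verification rules a second factor needs are visible: a constant-time comparison of the candidate token, a small acceptance window for clock drift, and rejection of any counter already consumed so a captured token cannot be replayed. The secret, the `window` and `last_counter` parameters, and the `second_factor_login` helper are all assumptions for illustration.

```python
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, for_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP where the counter is the number of time steps elapsed."""
    return hotp(secret, for_time // step, digits)


def verify_totp(secret: bytes, token: str, for_time: int, step: int = 30,
                digits: int = 6, window: int = 1,
                last_counter: Optional[int] = None) -> Optional[int]:
    """Return the matching counter, or None if the token is not accepted.

    Accepts counters within +/- `window` steps of the current one to tolerate
    clock drift, but never a counter at or before `last_counter`, so a token
    that was already used cannot be replayed inside the window.
    """
    current = for_time // step
    for delta in range(-window, window + 1):
        counter = current + delta
        if last_counter is not None and counter <= last_counter:
            continue
        # constant-time comparison: do not leak which digits matched
        if hmac.compare_digest(hotp(secret, counter, digits), token):
            return counter
    return None


def provisioning_uri(secret: bytes, label: str, issuer: str) -> str:
    """otpauth:// URI that authenticator apps consume when enrolling a user."""
    b32 = base64.b32encode(secret).decode().rstrip("=")
    return f"otpauth://totp/{issuer}:{label}?secret={b32}&issuer={issuer}"


def second_factor_login(password_ok: bool, secret: bytes, token: str,
                        for_time: int, last_counter: Optional[int]) -> Optional[int]:
    """The two-step workflow: the second factor is only checked once the first
    factor has succeeded. Returns the consumed counter (to persist as the new
    last_counter) or None when authentication fails."""
    if not password_ok:
        return None
    return verify_totp(secret, token, for_time, last_counter=last_counter)


if __name__ == "__main__":
    # Constructed demo secret; the RFC 6238 test vector secret, never a real one.
    demo_secret = b"12345678901234567890"
    now = int(time.time())
    print("enrol with:", provisioning_uri(demo_secret, "alice@example.com", "demo"))
    print("current token:", totp(demo_secret, now))
```

The reference values in RFC 6238 (secret `12345678901234567890`, time 59 gives `287082` at six digits) make a good self-check for any TOTP implementation, and the `last_counter` bookkeeping is the part most often omitted: without it a token observed during its 30-second validity can be submitted again.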
Rate Limiting / Account Locking
Yosai now allows developers to regulate authentication for any particular user account by defining a maximum number of allowable authentication attempts. Account locking is enabled when a developer sets account_lock_threshold in Yosai's authentication settings; this value caps the total number of failed attempts allowed during authentication.
Assuming account locking is enabled, the moment that the number of failed authentication attempts exceeds the maximum-allowable threshold, Yosai will lock the account, prohibiting subsequent authentication regardless of whether credentials match.
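The following is an added example, written for this post rather than taken from Yosai, of the locking rule just described: a per-account failure counter, an account_lock_threshold, and a lock that refuses every later attempt whether or not the credentials match. Password verification uses hashlib.scrypt as a stand-in for the Passlib hashers Yosai relies on, the in-memory account store and the `Authenticator` class are assumptions for illustration, and an unknown username is still hashed against a throwaway salt so the response time does not reveal which usernames exist.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class Account:
    username: str
    salt: bytes
    password_hash: bytes
    failed_attempts: int = 0
    locked: bool = False


def hash_password(password: str, salt: bytes) -> bytes:
    """scrypt (memory-hard) stands in for the Passlib hashers Yosai uses."""
    return hashlib.scrypt(password.encode("utf-8"), salt=salt,
                          n=2 ** 14, r=8, p=1, dklen=32)


class Authenticator:
    """Constructed example of account locking driven by account_lock_threshold."""

    def __init__(self, account_lock_threshold: int) -> None:
        self.account_lock_threshold = account_lock_threshold
        self.accounts: Dict[str, Account] = {}
        # used to spend the same hashing effort on unknown usernames
        self._dummy_salt = os.urandom(16)

    def register(self, username: str, password: str) -> None:
        salt = os.urandom(16)
        self.accounts[username] = Account(username, salt, hash_password(password, salt))

    def authenticate(self, username: str, password: str) -> str:
        """Return 'ok', 'invalid' or 'locked'."""
        account: Optional[Account] = self.accounts.get(username)
        if account is None:
            hash_password(password, self._dummy_salt)  # equalise timing
            return "invalid"
        if account.locked:
            # Locked accounts are refused before credentials are even checked.
            return "locked"
        candidate = hash_password(password, account.salt)
        if hmac.compare_digest(candidate, account.password_hash):
            account.failed_attempts = 0
            return "ok"
        account.failed_attempts += 1
        # Lock the moment the failure count exceeds the threshold.
        if account.failed_attempts > self.account_lock_threshold:
            account.locked = True
            return "locked"
        return "invalid"

    def unlock(self, username: str) -> None:
        """Administrative reset; the only way back in once an account is locked."""
        account = self.accounts[username]
        account.locked = False
        account.failed_attempts = 0


if __name__ == "__main__":
    auth = Authenticator(account_lock_threshold=3)
    auth.register("alice", "correct horse battery staple")  # constructed demo account
    for attempt in range(5):
        print(attempt + 1, auth.authenticate("alice", "wrong password"))
    print("correct password after lock:", auth.authenticate("alice", "correct horse battery staple"))
```

With a threshold of 3 the fourth failed attempt locks the account, and from then on even the correct password is answered with "locked" until an administrator calls `unlock`. A production store would persist the counter and lock flag rather than keep them in process memory, so a restart does not clear them.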
Refactoring and Optimizations
Refactoring is an iterative process that ought to be undertaken when the benefits of doing so are sufficient to justify the expenditure of effort required to perform it. In this case, the ends justified the means: Yosai v0.3 is leaner, meaner, and consequently a whole lot more pythonic than prior versions.
Yosai targets current versions of Python 3, specifically 3.4 and newer.
Yosai v0.3 uses Passlib for cryptographic hashing and TOTP token generation. This was made possible by the latest Passlib 1.7 release. I'd like to thank its author, Eli, for his dedication to the project. To learn more about this project and the updates in 1.7, visit the Passlib web site.
Release highlights:
- Argon2 & Scrypt hash support
- TOTP support
- PBKDF2 now has a faster builtin backend, and utilizes other backends where available
- Lots of API cleanups and internal refactoring
- HtpasswdFile reader is now more flexible, and with improved security options
- Refreshed documentation