Why Rodauth?

Rodauth is Ruby's most advanced authentication framework. There are other authentication frameworks for Ruby, such as Devise, Authlogic, and Sorcery, but all of them are Rails-specific. Rodauth offers many advantages over competing frameworks:

Goals

Security

Rodauth ships with a maximum-security-by-default configuration. The default and recommended way to use Rodauth is with multiple database accounts and database functions for authentication: the account the web application connects with cannot read the table holding the password hashes, and can only ask the database (through functions that run with elevated privileges) whether a given password matches. This protects the password hashes even if an attacker compromises the application itself. Even if you are storing nothing else important in your application, if you are storing password hashes, it is critical that you protect access to them as much as possible, so that an attacker will not be able to use password hashes stolen from your database to attack other sites. If you are not able to use this more secure mode, Rodauth also supports more typical methods of password storage.

Rodauth ships with support for multiple multifactor authentication methods, including WebAuthn and TOTP, so that a password compromised elsewhere (for example, a reused password recovered from another site's leaked password hashes) is not on its own enough to log in to your site.

Rodauth ships with support for multiple passwordless authentication methods, allowing users to log in without having passwords at all.

For tokens stored in the database (e.g. for resetting passwords), Rodauth can use an HMAC: the database holds only a random key, while the value sent to the user is an HMAC of that key computed with a secret kept in the application's configuration. If an SQL injection vulnerability in the application lets an attacker read the token table, the leaked values are unusable unless the application's HMAC secret is also compromised.
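As an added illustration of the HMAC token scheme described above (example code, not Rodauth's own implementation): the stored value is a random key, the link token is the account id plus an HMAC of that key under a secret that lives only in application configuration, and verification recomputes the HMAC with a constant-time comparison. `HMAC_SECRET`, the `RESET_TOKENS` hash standing in for the token table, and all function names are assumptions of this example; the sample secret is constructed.

```ruby
require 'openssl'
require 'securerandom'

# Added illustration, not Rodauth's own implementation. The HMAC secret is
# assumed to live only in application configuration (e.g. an environment
# variable), never in the database that holds the tokens.
HMAC_SECRET = 'example-hmac-secret-from-app-config'

# Constructed stand-in for the password reset key table: account id => stored key.
# This is exactly what an SQL injection against the token table would leak.
RESET_TOKENS = {}

def compute_hmac(secret, data)
  OpenSSL::HMAC.hexdigest('SHA256', secret, data)
end

# Constant-time comparison so the verifier does not leak how many leading
# characters of the presented HMAC were correct.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  diff = 0
  a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
  diff.zero?
end

# Issue a reset token. Only the random key is written to the "database";
# the value that goes into the emailed link is "<account_id>_<HMAC(key)>".
def create_reset_token(account_id, secret: HMAC_SECRET)
  key = SecureRandom.urlsafe_base64(32)
  RESET_TOKENS[account_id] = key
  "#{account_id}_#{compute_hmac(secret, key)}"
end

# Verify a presented token. Returns the account id on success, nil otherwise.
def verify_reset_token(token, secret: HMAC_SECRET)
  id_str, presented = token.to_s.split('_', 2)
  return nil if id_str.nil? || presented.nil?
  account_id = Integer(id_str, 10) rescue nil
  return nil if account_id.nil?
  key = RESET_TOKENS[account_id]
  return nil if key.nil?
  secure_compare(compute_hmac(secret, key), presented) ? account_id : nil
end

# What an attacker can do with a leaked stored key: the only way to turn it
# into a working link is to also know (or guess) the HMAC secret.
def forge_from_leak(account_id, leaked_key, guessed_secret)
  "#{account_id}_#{compute_hmac(guessed_secret, leaked_key)}"
end

if $PROGRAM_NAME == __FILE__
  token = create_reset_token(42)
  leaked_key = RESET_TOKENS[42]
  puts "legitimate link token verifies:    #{verify_reset_token(token) == 42}"
  puts "leaked key used directly as token: #{verify_reset_token("42_#{leaked_key}").inspect}"
  puts "forged with wrong secret:          #{verify_reset_token(forge_from_leak(42, leaked_key, 'wrong')).inspect}"
  puts "forged with the real secret:       #{verify_reset_token(forge_from_leak(42, leaked_key, HMAC_SECRET))}"
end
```

The point of the split is that the two halves of the credential live in different places: the key in the database, the secret in the application. Dumping the token table through SQL injection yields keys that do not verify, and the forgery only succeeds in the last line because the attacker is handed the real secret.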

Simplicity

Rodauth uses a simple configuration DSL that makes it easy to construct a custom authentication object tailored to your application.

Flexibility

Rodauth allows overriding any part of the framework on a per-request basis, using any information related to the request, by passing a block to any configuration method.

Full Featured

Rodauth ships with support for a large number of authentication features, such as:

You can learn more about these features by reviewing Rodauth's documentation.