We’re proudly announcing Hanko v1 today. After 2 years in beta, the most flexible and open authentication solution on the market is now generally available and ready to power the login of your next app.
The core of the v1 release is a completely new API, the Flow API. It takes the complexity out of the frontend and lets you build your authentication UI elegantly, while making Hanko future-proof. Additionally, Hanko now has proper multi-factor authentication (MFA), enterprise SSO, and server-side sessions.
Learn more about the Flow API here.
Hanko now fully supports TOTP authenticator apps as well as FIDO security keys as second factors. As a bonus feature, we added the option for MFA enrollment during registration and login flows, allowing admins to easily enforce MFA adoption among their user base if required. MFA is available to all plans at no extra cost.
As the de facto standard for 2FA, the most obvious benefit of Time-based One-Time Passcodes (TOTP) is their universality. Users can choose from a myriad of authentication apps such as Google Authenticator, Microsoft Authenticator and many more to generate the one-time codes — no special hardware required.
We just had to support security keys as second factors due to their unmatched security benefits. No other MFA method can protect users as reliably against phishing and most other known account takeover attacks.
Hanko now supports connections to external SAML identity providers (IdPs). That means the Hanko login can be configured to redirect email addresses of certain domains to their connected SAML IdPs. This is useful for Hanko deployments targeting B2B scenarios where customers request the ability for their employees to sign in with their company-managed single sign-on (SSO) service such as Okta, Onelogin, Keycloak, and others.
With a new setting located in the Session menu in Hanko Cloud, server-side sessions can be enabled or disabled. Alongside this setting, we've added a /sessions endpoint to the public API. If server-side sessions are enabled (the default for new projects), sessions are stored in the DB, displayed on the user's profile, and can be revoked by the user. To benefit from server-side sessions, in particular from revocation, JWTs must always be validated via the new /sessions endpoint rather than only checked locally.
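As an added example (not Hanko's own code), here is a Go middleware that treats a session as live only after asking the Hanko backend, so a session the user revoked from their profile is rejected even though its JWT signature would still verify locally. The path /sessions/validate, the session_token request field, the is_valid and user_id response fields and the hanko cookie name are assumptions to check against the Hanko API docs.

```go
package main

import (
	"bytes"
	"encoding/json"
	"fmt"
	"net/http"
)
// Assumed response shape of the session validation call; check the Hanko docs.
type SessionValidation struct {
	IsValid bool   `json:"is_valid"`
	UserID  string `json:"user_id"`
}

// ValidateSession asks the Hanko backend whether a session JWT is still live.
// Assumed: POST {hankoURL}/sessions/validate with a JSON session_token field.
func ValidateSession(client *http.Client, hankoURL, token string) (*SessionValidation, error) {
	body, _ := json.Marshal(map[string]string{"session_token": token})
	resp, err := client.Post(hankoURL+"/sessions/validate", "application/json", bytes.NewReader(body))
	if err != nil {
		return nil, err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return nil, fmt.Errorf("session validation returned HTTP %d", resp.StatusCode)
	}
	var v SessionValidation
	if err := json.NewDecoder(resp.Body).Decode(&v); err != nil {
		return nil, err
	}
	return &v, nil
}
// RequireSession rejects a request unless Hanko confirms its session is live;
// a local-only signature check would still accept a revoked session. "hanko" is the assumed cookie name.
func RequireSession(client *http.Client, hankoURL string, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		c, err := r.Cookie("hanko")
		if err != nil || c.Value == "" {
			http.Error(w, "missing session", http.StatusUnauthorized)
			return
		}
		v, err := ValidateSession(client, hankoURL, c.Value)
		if err != nil || !v.IsValid {
			http.Error(w, "invalid or revoked session", http.StatusUnauthorized)
			return
		}
		r.Header.Set("X-User-ID", v.UserID) // hand the verified identity downstream
		next.ServeHTTP(w, r)
	})
}
```

Any network error or non-200 answer from the backend is treated as "not authenticated", so an outage fails closed rather than open.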
A sessions list has been added to the <hanko-profile> element. There, users can monitor their sessions and revoke them remotely. The session data displayed includes the operating system and browser used (retrieved from the user agent string), the IP address, and the date on which the session was last active.
Admins can now control how many active sessions are allowed per user. This can be relevant in certain use cases, e.g. if only a single session should be permitted.
We have big plans for Hanko — to make your experience when building and running your apps even better. Here are a few highlights: