Announcement

Hanko v1 is here

Modern as Clerk.

Open source like Keycloak.

Faster and more customizable than any other.

We’re proudly announcing Hanko v1 today. After 2 years in beta, the most flexible and open authentication solution on the market is now generally available and ready to power the login of your next app.

The core of the v1 release is a completely new API, the Flow API. It moves the complexity of the login flow out of the frontend, so you can build your own authentication UI cleanly, and it makes Hanko future-proof as new authentication methods are added. Additionally, Hanko now has proper multi-factor authentication (MFA), enterprise SSO, and server-side sessions.

Flow API: The most flexible authentication API on the market

  • Identifiers and authentication methods can be enabled individually and freely combined, no more implicit settings
  • Passwords can now be optional, mandatory, or off. Optional passwords can be deleted by the user, giving users the choice between a password and a passkey as their preferred authentication method
  • Smooth migration of existing users, e.g. transition from a password-based system to passkeys, without overburdening all users at once, by prompting existing users to create a passkey when signing in
  • Usernames are now supported as identifiers, in addition to email addresses
  • Configurations that use the email identifier and require email verification now effectively prevent email enumeration: login and registration respond the same way whether or not an address is already registered, enabling a fully privacy-preserving implementation of both
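To make the enumeration point concrete, here is an added example (not Hanko's code) of a "start login with email" endpoint written both ways. The user store, mailer, request shape and `/login/start` path are assumptions for the example; the point is that the hardened handler's status, body and amount of work are identical for known and unknown addresses, so the only place the difference is visible is the recipient's mailbox.

```go
package main

import (
	"crypto/rand"
	"encoding/json"
	"fmt"
	"math/big"
	"net/http"
	"net/http/httptest"
	"strings"
)

// Hypothetical in-memory user store and mailer for this example; neither is Hanko's.
type userStore struct{ byEmail map[string]bool }

func (s *userStore) Exists(email string) bool { return s.byEmail[strings.ToLower(email)] }

type mailer struct{ sent []string } // records recipients so the example is checkable offline

func (m *mailer) SendCode(email, code string) { m.sent = append(m.sent, email) }

type startReq struct {
	Email string `json:"email"`
}

// newCode draws a 6-digit one-time code from crypto/rand.
func newCode() string {
	n, err := rand.Int(rand.Reader, big.NewInt(1_000_000))
	if err != nil {
		panic(err)
	}
	return fmt.Sprintf("%06d", n.Int64())
}

// LeakyStart is the classic anti-pattern: status and body differ depending on
// whether the address is registered, so anyone can enumerate users one POST at a time.
func LeakyStart(store *userStore, m *mailer) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		var req startReq
		if err := json.NewDecoder(r.Body).Decode(&req); err != nil {
			http.Error(w, "bad request", http.StatusBadRequest)
			return
		}
		if !store.Exists(req.Email) {
			http.Error(w, "unknown email address", http.StatusNotFound)
			return
		}
		m.SendCode(req.Email, newCode())
		w.Header().Set("Content-Type", "application/json")
		fmt.Fprint(w, `{"next":"verify_code"}`)
	}
}

// SafeStart answers identically for known and unknown addresses: the only place
// the difference shows up is the mailbox. The code is generated either way so the
// handler does the same work on both paths; the mail itself should be enqueued
// asynchronously so delivery latency cannot become the side channel.
func SafeStart(store *userStore, m *mailer) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		var req startReq
		if err := json.NewDecoder(r.Body).Decode(&req); err != nil {
			http.Error(w, "bad request", http.StatusBadRequest)
			return
		}
		code := newCode()
		if store.Exists(req.Email) {
			m.SendCode(req.Email, code)
		}
		w.Header().Set("Content-Type", "application/json")
		fmt.Fprint(w, `{"next":"verify_code"}`)
	}
}

// Probe sends a constructed login-start request and returns what a client observes.
func Probe(h http.HandlerFunc, email string) (int, string) {
	body := strings.NewReader(`{"email":"` + email + `"}`)
	rec := httptest.NewRecorder()
	h(rec, httptest.NewRequest(http.MethodPost, "/login/start", body))
	return rec.Code, strings.TrimSpace(rec.Body.String())
}

func main() {
	store := &userStore{byEmail: map[string]bool{"alice@example.com": true}}
	for _, email := range []string{"alice@example.com", "nobody@example.com"} {
		c, b := Probe(LeakyStart(store, &mailer{}), email)
		fmt.Printf("leaky %-20s -> %d %s\n", email, c, b)
		c, b = Probe(SafeStart(store, &mailer{}), email)
		fmt.Printf("safe  %-20s -> %d %s\n", email, c, b)
	}
}
```

The same rule applies to registration: if the address is already taken, send that account a "you already have an account" mail instead of a verification mail, and still return the generic "check your inbox" response. Rate limiting per address and per source IP remains necessary, since a uniform response does not stop an attacker from flooding mailboxes.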

Learn more about the Flow API here.

Multi-Factor Authentication (MFA)

Hanko now fully supports TOTP authenticator apps as well as FIDO security keys as second factors. As a bonus, we added the option of MFA enrollment during the registration and login flows, allowing admins to enforce MFA adoption across their user base if required. MFA is available on all plans at no extra cost.

TOTP authenticator apps

Time-based One-Time Passwords (TOTP) are the de facto standard for 2FA, and their most obvious benefit is universality: users can choose from a myriad of authenticator apps such as Google Authenticator, Microsoft Authenticator and many more to generate the one-time codes, with no special hardware required. The trade-off is that a TOTP code can be relayed by a real-time phishing site just like a password, so TOTP does not offer the phishing resistance of security keys.
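For reference, here is an added example (not Hanko's implementation) of what the server side of TOTP amounts to: RFC 4226 HOTP with HMAC-SHA1, the counter derived from Unix time in 30-second steps, and a verifier that tolerates a configurable amount of clock skew. The reference secret `12345678901234567890` comes from the RFCs; the function names are the example's own.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"encoding/base32"
	"encoding/binary"
	"fmt"
	"strings"
	"time"
)

// Parameters used by virtually every authenticator app (RFC 6238 defaults).
const (
	totpPeriod = 30 // seconds per time step
	totpDigits = 6
)

// hotp computes an RFC 4226 HOTP value: HMAC-SHA1 over the big-endian counter,
// dynamic truncation to 31 bits, then reduction to the requested number of digits.
func hotp(secret []byte, counter uint64, digits int) string {
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], counter)
	mac := hmac.New(sha1.New, secret)
	mac.Write(msg[:])
	sum := mac.Sum(nil)
	offset := int(sum[len(sum)-1] & 0x0f)
	code := binary.BigEndian.Uint32(sum[offset:offset+4]) & 0x7fffffff
	mod := uint32(1)
	for i := 0; i < digits; i++ {
		mod *= 10
	}
	return fmt.Sprintf("%0*d", digits, code%mod)
}

// TOTP is HOTP with the counter derived from Unix time (RFC 6238).
func TOTP(secret []byte, unix int64) string {
	return hotp(secret, uint64(unix/totpPeriod), totpDigits)
}

// VerifyTOTP accepts the current step and up to `skew` neighbouring steps on each
// side to tolerate clock drift between phone and server. Every candidate is checked
// with a constant-time comparison and the loop never exits early, so the check
// leaks neither the expected code nor which step matched.
func VerifyTOTP(secret []byte, code string, unix int64, skew int) bool {
	ok := false
	for i := -skew; i <= skew; i++ {
		step := unix/totpPeriod + int64(i)
		if step < 0 {
			continue
		}
		if hmac.Equal([]byte(hotp(secret, uint64(step), totpDigits)), []byte(code)) {
			ok = true
		}
	}
	return ok
}

// DecodeBase32Secret parses a secret as shown in otpauth:// URIs and QR codes
// (base32, unpadded, case-insensitive, spaces allowed).
func DecodeBase32Secret(s string) ([]byte, error) {
	s = strings.ToUpper(strings.ReplaceAll(s, " ", ""))
	return base32.StdEncoding.WithPadding(base32.NoPadding).DecodeString(s)
}

func main() {
	// RFC 6238 reference secret; at Unix time 59 the 6-digit code is 287082.
	secret := []byte("12345678901234567890")
	fmt.Println("code at t=59:", TOTP(secret, 59))
	now := time.Now().Unix()
	fmt.Println("verifies now:", VerifyTOTP(secret, TOTP(secret, now), now, 1))
}
```

Two things a production verifier adds on top of this: it remembers the last time step for which a code was accepted and refuses any code for that step again, so a code captured in transit cannot be replayed within its 30-second window, and it rate-limits attempts per user, since a 6-digit code with a skew of 1 gives an attacker three valid values out of a million per try.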

Security keys

Security keys as second factors were a must for us because of their unmatched security benefits: a FIDO credential is bound to the origin it was registered on, so a phishing site on another domain cannot obtain a valid assertion from it. No other MFA method protects users as reliably against phishing and most other known account-takeover attacks.

Enterprise Single Sign-On (SSO)

Hanko now supports connections to external SAML identity providers (IdPs). The Hanko login can be configured to redirect users whose email addresses belong to certain domains to the SAML IdP connected for that domain. This is useful for Hanko deployments targeting B2B scenarios, where customers ask that their employees sign in with their company-managed single sign-on (SSO) service such as Okta, OneLogin, Keycloak, and others.

Server-side sessions

With a new setting in the Session menu of Hanko Cloud, server-side sessions can be enabled or disabled. Alongside this setting, we've added a /sessions endpoint to the public API. If server-side sessions are enabled (the default for new projects), sessions are stored in the database, displayed on the user's profile, and can be revoked by the user. To benefit from server-side sessions, your backend must always validate JWTs via the new /sessions endpoint rather than only checking the signature locally: a signed JWT stays cryptographically valid until it expires, so a revoked session is only rejected if the check consults the session store.

Active sessions list and revocation

A sessions list has been added to the <hanko-profile> element, where users can monitor their sessions and revoke them remotely. The session data displayed includes the operating system and browser (derived from the user agent string, which is client-supplied and therefore informational only), the IP address, and the date on which the session was last active.

Session limit

Admins can now control how many active sessions are allowed per user. This is relevant in certain use cases, e.g. when only a single session per user should be permitted.

More upcoming features

We have big plans for Hanko — to make your experience when building and running your apps even better. Here are a few highlights:

This week:

  • Custom domains, free for all plans
  • Device trust: Allow users to skip MFA on trusted devices
  • Last used indicator for social logins
  • Custom OAuth providers

In the next months:

  • Full data export & import: Seamless migration between Hanko Cloud and self-hosted — anytime, on your terms
  • New user menu component to make the initial setup even more effortless
  • All-new <hanko-profile> layout and design
