This release contains Multi-Factor Authentication (MFA) capabilities for Hanko backend and Hanko Elements.

Hanko has been optimized for WebAuthn and passkey authentication from the very beginning. However, the additional implementation of other, potentially weaker authentication methods such as passwords and email passcodes meant that we also had to add MFA (or 2FA). And here it is: TOTP authenticator apps as well as FIDO security key support.

As a bonus feature, we added the option for MFA enrollment during registration and login flows, allowing admins to easily enforce MFA adoption among their user base if required.

TOTP authenticator apps

As the de facto standard for 2FA, the most obvious benefit of Time-based One-Time Passcodes (TOTP) is their universality. Users can choose from a myriad of authentication apps such as Google Authenticator, Microsoft Authenticator and many more to generate the one-time codes – no special hardware required.

Security keys

We just had to support security keys as second factors due to their unmatched security benefits. No other MFA method can protect users as reliably against phishing and most other known account takeover attacks.

Hanko 1.1 is here, introducing optional server-side sessions as an alternative to the previous approach of just issuing JWTs, together with a bunch of small improvements and bug fixes.

Server-side sessions

With a new setting located in the Session menu in Hanko Cloud, server-side sessions can be enabled or disabled. Alongside this setting, we've added a /sessions endpoint to the public API.

If server-side sessions are enabled (the default for new projects), sessions are stored in the DB, displayed on the user's profile, and can be revoked by the user. Note: To be able to use the advantages of server-side sessions, it is necessary to always validate JWTs via the new /sessions endpoint.

Active sessions list and revocation

A sessions list has been added to the <hanko-profile> element. Here, users can monitor their sessions and revoke them remotely. The session data displayed includes the operating system and browser used (retrieved from the user agent string), the IP address, and a the date on which the session was last active.

Session limit

Admins can now control how many active session are allowed per user. This can be relevant in certain use cases, e.g. if only a single session should be permitted.

We are excited to release Hanko 1.0 today. After two years in Beta, Hanko 1.0 is more user friendly, more customizable and more mature than any previous release in almost all areas, which is now represented by the 1.0 version number.

Highlights

Options, options, options

• Identifiers and auth methods can be enabled individually and freely combined, no more implicit settings
• Optional passwords that can be deleted by the user, i.e. give users the choice to select a password or a passkey as their preferred authentication method
• Smooth migration of existing users, e.g. transition from a password-based system to passkeys, without overburdening all users at once

Usernames

• Usernames are now supported as identifiers, in addition to email addresses
• Emails and usernames can also be used simultaneously

Privacy

• Configurations that use the email identifier and require email verification now effectively prevent email enumeration, enabling a fully privacy-preserving implementation of login and registration
• A setting to disable "privacy mode" for situations where explicit feedback to the user is preferred (e.g. "An account using this email address already exists.") is planned for a future release

Dedicated login and registration flows

• Login and registration flows have been separated to present only relevant actions to the user, e.g. "Sign in with a passkey" makes no sense for a user who wants to register a new account
• Introducing new elements <hanko-login> and <hanko-registration> that can be placed on separate pages, e.g. /login and /registration
• Combined <hanko-auth> element is still available, allowing users to toggle between login and registration on the same page

Introducing the all-new Flow API

This version contains a new API, which we call Flow API (#1532). With the previous RESTful API of the Hanko backend, it had become very complex to extend the functionality of Hanko. This was mainly due to the fact that most of the state handling was done in Hanko Elements and each endpoint had to be called in a specific order to work properly. The Flow API takes over this complexity completely in the backend and thus enables us to further develop the Hanko system at a higher speed than ever before.

• This 1.0 release includes the Flow API as well as the completely redesigned Hanko Elements to match the Flow API
• Flow API consists of three new endpoints: /registration, /login, and /profile
• A number of new email templates have been introduced to provide better context for users
• Old API endpoints handling login and registration will be deprecated, but will continue to work for the foreseeable future to allow a smooth transition to the Flow API
• A frontend SDK and documentation for the creation of custom frontends for the Flow API will follow shortly

Migration

When migrating your application to the new Hanko 1.0 Elements, be aware of the following changes: 

• onAuthFlowCompleted events have been removed (use onSessionCreated instead)
• onSessionCreated contains the session JWT, but not the user ID anymore

For the self-hosting migration guide see the release notes on GitHub.

Send your own passcode emails with Hanko's new custom email sending feature. Custom email sending allows you to have full control over emails sent to your users. Simply subscribe to the new email webhook and build your own emails. See the custom email docs here.

New features:

• Added the email.send webhook (Project settings > Webhooks)
• New setting to disable email delivery by Hanko (Project settings > Emails)

We've added support for Sign in with Microsoft and Discord to Hanko Cloud. Hanko Cloud admins can find both under the Identity providers section in the project's settings.

Once enabled, the respective "Sign in with..." buttons will be displayed for all users on your <hanko-auth> sign in and sign up page.

Sign in with Microsoft supports both personal and work accounts (e.g. Office 365 or Azure AD / Entra accounts). This feature took a good amount of work and was stalled for a few months because we stumbled upon the "nOAuth" security vulnerability (basically by accident) and had to find a way around it. To make sure your Hanko project is protected when using Sign in with Microsoft, please follow the steps highlighted in the Hanko Docs for the Microsoft identity provider.

Other changes:

• Automatic account linking can now be toggled for each individual identity provider
• Third-party sign-ups are now correctly displayed in the project dashboard statistics

We have updated Hanko Cloud with the following changes:

• Webhooks: You can now create webhooks for your Hanko projects. Events to subscribe to are currently limited to user data, e.g. when a new user has been created or the primary email address was changed. More event types will be introduced in future releases.
• Automatic project reactivation: Projects that are in the free tier will be paused after 7 days of inactivity to preserve cloud resources. We wanted to make this as unobtrusive as possible, so we've added a respawner service to our production cluster that reactivates paused projects on the first request. Manual project reactivation on the Hanko Cloud Console dashboard can still be done, but should not be required anymore for your apps to not show an error when loading Hanko Elements anymore. Automatic project reactivation will only be active for new projects from today, but we'll update all projects gradually over the coming weeks.

‍

All Hanko Cloud projects have been updated to v0.10.1.

Check out the new features by signing in to your Hanko Cloud account.

We've added Sign in with Google and GitHub options to the Hanko Cloud Console login.

We have updated Hanko Cloud with the following changes:

• Automatic account linking: Account linking is now activated by default for identity provider connections. This allows for existing accounts to be accessed with 3rd-party connections like Sign in with Google when using the same email address, and vice versa.
• ‍Improved passkey naming suggestions: When a new passkey is created, the original passkey name displayed in the list of passkeys in the user profile is generated by Hanko Backend. Previously, all passkey names looked like "Passkeys-ABCDE", where "ABCDE" was the last characters of the random credential ID. From now on, the passkey names are based on the available information about the authenticator used to create the passkey, e.g. "iCloud Keychain", "Windows Hello" or "1Password", which improves the usability of the passkey list in the user profile.

‍

All Hanko Cloud projects have been updated to v0.10.

Check out the new features by signing in to your Hanko Cloud account.

We have updated Hanko Cloud with the following changes:

• Subdomain support: Under project Settings > Advanced is now a new option to configure multiple origins for your Hanko project. Passkeys are always bound to a specific domain, that's how they are so effective against phishing attacks. But that means that you have to define to which domain you want to bind the passkeys for your users. Typically, that's the App URL where your app is hosted and where you integrate Hanko Elements web components. But in certain scenarios, you may want to host your app under, e.g., y.z.com, but want to bind your user's passkeys to, z.com. That means you'll be able to make the same passkeys usable on z.com and all its subdomains. For this to work you have to set your App URL to z.com and add all subdomains you want to support to the origin list. You can always add more subdomains and all existing passkeys will work there as well.
• Links to guides fixed: Links to the integration guides on the project dashboard had changed due to our docs being migrated to Mintlify. The linked guides now point to the correct locations in https://docs.hanko.io again.

‍

New Hanko Cloud projects will use the latest Hanko v0.9.0. All existing projects are still on Hanko v0.8.4 but will be updated soon.

Check out the new features by signing in to your Hanko Cloud account.

We have updated Hanko Cloud with the following changes:

• Self-service account creation can now be disabled under Settings > Allow Sign up. This gives you the ability to make your app invite-only. Please note that admin-initiated user creation is currently possible via the admin API and will be available in Hanko Cloud Console soon.

‍

All Hanko Cloud projects have been updated to use the latest Hanko v0.8.3.

Check out the new features by signing in to your Hanko Cloud account.