This update adds options to allow users to skip 2FA on trusted devices, a “Stay signed in” checkbox, "Last used" labels on social SSO buttons, and improvements to the Admin API.
A new device trust feature offers users the option of not having to perform 2FA again for a certain period of time after successful 2FA. Administrators can determine whether device trust should be established automatically, or whether the user should be asked whether they trust the device, or whether trusted devices should never be allowed and 2FA should always be enforced.
This new option can be used to control whether a persistent cookie or a session cookie should be issued when the user is logging in. Persistent cookies (default) remain valid for the set session duration, i.e. the user remains logged in even if the browser is closed. Session cookies are usually deleted when the browser or browser tab is closed, so users have to log in again the next time they visit the app. A third option adds a “Stay signed in” checkbox to the login screen, which allows the user to determine the type of cookie themselves.
Social SSO buttons (e.g., "Sign in with Google") now display a "Last used" label to help users remember which provider they chose on their last visit and avoid creating redundant accounts. Note that active Account Linking still allows users to change the login method to some extent, but only if the email address matches.
The Admin API has been extended with the following new endpoints:
User import functionality has been improved. Now, more user data and credentials can be imported, e.g.:
This release contains Multi-Factor Authentication (MFA) capabilities for Hanko backend and Hanko Elements.
Hanko has been optimized for WebAuthn and passkey authentication from the very beginning. However, the additional implementation of other, potentially weaker authentication methods such as passwords and email passcodes meant that we also had to add MFA (or 2FA). And here it is: TOTP authenticator apps as well as FIDO security key support.
As a bonus feature, we added the option for MFA enrollment during registration and login flows, allowing admins to easily enforce MFA adoption among their user base if required.
As the de facto standard for 2FA, the most obvious benefit of Time-based One-Time Passcodes (TOTP) is their universality. Users can choose from a myriad of authentication apps such as Google Authenticator, Microsoft Authenticator and many more to generate the one-time codes – no special hardware required.
We just had to support security keys as second factors due to their unmatched security benefits. No other MFA method can protect users as reliably against phishing and most other known account takeover attacks.
Hanko 1.1 is here, introducing optional server-side sessions as an alternative to the previous approach of just issuing JWTs, together with a bunch of small improvements and bug fixes.
With a new setting located in the Session menu in Hanko Cloud, server-side sessions can be enabled or disabled. Alongside this setting, we've added a /sessions
endpoint to the public API.
If server-side sessions are enabled (the default for new projects), sessions are stored in the DB, displayed on the user's profile, and can be revoked by the user. Note: To be able to use the advantages of server-side sessions, it is necessary to always validate JWTs via the new /sessions
endpoint.
A sessions list has been added to the <hanko-profile>
element. Here, users can monitor their sessions and revoke them remotely. The session data displayed includes the operating system and browser used (retrieved from the user agent string), the IP address, and a the date on which the session was last active.
Admins can now control how many active session are allowed per user. This can be relevant in certain use cases, e.g. if only a single session should be permitted.
We are excited to release Hanko 1.0 today. After two years in Beta, Hanko 1.0 is more user friendly, more customizable and more mature than any previous release in almost all areas, which is now represented by the 1.0 version number.
<hanko-login>
and <hanko-registration>
that can be placed on separate pages, e.g. /login and /registration<hanko-auth>
element is still available, allowing users to toggle between login and registration on the same pageThis version contains a new API, which we call Flow API (#1532). With the previous RESTful API of the Hanko backend, it had become very complex to extend the functionality of Hanko. This was mainly due to the fact that most of the state handling was done in Hanko Elements and each endpoint had to be called in a specific order to work properly. The Flow API takes over this complexity completely in the backend and thus enables us to further develop the Hanko system at a higher speed than ever before.
When migrating your application to the new Hanko 1.0 Elements, be aware of the following changes:
onAuthFlowCompleted
events have been removed (use onSessionCreated
instead)onSessionCreated
contains the session JWT, but not the user ID anymoreFor the self-hosting migration guide see the release notes on GitHub.
Send your own passcode emails with Hanko's new custom email sending feature. Custom email sending allows you to have full control over emails sent to your users. Simply subscribe to the new email webhook and build your own emails. See the custom email docs here.
We've added support for Sign in with Microsoft and Discord to Hanko Cloud. Hanko Cloud admins can find both under the Identity providers section in the project's settings.
Once enabled, the respective "Sign in with..." buttons will be displayed for all users on your <hanko-auth> sign in and sign up page.
Sign in with Microsoft supports both personal and work accounts (e.g. Office 365 or Azure AD / Entra accounts). This feature took a good amount of work and was stalled for a few months because we stumbled upon the "nOAuth" security vulnerability (basically by accident) and had to find a way around it. To make sure your Hanko project is protected when using Sign in with Microsoft, please follow the steps highlighted in the Hanko Docs for the Microsoft identity provider.
We have updated Hanko Cloud with the following changes:
All Hanko Cloud projects have been updated to v0.10.1.
Check out the new features by signing in to your Hanko Cloud account.
We've added Sign in with Google and GitHub options to the Hanko Cloud Console login.
We have updated Hanko Cloud with the following changes:
All Hanko Cloud projects have been updated to v0.10.
Check out the new features by signing in to your Hanko Cloud account.
We have updated Hanko Cloud with the following changes:
New Hanko Cloud projects will use the latest Hanko v0.9.0. All existing projects are still on Hanko v0.8.4 but will be updated soon.
Check out the new features by signing in to your Hanko Cloud account.
Stay up-to-date with the latest releases, new features, and bug fixes.