This release brings several security, reliability, and usability improvements across Hanko’s authentication stack. It includes stronger passcode options, better key management integration, more robust auth flows in Hanko Elements, improved device trust handling, and expanded localization support:
Alphanumeric passcodes
In addition to numeric passcodes, Hanko now supports optional alphanumeric passcodes. This increases entropy and makes passcode-based authentication more resilient against brute-force and guessing attacks.
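To put numbers on the entropy gain, the following added example (not Hanko's own code) generates a passcode without modulo bias and compares search space and online guessing odds. The 6-character length, the digits-plus-uppercase alphabet, and the 3-attempt limit are assumptions made for illustration, not Hanko settings.

```go
package main

import (
	"crypto/rand"
	"fmt"
	"math"
	"math/big"
)

// Assumed alphabets for illustration; not taken from Hanko's configuration.
const (
	Numeric      = "0123456789"
	Alphanumeric = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ"
)

// NewPasscode draws each character uniformly from alphabet using the OS CSPRNG.
// rand.Int samples uniformly in [0, limit), so no modulo bias is introduced.
func NewPasscode(alphabet string, length int) (string, error) {
	out := make([]byte, length)
	limit := big.NewInt(int64(len(alphabet)))
	for i := range out {
		n, err := rand.Int(rand.Reader, limit)
		if err != nil {
			return "", err
		}
		out[i] = alphabet[n.Int64()]
	}
	return string(out), nil
}

// EntropyBits returns log2(len(alphabet)^length) for a uniformly chosen code.
func EntropyBits(alphabet string, length int) float64 {
	return float64(length) * math.Log2(float64(len(alphabet)))
}

// GuessSuccess is the probability that `attempts` distinct guesses hit the code.
func GuessSuccess(alphabet string, length, attempts int) float64 {
	space := math.Pow(float64(len(alphabet)), float64(length))
	return math.Min(1, float64(attempts)/space)
}

func main() {
	for _, a := range []struct{ name, chars string }{{"numeric", Numeric}, {"alphanumeric", Alphanumeric}} {
		code, err := NewPasscode(a.chars, 6)
		if err != nil {
			panic(err)
		}
		fmt.Printf("%-12s %s  %.1f bits  p(3 guesses)=%.2e\n",
			a.name, code, EntropyBits(a.chars, 6), GuessSuccess(a.chars, 6, 3))
	}
}
```

The larger search space only helps if attempts per passcode stay limited and codes expire quickly; without those controls, either format can be enumerated.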
External key providers (AWS KMS)
Hanko’s token signing engine can now be configured to use external HSMs and Key Management Systems; currently, only AWS KMS is supported. This allows teams with higher security requirements to keep signing keys fully managed outside of Hanko.
Security notifications
Hanko can now send email notifications for security-relevant actions, for example when a new passkey is added to an account. The feature is optional and enabled by default. These notifications help users detect suspicious activity early and improve overall account security.
PKCE by default in Hanko Elements
Hanko Elements now uses PKCE-based flows by default. This resolves several issues with third-party integrations, especially in setups where the backend is not running on the same domain as the frontend.
Multi-user device trust support
Device trust cookies are no longer overwritten on shared machines or when multiple users log into the same application. This improves reliability for shared computers and multi-account setups while keeping device trust intact per user.
Dutch localization
Hanko now officially supports Dutch (NL). This includes UI text, backend mailing templates, and security notification emails, providing a more complete localized experience for Dutch-speaking users.
What's Changed
- feat: make elements use PKCE flow per default by @lfleischmann in #2365
- feat: add alphanumeric passcodes by @FreddyDevelop in #2334
- feat: add external key provider aws kms by @FreddyDevelop in #2342
- feat: add security notifications by @irby in #2312
- feat: add dutch translations by @Harm-Nullix in #2352
- feat: add dutch translations (backend mailing) by @Harm-Nullix in #2356
- feat: add dutch translations for security notifications by @lfleischmann in #2364
- feat: support multiple users per device for device trust by @fadlikadn in #2360
- ci: exclude examples from dependabot scan by @lfleischmann in #2369
- ci: fix dependabot exclude path for examples by @lfleischmann in #2375
- ci: fix dependabot exclude path again by @lfleischmann in #2376
- ci: make workflows ready for trusted publishing by @lfleischmann in #2313
- ci: update node in build frontend workflow by @lfleischmann in #2329
- chore: remove fresh example by @lfleischmann in #2328
- chore: update preact by @lfleischmann in #2337
- chore: autogenerate config JSON schema by @github-actions[bot] in #2344
- chore: autogenerate config JSON schema by @github-actions[bot] in #2346
- chore: autogenerate config JSON schema by @github-actions[bot] in #2363
- chore: autogenerate config JSON schema by @github-actions[bot] in #2366
- chore: update examples by @lfleischmann in #2345
New Contributors
- @Harm-Nullix made their first contribution in #2352
- @fadlikadn made their first contribution in #2360
Full Changelog: backend/v2.3.0...backend/v2.4.0