Hanko 2.4

[FlxMgdnz]

This release brings several security, reliability, and usability improvements across Hanko’s authentication stack. It includes stronger passcode options, better key management integration, more robust auth flows in Hanko Elements, improved device trust handling, and expanded localization support.

Alphanumeric passcodes

In addition to numeric passcodes, Hanko now supports optional alphanumeric passcodes. This increases entropy and makes passcode-based authentication more resilient against brute-force and guessing attacks.

External key providers (AWS KMS)

Hanko’s token signing engine can now be configured to use external HSMs and Key Management Systems, currently only AWS KMS is supported. This allows teams with higher security requirements to keep signing keys fully managed outside of Hanko.

Security notifications

Hanko now optionally sends email notifications for security-relevant actions (enabled by default), for example when a new passkey is added to an account. These notifications help users detect suspicious activity early and improve overall account security.

PKCE by default in Hanko Elements

Hanko Elements now uses PKCE-based flows by default. This resolves several issues with third-party integrations, especially in setups where the backend is not running on the same domain as the frontend.

Multi-user device trust support

Device trust cookies are no longer overwritten on shared machines or when multiple users log into the same application. This improves reliability for shared computers and multi-account setups while keeping device trust intact per user.

Dutch localization

Hanko now officially supports Dutch (NL). This includes UI text, backend mailing templates, and security notification emails, providing a more complete localized experience for Dutch-speaking users.

What's Changed

• feat: make elements use PKCE flow per default by @lfleischmann in feat: make elements use PKCE flow per default #2365
• feat: add alphanumeric passcodes by @FreddyDevelop in feat: add alphanumeric passcodes #2334
• feat: add external key provider aws kms by @FreddyDevelop in feat: add external key provider aws kms #2342
• feat: add security notifications by @irby in Add Security Notifications #2312
• feat: add dutch translations by @Harm-Nullix in feat(i18n): add dutch translations #2352
• feat: add dutch translations (backend mailing) by @Harm-Nullix in feat(i18n): add dutch translations (backend mailing) #2356
• feat: add dutch translations for security notifications by @lfleischmann in feat: add dutch translations for security notifications #2364
• feat: support multiple users per device for device trust by @fadlikadn in feat(mfa): support multiple users per device for device trust #2360
• ci: exclude examples from dependabot scan by @lfleischmann in ci: exclude examples from dependabot scan #2369
• ci: fix dependabot exclude path for examples by @lfleischmann in ci: fix dependabot exclude path for examples #2375
• ci: fix dependabot exclude path again by @lfleischmann in ci: fix dependabot exclude path again #2376
• ci: make workflows ready for trusted publishing by @lfleischmann in ci: make workflows ready for trusted publishing #2313
• ci: update node in build frontend workflow by @lfleischmann in ci: update node in build frontend workflow #2329
• chore: remove fresh example by @lfleischmann in chore: remove fresh example #2328
• chore: update preact by @lfleischmann in chore: update preact #2337
• chore: autogenerate config JSON schema by @github-actions[bot] in chore: autogenerate config JSON schema #2344
• chore: autogenerate config JSON schema by @github-actions[bot] in chore: autogenerate config JSON schema #2346
• chore: autogenerate config JSON schema by @github-actions[bot] in chore: autogenerate config JSON schema #2363
• chore: autogenerate config JSON schema by @github-actions[bot] in chore: autogenerate config JSON schema #2366
• chore: update examples by @lfleischmann in chore: update examples #2345

New Contributors

• @Harm-Nullix made their first contribution in feat(i18n): add dutch translations #2352
• @fadlikadn made their first contribution in feat(mfa): support multiple users per device for device trust #2360

Full Changelog: backend/v2.3.0...backend/v2.4.0

---

This discussion was created from the release Hanko 2.4.