The Hanko Authentication API is the complete software toolkit for implementing FIDO®-based strong multi-factor authentication for securing access to online applications.

Core components

  • Intuitive, developer-friendly API backed by a FIDO® certified server that leverages the FIDO®2 set of protocols: WebAuthn (W3C Web Authentication) and CTAP (Client-to-Authenticator Protocol)
  • The Hanko Console is the place to manage your Hanko experience. Configure your applications, authentication flows & policies and track usage with live statistics.
  • Client- and server-side SDKs make integration into existing applications as easy as possible.
  • Built with a cloud-native approach, it is usable as a service in a highly available public cloud environment or on-premises in Docker, Kubernetes or VM environments.

Supported devices

FIDO®2/WebAuthn aims at replacing passwords with phishing-resistant, public-key-cryptography-based credentials that are created and stored on hardware devices (so-called authenticators).

Because FIDO®2 and WebAuthn are open industry standards backed by corporations like Google, Microsoft and Apple, they are supported across a wide range of modern end-user devices. With the Hanko Authentication Service providing the necessary infrastructure, this gives organizations a number of ways to enable strong and secure authentication in their applications.

Platform authenticators

Modern laptops, desktops and mobile devices like smartphones and tablets can function as authenticators in a FIDO®2/WebAuthn context. In the FIDO world they are referred to as platform authenticators.

Apple's Touch ID and Face ID, Windows Hello or the biometric capabilities of Android devices are examples of such technologies. Their omnipresence in both personal and workplace environments removes the need for proprietary software or the provisioning of additional dedicated hardware devices. This leads to increased convenience for end-users and organizations alike.

Technologies like the "Trusted Platform Module" (TPM) or the Secure Element / Secure Enclave on mobile devices ensure the secure storage of the credentials used for authentication.

Security Keys

Besides platform authenticators, Hanko also supports the use of security keys: cryptographically backed devices capable of communication through a variety of interfaces including USB, near-field communication (NFC), or Bluetooth. FIDO security keys are available from a number of manufacturers like Yubico, Feitian or Nitrokey. Their advantage over platform authenticators is that they are not bound to a specific device. They can roam between devices, which is why they are also called roaming authenticators.

Use cases

The possibility of using different types of authenticators enables flexible authentication flows and ensures great user experiences. The Hanko Authentication API enables passwordless, usernameless, as well as second-factor authentication scenarios.

Passwordless authentication

In this scenario, users provide only a username to initiate authentication. The browser then presents a device-native dialogue to the user. Once the user confirms by providing biometrics or a PIN, the unlocked private key is used to locally sign the authentication request, which is then passed back to the online application. This process is also known as user verification.

Using something the user has (private key on an authenticator device) and something the user is (biometrics) or knows (PIN) makes this a multi-factor authentication mechanism. No passwords needed.

Figure 1: Passwordless authentication flow

Usernameless authentication

In a usernameless scenario, there is no need for a user to provide either a username or a password. It is very similar to the passwordless scenario. The only difference is that the information about which private credential material to use with a specific service is stored and handled by the client/authenticator. This type of credential is also referred to as a client-side discoverable credential. If there are multiple credentials registered for a service, the user is first prompted to select which credential to use and then performs user verification as in the passwordless scenario.

Figure 2: Usernameless authentication flow

Second Factor

In this scenario, users still provide a username and a password. The FIDO authenticator serves as the traditional second factor, the possession of the device. It also ensures that a user is physically present and in control of an authenticator device. User presence is confirmed by simply tapping the capacitive touch sensor of a security key.

Figure 3: Second factor authentication flow
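
The three scenarios above differ in what a server has to require from the authenticator's response: user verification for the passwordless and usernameless flows, user presence for the second-factor flow. The following JavaScript is an added example, not Hanko's API or SDK code; it parses the header of the WebAuthn authenticator data and applies those requirements per scenario. The scenario names, function names and sample bytes are assumptions made for illustration, and verification of the signature, challenge and origin is outside its scope.

```javascript
// Added example (not Hanko code): per-scenario checks on WebAuthn authenticator data.
const FLAG_UP = 0x01; // bit 0: user present (e.g. security key was tapped)
const FLAG_UV = 0x04; // bit 2: user verified (biometrics or PIN)

// Hypothetical scenario names for the three flows described on this page.
const POLICY = {
  passwordless: { requireUV: true, requireUserHandle: false },
  usernameless: { requireUV: true, requireUserHandle: true },
  secondFactor: { requireUV: false, requireUserHandle: false },
};

// Authenticator data starts with: rpIdHash (32) | flags (1) | signCount (4, big-endian).
function parseAuthenticatorData(bytes) {
  if (bytes.length < 37) throw new Error("authenticator data shorter than 37 bytes");
  const view = new DataView(bytes.buffer, bytes.byteOffset, bytes.byteLength);
  return {
    rpIdHash: bytes.slice(0, 32),
    userPresent: (bytes[32] & FLAG_UP) !== 0,
    userVerified: (bytes[32] & FLAG_UV) !== 0,
    signCount: view.getUint32(33, false),
  };
}

// expectedRpIdHash is SHA-256 of the relying party ID, computed by the caller.
function checkAssertion(scenario, authData, expectedRpIdHash, userHandle) {
  const policy = POLICY[scenario];
  if (!policy) throw new Error("unknown scenario: " + scenario);
  const d = parseAuthenticatorData(authData);
  const errors = [];
  const sameRp = expectedRpIdHash.length === 32 &&
    d.rpIdHash.every((b, i) => b === expectedRpIdHash[i]);
  if (!sameRp) errors.push("rpIdHash mismatch");
  if (!d.userPresent) errors.push("user presence flag not set");
  if (policy.requireUV && !d.userVerified) errors.push("user verification flag not set");
  // A discoverable credential must identify the account, since no username was typed.
  if (policy.requireUserHandle && !(userHandle && userHandle.length > 0)) errors.push("missing user handle");
  return { ok: errors.length === 0, errors, signCount: d.signCount };
}

// Constructed sample input: 0xab bytes stand in for a real rpIdHash.
const RP_HASH = new Uint8Array(32).fill(0xab);
function sampleAuthData(flags, signCount) {
  const out = new Uint8Array(37);
  out.set(RP_HASH, 0);
  out[32] = flags;
  new DataView(out.buffer).setUint32(33, signCount, false);
  return out;
}
```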