Hanko: Shaping the Future of Open Authentication With Passkeys
In an increasingly digital world, secure authentication is crucial. Today, this often involves entering passwords that are easily forgotten or lost in a phishing attack.
As digital security evolves, passkeys have emerged as a more secure and efficient alternative to passwords. Big Tech like Apple and Google have already adopted passkeys, making end-user devices ready for a shift away from passwords. However, most applications still need to be prepared to support passkeys on the server side.
This is where Hanko comes in. It was founded by Felix Magedanz in 2018 and helps developers make applications ready to support passkeys. Whether you need a full-fledged authentication solution or simply want to integrate an API for passkey support, Hanko has got you covered and is poised to revolutionize how we log in.
Learn more about the future of open authentication with passkeys from our interview with the founder and CEO, Felix Magedanz:
Why Did You Start Hanko?
I have been a founder at heart since my university days when I started a software agency with three of my friends. We built software for money, making seven figures in revenue and employing 25 people full-time. Still, I had this itch to build a product myself, and not just software to help others realize their dreams.
A recurring pain point during application development has always been authentication. How do you verify a user is allowed to log in? There didn’t seem to be a perfect solution. At the same time, I discovered what would later be called ‘passkeys’—a new way to verify users safely and smoothly based on cryptographic and biometric signatures.
I thought If passwords were ever to be replaced, then it would be based on passkey technology. I fell in love with the technology and founded Hanko to help make passkeys the future authentication standard.
How Does Authentication With Passkeys Work?
Passwords have been used for authentication since the internet started. It’s a piece of knowledge that’s only in your head, hard to obtain, but also easily forgotten.
If you want to replace passwords, you need to come up with a new factor and bind it to an individual so that no attacker can abuse it. Such a factor can be your Face ID, Touch ID, or simply a device pin that only you know and that only works on your devices. The point about passkeys is that they couple such a local authentication factor to a private cryptographic key stored on your device, which results in strong 2-factor authentication that works without a password.
Private keys are the counterparts of public keys in asymmetric encryption. For example, to encrypt messages, the public key is shared publicly so everyone can send you an encrypted message, while the private key is kept secret and only used by the recipient to read the message. Similarly, asymmetric cryptography is used for passkey authentication. A web application uses your public key to pose a computational challenge that only you with your private key can solve, proving that it is you.
Currently, suppose you visit a website and click login. You need to type in a username and password, and if you have enabled multifactor authentication, you also type in a one-time code from an SMS or authenticator app on your phone. That’s a lot of different steps you need to take care of. With passkeys, you will go to a website, click sign in with passkey, and then use Touch ID, Face ID, or a PIN code to log in smoothly.
While people can phish your password and misuse it, logging in with a passkey is tied to the private key on your device. So even if you just use a PIN code and someone steals that PIN code, it won’t be of much use, as one can use it only with your device. This makes attacks impractical and prevents them from scaling: passwords can be obtained and abused at scale with phishing emails, but you can’t steal devices at scale. It’s like getting money from an ATM: it only works with your particular bank card.
The great thing about passkeys is that Big Tech like Google and Apple already support them; your mobile phone or laptop already comes with the required cryptography tech built-in. However, the applications you use online must also support this type of cryptography, but many of them still work with password-based logins and need to adapt. That’s where Hanko comes in.
Unlike password managers, which are installed and managed by end users, supporting passkeys need to happen on the server side by whoever provides the application. Hanko enables every server to support passkeys. Whether you just need an API to support passkeys or a fully-fledged authentication solution, with our open-source project or our hosted offering, Hanko Cloud, you can build that functionality directly into your app and make it more secure and future-proof.
How Did You Evaluate Your Startup Idea?
In 2015, we already thought that passkeys would revolutionize online security. We started out closed-source, pursuing an enterprise sales play, and found early customers, including SAP. We were way too early, though; no one knew about passkeys at that time, and it took much longer than anticipated for devices to support passkey authentications.
We stuck with the problem and watched passkey technology develop over time. We knew it was just a matter of time before passkeys prevailed. With some money in the bank and time, we were pondering what actions we could take to prepare for the shift to passkeys.
Fundamentally, we were developing a product that developers could integrate on the server side for passkey support. So we figured that going open-source would be a better strategy to ensure trust and visibility in our technology as well as to build a community. Our vision is to become part of every login, so people have to trust Hanko, and part of that is being open-source and transparent about what’s under the hood.
We’re part of a wave of commercial open-source startups. Many open-core alternatives to closed-source SaaS tools that everyone can use and self-host have emerged. However, if you want an easy and fast way to integrate and maintain them, you pay for a hosted version. For us, this is Hanko Cloud. With just a few clicks, you’re ready to go and save a lot of time on setting everything up and maintaining it. Hanko Cloud is currently in beta, with the global launch planned for Q4 this year. More than 3000 users have signed up already, and hundreds of them have integrated Hanko into their projects.
We are targeting indie developers and startups, and from there, we will move up to target corporations. Choosing an authentication solution is one of the first steps in developing an application in a startup, so we aim to be as attractive as possible for this early development stage and provide a stellar developer experience. Being open-source really helps us to be found at the right time and integrated early, just when developers start looking for a solution to their authentication problems.
If you want to know more, feel free to explore our code on GitHub*, where you’ll also find lots of useful material to get started with using Hanko.
What Advice Would You Give Fellow Deep Tech Founders?
Don’t hold back what you’re developing for too long. Launch it and get feedback as soon as possible. Smart people especially struggle with this, wanting to make their product perfect. This holds you back. You don’t have to launch publicly on ProductHunt right away, but maybe start with a private beta, show it to friends or make some of your technology available on GitHub.
Launch a preliminary version and build a community around it. Having fans greatly increases your chances of a successful big launch down the road, and you get smart folks to look at what you’re doing and give you feedback. People want to help you, even if you’re not asking for it. This is one of the coolest benefits of being a founder. But you only get that if you put yourself out there and tell the world what you’re doing.
Work on the Future of Computing at Hanko
Join our mission to build the open authentication platform for the modern web: check out job openings on our career page*.
Hanko raises 1.2M € – Press release on Hanko’s latest funding round.
On passkeys – Learn more on Hanko’s blog about how passkeys will replace passwords to enable better login security
adesso ventures invests in passkeys start-up Hanko – Press release by adesso ventures about why they invested in Hanko
*Sponsored links – we greatly appreciate the support from Hanko
Learn more about sponsoring the Future of Computing blog here