Zum Hauptinhalt springen

February '26 news

· 3 Minuten Lesezeit
Heiner
Heiner
Seatsurfing Developer

In February we focused on account security and smoother user provisioning: Passkeys (WebAuthn), TOTP-based multi-factor authentication, and tighter session handling. We also introduced an email invitation flow so new users can set their own passwords, plus a set of smaller UI and notification fixes.

🔑 Passkeys (WebAuthn) support

Seatsurfing now supports Passkeys / WebAuthn for authentication. This can make sign-in both more secure and more user-friendly, especially on modern devices.

Passkeys are a modern alternative to passwords, based on public-key cryptography. Instead of typing a password, you sign in using a credential stored on your device (often unlocked via Face ID/Touch ID or a platform PIN). This reduces phishing risk and eliminates password reuse.

🛡️ Multi-Factor Authentication with TOTP

February introduced TOTP-based (time-based one-time password) MFA (multi-factor authentication) support and made the overall MFA experience clearer.

TOTPs (Time-based One-Time Passwords) are short-lived codes generated by authenticator apps (for example on a phone). When enabled, sign-in requires both your primary credential (like a password or Passkey) and a fresh code from your authenticator, which significantly reduces the risk of account takeover if a password is phished or leaked.

🔒 Session IDs for tighter security

To strengthen session handling, we introduced session IDs. This is a behind-the-scenes security improvement, but it helps make authentication and session management more robust.

🚀 Improved user onboarding

February’s onboarding improvements are mainly about password handling when adding new users.

Admins can now invite users instead of creating an account with a pre-defined initial password. New users receive an email invitation and can choose their own password during setup — which means admins no longer need to distribute credentials manually.

In addition, when creating or editing users, admins can explicitly select the authentication method (password, Identity Provider, or invitation), and the binding between users and their configured auth provider was tightened up.

🧰 Fixes and polish

Some smaller changes that still matter day-to-day:

  • Correctly encode UTF-8 characters in email subjects
  • Fix copying usernames to the clipboard
  • Improve access token expiry handling
  • Optimize credential handling in the frontend
  • Ensure external links opened in new tabs use rel="noopener noreferrer"
  • Add browser console logging when localStorage access fails (helps diagnose hardened browser setups)

📦 Dependency & translation updates

As usual, February also included dependency bumps (UI and backend) and translation updates to keep everything current and stable.

📋 More details

As always, you can find detailed information about all February releases and technical changes on our GitHub releases page.

Ready to transform your workplace with smart desk booking? Get started with Seatsurfing today for free or get in touch with us.