
Changelog

Latest updates and improvements in the improvement category.


All changelog posts

  • Account Security Upgrades: Passkeys, Smarter Client Trust, zxcvbn, Turnstile

    Sign in with a passkey, skip Client Trust when 2FA is on, get real password-strength scoring at signup, and run into bot challenges only when traffic looks suspicious.

    Author: Dima Grossman

    Four account-security improvements ship together today: passkey login, Client Trust deferring to 2FA, zxcvbn-ts password scoring, and a smart CAPTCHA on sign-up.

    Existing sessions are unaffected.

    Passkey Login

    Passkeys are now a supported authentication method for Novu accounts.

    Sign up with email and password or SSO as usual, then add a passkey from Account settings → Security.

    Your platform authenticator (Touch ID, Windows Hello, a hardware security key or a password manager like 1Password or iCloud Keychain) handles the rest.

    On your next sign-in, pick Sign in with passkey.

    Passkeys are built on WebAuthn. The private key never leaves your device, so there's nothing phishable for an attacker to capture on our side.

    You can register up to 10 passkeys per account, and they stack alongside your password and 2FA. Passkeys are an additional method, not a replacement.
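The "nothing phishable" property rests on the browser putting the page origin and the server's single-use challenge into clientDataJSON, which the authenticator then signs. The following is an added example, not Novu's code, of the server-side check that enforces that binding: it accepts a constructed assertion from the expected origin and rejects one from a look-alike domain or with a stale challenge. `EXPECTED_ORIGIN`, `make_client_data` and the sample values are assumptions for the example; a real relying party additionally verifies the signature over authenticatorData plus this clientDataHash with the registered public key, the rpIdHash, the user-presence flag and the signature counter.

```python
import base64
import hashlib
import json
import secrets

# Assumed relying-party origin for the example; not Novu's real dashboard origin.
EXPECTED_ORIGIN = "https://dashboard.example.com"


def b64url_encode(raw: bytes) -> str:
    """Base64url without padding, the encoding WebAuthn uses for challenges in clientDataJSON."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def new_challenge() -> str:
    """Server-generated, single-use challenge; store it in the session for the pending ceremony."""
    return b64url_encode(secrets.token_bytes(32))


def make_client_data(challenge: str, origin: str, ceremony_type: str = "webauthn.get") -> str:
    """Constructed stand-in for the clientDataJSON a browser produces (base64url of the JSON)."""
    payload = {"type": ceremony_type, "challenge": challenge, "origin": origin}
    return b64url_encode(json.dumps(payload).encode("utf-8"))


def verify_client_data(client_data_b64: str, expected_challenge: str,
                       expected_type: str = "webauthn.get") -> tuple:
    """Check the three fields that bind an assertion to this site and this login attempt.

    Returns (ok, detail). On success, detail is the SHA-256 clientDataHash that the
    authenticator's signature covers (together with authenticatorData), so a passing
    origin check here is what the signature ultimately attests to.
    """
    raw = b64url_decode(client_data_b64)
    try:
        data = json.loads(raw)
    except ValueError:
        return False, "clientDataJSON is not valid JSON"
    if data.get("type") != expected_type:
        return False, f"unexpected ceremony type {data.get('type')!r}"
    # Constant-time compare: the challenge must be the one this server issued for this session.
    if not secrets.compare_digest(str(data.get("challenge", "")), expected_challenge):
        return False, "challenge mismatch (replayed or cross-session assertion)"
    # The browser fills in the origin itself; a look-alike domain cannot produce this value.
    if data.get("origin") != EXPECTED_ORIGIN:
        return False, f"origin mismatch: {data.get('origin')!r}"
    return True, hashlib.sha256(raw).hexdigest()


def demo() -> dict:
    """Constructed genuine, look-alike-origin and replayed assertions (assumed sample data)."""
    challenge = new_challenge()
    genuine = make_client_data(challenge, EXPECTED_ORIGIN)
    lookalike = make_client_data(challenge, "https://dashboard-example.com.invalid")
    return {
        "genuine": verify_client_data(genuine, challenge)[0],
        "lookalike": verify_client_data(lookalike, challenge),
        "replayed": verify_client_data(genuine, new_challenge())[0],
    }
```

The order of the checks matters little for security, but reporting the origin mismatch separately is useful for detection: a burst of origin-mismatch failures against valid challenges is a credible signal of a phishing kit relaying real users.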

    Client Trust Now Defers to 2FA

    Client Trust is our defense against credential stuffing: when someone signs in with a valid password from a new device, we send a one-time code to their email or phone.

    The catch was that this fired even on accounts with 2FA already enabled. Signing in from a new laptop meant two prompts: enter your TOTP code, then approve the new device.

    That's now collapsed into the regular MFA flow.

    If you have 2FA configured (TOTP, SMS or backup codes), Client Trust skips automatically. Your second factor already covers the new device.

    If you don't have 2FA enabled, behavior is unchanged: new devices still require a verification code by email or phone.

    This only applies to password sign-ins. Passkeys, OAuth and email links bypass Client Trust entirely.

    If you've been meaning to turn on 2FA, this is the nudge.

    Stronger Password Feedback via zxcvbn

    Password strength at signup, change and reset is now scored with zxcvbn-ts, the OWASP-recommended library for measuring real password entropy rather than pattern-matching "8 characters, one number, one symbol."

    You'll see live strength feedback as you type, and a prompt when a password technically meets the basic rules but is still weak (Password1!, qwerty123, dictionary words with predictable substitutions).

    This sits on top of our existing NIST-based minimum requirements.
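To make the contrast between rule checking and guess estimation concrete, here is an added example (not zxcvbn-ts and not Novu's code) of a deliberately small pattern-aware scorer: it undoes common substitutions, strips a bolted-on digit/symbol suffix, looks the core up in a ranked word list and only falls back to brute-force size when no pattern is found. The word list, the substitution table and the variation multipliers are constructed for illustration; only the 0 to 4 scale with its bands at 10^3, 10^6, 10^8 and 10^10 guesses mirrors zxcvbn's own scoring.

```python
import re

# Constructed mini dictionary ordered by assumed frequency (rank 1 = most common).
# zxcvbn-ts ships ranked lists with tens of thousands of entries; this is a stand-in.
COMMON_WORDS = ["password", "qwerty", "letmein", "welcome", "dragon",
                "monkey", "football", "admin", "login", "princess"]

# Predictable substitutions that a scorer must undo before the dictionary lookup (assumed table).
LEET = {"@": "a", "4": "a", "8": "b", "3": "e", "1": "i", "!": "i",
        "0": "o", "$": "s", "5": "s", "7": "t", "+": "t"}


def meets_composition_rules(pw: str) -> bool:
    """The rule-based check the post contrasts with: 8+ chars, a digit and a symbol."""
    return (len(pw) >= 8
            and re.search(r"\d", pw) is not None
            and re.search(r"[^A-Za-z0-9]", pw) is not None)


def split_suffix(pw: str) -> tuple:
    """'Password1!' -> ('Password', '1!'): trailing digits/symbols are the usual rule-satisfying bolt-on."""
    i = len(pw)
    while i > 0 and not pw[i - 1].isalpha():
        i -= 1
    return pw[:i], pw[i:]


def unleet(s: str) -> str:
    return "".join(LEET.get(ch, ch) for ch in s).lower()


def estimate_guesses(pw: str) -> int:
    """Rough guess count: dictionary rank times variation multipliers, else brute force.

    Multipliers (x2 per substitution or capital, x10 per suffix character) are assumed
    for illustration, in the spirit of zxcvbn's variation model, not its exact figures.
    """
    core, suffix = split_suffix(pw)
    normalized = unleet(core)
    if normalized in COMMON_WORDS:
        rank = COMMON_WORDS.index(normalized) + 1
        variations = sum(1 for ch in core if ch in LEET or ch.isupper())
        return rank * (2 ** variations) * (10 ** len(suffix))
    # No known pattern: assume an attacker must brute-force the observed character classes.
    charset = 0
    if re.search(r"[a-z]", pw):
        charset += 26
    if re.search(r"[A-Z]", pw):
        charset += 26
    if re.search(r"\d", pw):
        charset += 10
    if re.search(r"[^A-Za-z0-9]", pw):
        charset += 33
    return charset ** len(pw)


def score(pw: str) -> int:
    """Map guesses onto zxcvbn's 0-4 scale (bands at 10^3, 10^6, 10^8, 10^10 guesses)."""
    guesses = estimate_guesses(pw)
    for level, limit in enumerate((10**3, 10**6, 10**8, 10**10)):
        if guesses < limit:
            return level
    return 4


def check_signup_password(pw: str) -> dict:
    """Rules remain the floor; the score drives the 'technically valid but weak' prompt."""
    rules_ok = meets_composition_rules(pw)
    s = score(pw)
    if not rules_ok:
        feedback = "fails-rules"
    elif s < 3:
        feedback = "weak-despite-rules"   # rule-compliant but cheap to guess
    else:
        feedback = "ok"
    return {"meets_rules": rules_ok, "score": s, "feedback": feedback}
```

Run against the post's own examples, `Password1!` passes the composition rules and still scores 0, which is exactly the case the new prompt exists for; a random 12-character mix scores 4 because no pattern shortens the search.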

    Smarter Bot Protection on Sign-up

    Sign-up is where bots show up first.

    We've moved off the old invisible CAPTCHA and onto a smart variant that uses CDN-level signals to decide whether a sign-up attempt looks suspicious.

    If it does, the user gets a quick interactive challenge (typically a checkbox). If it doesn't, which is most of the time, the challenge stays out of the way.

    Less friction for real users, more for the scripted ones.

  • Throttle Step

    The new Throttle Step allows you to limit the frequency of a workflow execution for each subscriber within a specified time window. This will prevent duplicate or excessive notifications across all channels. You can use fixed or dynamic windows. Perfect for managing high-frequency alerts, cron jobs, or multi-project notifications.

    Author: Dima Grossman

    The new Throttle step in the Novu workflow editor allows you to limit the number of notifications a subscriber receives within a specified time frame, ensuring they receive the right amount, neither too many nor too few.

    When a trigger fires repeatedly (e.g., from cron jobs or high-frequency alerts), throttling ensures that subscribers don’t receive duplicate messages across any channel.


    You can now:

    • Configure throttling directly in the workflow editor.
    • Define Fixed or Dynamic throttle windows.
    • Limit executions by subscriberId or add a secondary grouping key from your payload (e.g., payload.projectId).
    • Prevent notifications from executing beyond your defined threshold (even for critical workflows).
    • Transparently control frequency across all channels (email, in-app, SMS, chat, push).

    Configuration options:

    • Fixed window: Set a predefined duration (e.g., “1 per hour”) with an execution threshold.
    • Dynamic window: Define flexible time ranges using trigger payloads (payload.throttleUntil or payload.customWindow).
    • Group throttling by: Combine subscriber and payload-level keys for granular control (e.g., per project or account).

    Learn more by visiting the Throttle Step documentation →
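The options above (fixed or dynamic window, execution threshold, subscriber plus an optional payload grouping key) compose into a small gate. What follows is an added example of that gate, not Novu's implementation: it keeps window state in memory (a real system persists it), reads the dynamic window end from `payload.throttleUntil` as an ISO-8601 timestamp (an assumed interpretation of that field), and does not model `payload.customWindow`. The subscriber ids, project ids and timelines are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional


@dataclass
class ThrottleConfig:
    threshold: int                         # executions allowed per window ("1 per hour" -> 1)
    window: Optional[timedelta] = None     # fixed window length; None means dynamic (from payload)
    group_key: Optional[str] = None        # optional payload field to group by, e.g. "projectId"
    until_key: str = "throttleUntil"       # payload field holding the dynamic window end (ISO-8601)


@dataclass
class _Window:
    end: datetime
    count: int


class ThrottleGate:
    """In-memory throttle for one workflow; each key is (subscriberId[, payload[group_key]])."""

    def __init__(self, config: ThrottleConfig) -> None:
        self.config = config
        self._windows: dict = {}

    def _key(self, subscriber_id: str, payload: dict) -> tuple:
        if self.config.group_key is None:
            return (subscriber_id,)
        # A missing group value is still throttled, in its own bucket, never merged silently.
        return (subscriber_id, payload.get(self.config.group_key))

    def _window_end(self, now: datetime, payload: dict) -> datetime:
        if self.config.window is not None:
            return now + self.config.window
        raw = payload.get(self.config.until_key)
        if raw is None:
            raise ValueError(f"dynamic window needs payload.{self.config.until_key}")
        end = datetime.fromisoformat(raw)
        if end.tzinfo is None:
            end = end.replace(tzinfo=timezone.utc)   # assume UTC for naive timestamps
        return end

    def allow(self, subscriber_id: str, payload: dict, now: datetime) -> bool:
        """True if this trigger may execute; False once the key has hit its threshold in the window."""
        key = self._key(subscriber_id, payload)
        win = self._windows.get(key)
        if win is None or now >= win.end:
            # First hit, or the previous window has elapsed: open a fresh window.
            self._windows[key] = _Window(end=self._window_end(now, payload), count=1)
            return True
        if win.count < self.config.threshold:
            win.count += 1
            return True
        return False


def demo_fixed_window() -> list:
    """'1 per hour' per subscriber, grouped by payload.projectId (constructed timeline)."""
    gate = ThrottleGate(ThrottleConfig(threshold=1, window=timedelta(hours=1), group_key="projectId"))
    t0 = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)
    return [
        gate.allow("sub_1", {"projectId": "A"}, t0),                          # True
        gate.allow("sub_1", {"projectId": "A"}, t0 + timedelta(minutes=10)),  # False: window still open
        gate.allow("sub_1", {"projectId": "B"}, t0 + timedelta(minutes=10)),  # True: other project
        gate.allow("sub_2", {"projectId": "A"}, t0 + timedelta(minutes=10)),  # True: other subscriber
        gate.allow("sub_1", {"projectId": "A"}, t0 + timedelta(minutes=61)),  # True: window elapsed
    ]


def demo_dynamic_window() -> list:
    """Window end supplied per trigger in payload.throttleUntil, threshold 2 (constructed timeline)."""
    gate = ThrottleGate(ThrottleConfig(threshold=2))
    t0 = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)
    until = (t0 + timedelta(minutes=30)).isoformat()
    later = (t0 + timedelta(hours=2)).isoformat()
    return [
        gate.allow("sub_1", {"throttleUntil": until}, t0),                          # True (1 of 2)
        gate.allow("sub_1", {"throttleUntil": until}, t0 + timedelta(minutes=5)),   # True (2 of 2)
        gate.allow("sub_1", {"throttleUntil": until}, t0 + timedelta(minutes=10)),  # False
        gate.allow("sub_1", {"throttleUntil": later}, t0 + timedelta(minutes=31)),  # True: new window
    ]


def demo_missing_until() -> str:
    """A dynamic config with no throttleUntil in the payload fails loudly rather than allowing everything."""
    gate = ThrottleGate(ThrottleConfig(threshold=1))
    try:
        gate.allow("sub_1", {}, datetime(2024, 1, 1, tzinfo=timezone.utc))
    except ValueError as exc:
        return str(exc)
    return "no error"
```

Two design points carry over regardless of implementation: the grouping key is part of the bucket identity (so `projectId: A` and `projectId: B` for the same subscriber never starve each other), and a dynamic window whose end is missing from the payload should be an error rather than a silent pass, since a throttle that quietly opens up is indistinguishable from no throttle at all.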

    Improvements (3)
    • Schemas now support null values for optional fields in workflows, ensuring executions no longer fail when data is intentionally unset.

    • Add support for excluding specific subscribers from topic-triggered workflow fanouts using an optional exclude array.

    • Add support for defining a custom display order of workflows in the Preferences UI, allowing prioritized workflows to appear at the top.

    Fixes (1)
    • fix(dashboard-ui): Unify and align all dashboard tables (Workflows, Subscribers, Topics, Topic Subscriptions) using the new OriginUI table component for consistent layout, pagination, and record visibility.