Federation vs passkeys
WebAuthn, aka passkeys, is a relatively new technology which allows you to leverage public/private key cryptography to authenticate users in web applications. WebAuthn was standardized in 2021.
Passkeys are the consumer term for this process because Apple. And, frankly, the term WebAuthn doesn’t mean much to normal people.
Passkeys are supported by a growing number of services; here’s a community-aggregated list.
Heather Flanagan, a standards maven, wrote about the difference between federated logins (to social providers like Apple and Google or enterprise providers like Okta and Azure AD) and passkeys.
Here’s an excerpt:
Federated login technology lets users access multiple services with a single set of credentials (using passwords), while users employ passkey technology to securely pair a device to an SP. If you expect your users to be coming from the same personally owned or corporate managed devices, then an environment that just uses passkeys is something you’ll want to explore. If you expect more shared devices (like a user population that connects via a public or university library) then you’ll want to be more on the spectrum of federated logins and using passkeys only for MFA.
The whole post is worth reading as you consider your authentication strategy. From a CIAM perspective, passkeys are gaining adoption, but are still far less accepted than federated logins.
Dan