Federated Logins vs. Passkeys: What’s the Difference?

Federated Logins vs. Passkeys: what’s the difference? If you have ever used a website or an app that requires you to sign in, you have probably encountered different methods of authentication. Some of them ask you to create a username and password, some of them allow you to log in with another service (such as Google or Facebook), and some of them use a device-specific credential called a Passkey. But what are the differences between these methods, and which one is better for your security and convenience? In this article, we will compare Federated Logins and Passkeys, two modern approaches to authentication that aim to replace passwords.

What Are Federated Logins?

Federated Login, also known as identity federation, or federated authentication, is a method that allows users to access multiple applications or services using a single set of credentials. For example, if you have a Google account, you can use it to log in to Gmail, YouTube, Google Drive, and other Google services without having to enter your password each time. You can also use your Google account to log in to third-party websites and apps that support Federated Login, such as Medium, Spotify, or Airbnb.

The main difference between Federated Logins and passwords is that Federated Logins do not store your actual credentials on the websites or apps you use. Instead, they rely on an identity provider (IdP), such as Google or Facebook, to manage your authentication. When you log in with an IdP, the website or app you use (called the service provider or SP) requests a token or assertion from the IdP that verifies your identity and grants you access. The IdP can also share some information about you with the SP, such as your name, email address, or profile picture.

What Are Passkeys?

Passkeys are a new type of digital credential based on public-key cryptography and FIDO standards. They are tied to a user account and a website or app. Passkeys allow users to authenticate without having to enter a username or password or provide any additional authentication factor. Instead, users can use their device’s screen lock, such as a fingerprint sensor, facial recognition, or PIN, to unlock their Passkey and sign in.

The main difference between Passkeys and passwords is that Passkeys are always strong and phishing-resistant. Unlike passwords, which can be weak, reused, stolen, or guessed by hackers, Passkeys are generated by cryptographic algorithms and stored securely on the user’s device. Passkeys work only on their registered websites and apps; a user cannot be tricked into authenticating on a deceptive site because the browser or operating system handles verification.

Are Logins With Passkeys Multi- or Single-Step Authentication?

The short answer is they can be both.

A passkey is a credential that combines something you have (your device) and something you know or something you are (your device’s PIN or biometric lock). Therefore, a passkey can meet multi-factor authentication requirements in a single step. However, you can also use a passkey along with another credential, such as a password or a federated login. This would provide an additional layer of security and convenience for the user.

For example, suppose you want to sign in to a website that supports both federated logins and passkeys. You can choose to use either one of them as your primary credential. If you use a federated login, such as your Google account, you can also use a passkey as a second authentication factor. This would require you to unlock your device with your screen lock after selecting your Google account. Alternatively, if you use a passkey as your primary credential, you can also use a federated login as a backup option. This would allow you to sign in with your Google account if you lose access to your device or your passkey.

In summary, a passkey is not always a single-step authentication. You can use it as a single multifactor credential or as a second authentication step depending on the website or app’s policy and the user’s preference. Moreover, you can use passkeys and federated identity in the same system, either together to form a stronger MFA login or one as the fallback method of the other.

Federated Logins vs. Passkeys: What’s the Difference?

The main difference between Federated Logins and Passkeys: For Federated Logins, credentials are stored on the IdP server. In contrast, credentials are stored on the user’s device for Passkeys. Another essential difference between Federated Logins and Passkeys is how they use cryptographic credentials to authenticate the user. Federated Logins use credentials to establish a trust relationship with an identity provider, which then provides a token or assertion to the service provider. Conversely, Passkeys use credentials to directly authenticate the user to the service provider, without involving an identity provider.

Comparing Federated Logins and Passkeys: Essential Differences

Other essential differences between Federated Logins and Passkeys:

• Federated Logins depend on the IdP policy for credential strength, whereas Passkeys are always strong regardless of any policy.
• The IdP does credential verification for Federated Logins, while the browser/OS does credential verification for Passkeys.
• Federated Logins allow credential sharing between SPs and IdPs, but Passkeys do not share any credentials with anyone.
• Credential recovery depends on the website/app policy for Passkeys. On the other hand, Federated Logins rely on the IdP policy for credential recovery.
• Federated Logins require users to click or tap to authenticate, but Passkeys require users to use their device’s screen lock or a FIDO security key to authenticate.
• Federated Logins are compatible with websites and apps that support the same IdP. Conversely, Passkeys are compatible with browsers and operating systems that support the same protocol.
• Depending on how you implement them, Federated Logins can offer a smooth or complex user experience. In comparison, Passkeys can offer a smooth user experience regardless of how you implement them.
• Federated Logins have a high or low user adoption depending on the popularity of the IdP. On the flip side, Passkeys have a low user adoption due to their novelty and unfamiliarity.
• Federated Logins have low or high user privacy depending on how much data they collect and share. In contrast, Passkeys have high user privacy because they do not collect or share any data.
• Depending on how secure the IdP is, Federated Logins offer high or low user security. Similarly, Passkeys have high user security because they are strong and phishing-resistant.

Federated Logins vs. Passkeys: Pros and Cons

Both Federated Logins and Passkeys offer advantages over passwords in terms of security and convenience. However, they also have some drawbacks and limitations that users should be aware of.

Federated Logins

Pros:

• You only need to remember one username and password for your IdP account
• You can access multiple services with one click or tap
• Avoid creating and managing multiple accounts on different websites and apps
• You can benefit from the security features of your IdP, such as encryption, two-factor authentication, or account recovery
• You can control what information you share with SPs through your IdP settings

Cons:

• Your authentication depends on your IdP; if your IdP account is compromised or unavailable, you may lose access to all the services you use with it
• You may not have full control over your privacy; some IdPs may collect and share more data about you than you want
• You may face compatibility issues; not all websites and apps support Federated Login with your preferred IdP
• You may encounter user experience problems; some websites and apps may require additional steps or verification when you use Federated Login

Passkeys

Pros:

• You don’t need to remember any username or password for any website or app
• Passkeys cannot be guessed, reused, or phished
• Passkeys do not rely on any IdP and do not share any information about you with the websites. Your device creates a unique pair of keys for each website you sign up with a Passkey. The keys are secret codes that only your device and the website know. The website gets the public key, which is different for each website. The public key does not reveal anything about you or your device. Even if two websites share their public keys, they cannot link them to the same user or device. This feature applies to Passkeys but not to Federated Logins. Federated Logins use a single identity provider (IdP) to authenticate you across multiple websites. The IdP knows who you are and can share some information about you with the websites you visit. The websites can also recognize that you are using the same IdP and potentially track your activity.
• High security without compromising convenience; Passkeys are strong and phishing-resistant by design
• You can switch devices seamlessly; once you create and register a Passkey, you can use it on any device that supports it without needing to re-enroll
• You can reduce costs for sending SMS or email verification codes; Passkeys can meet multi-factor authentication requirements in a single step

Cons:

• Your device is your authentication; you may lose access to your Passkey if you lose, damage, lock, or have your device stolen
• You may not have full compatibility; not all browsers and operating systems support Passkeys yet
• You may face user adoption challenges; Passkeys are relatively new and unfamiliar to most users
• You may encounter technical difficulties; Passkeys are based on complex cryptographic protocols that may have bugs or vulnerabilities
• You can save some types of Passkeys (like those on your phone) to your phone’s keychain and sync them to a cloud backup and other devices that you own. Theoretically, this reduces their security to the security of your cloud sync provider even if it has the advantage of easily restoring your Passkeys if you lose or break your phone. However, this disadvantage does not apply to all types of Passkeys. For example, passkeys on YubiKeys are not sharable/copyable. They are bound to the key and cannot be backed up.

Federated Logins vs. Passkeys: Comparison Table

Here is a table that compares some of the features of Federated Logins and Passkeys:

Feature	Federated Logins	Passkeys
Number of credentials	One for each IdP	One for each website/app
Credential storage	On the IdP server	On the user device
Credential strength	Depends on the IdP policy, the user’s choice, and behavior	Always strong
Credential verification	By the IdP	By the browser/OS, FIDO security, or platform
Credential sharing	Between SPs and IdPs	None
Credential recovery	Depends on the IdP policy	Depends on the website/app policy
Authentication method	Click or tap	Screen lock or FIDO security key
Compatibility	Depends on the SP and IdP support	Depends on the browser/OS and website/app support
User experience	Smooth or complex	Smooth
User adoption	High or low	Low
User privacy	Low or high	High
User security	High or low	High
User control	Low	High
User trust	Require more user trust.	Require less trust.

Comparing Federated Logins vs. Passkeys

If you are interested in a really in-depth comparison between federated logins and passkeys, we have just that ready for you!

Let us now deep-dive into each feature and see the Federated Logins vs. Passkeys comparison for each. We will also mention how passwords fit in all those.

If that’s too much text for you, we understand! So, here’s a tl;dr on Federated Logins vs. Passkeys:

TL;DR: Passkeys vs. Federated Logins

If you are tired of passwords, you have two better options: Federated Logins and Passkeys. Federated Logins let you use one password for many services, but you still have to remember and type it. Passkeys can free you from passwords altogether, and let you sign in with just a tap on your device. Federated logins store your password on a third-party server, which could be hacked or misused. In contrast, passkeys store only a public key on the service provider server, which is much safer and more private. In addition to that, Federated Logins depend on the third party to verify who you are, which could be slow or unreliable. Whereas Passkeys use your device’s screen lock or biometric sensor, which is fast and convenient.

Another key point is that Federated Logins share your personal information with other services, which could compromise your privacy. On the contrary, Passkeys sync only across your devices, which gives you more control. While Federated Logins work with most browsers and systems, they are not very secure or user-friendly. Passkeys do not find wide support yet. But Google Chrome and Android already support them.

All in all, Passkeys are the future of authentication. Therefore, if you want to enjoy a more secure, private, and convenient online experience, you should consider switching to passkeys as your preferred authentication method.

Number of credentials

This Passkeys vs. Federated Logins feature refers to how many credentials (such as usernames, passwords, email addresses, etc.) the user has to create and remember for different websites/apps.

• Federated Logins: The user has to create and remember one credential for each identity provider (IdP) they use. An IdP is a third-party service that provides authentication for different websites/apps, such as Google, Facebook, Twitter, etc. The user can use their IdP credential to log in to different websites/apps that support federated logins. This may result in a smaller number of credentials that are easier to manage and recall. However, some IdPs may allow users to link multiple accounts or identities under one credential, such as Google or Facebook. Similarly, some service providers (SPs) may allow users to link multiple IdPs under one account, such as GitHub or Stack Overflow. This may affect the number of credentials that the user has to create and remember.
• Passkeys: The user has to create and remember one credential for each website/app they use. However, unlike passwords, passkeys are not something that the user has to type or paste. Cryptographic algorithms generate Passkeys and store them on the user’s device. The browser/OS or a FIDO security key verifies them. The user can use their passkey to log in to different websites/apps that support passkeys. This may result in a large number of credentials that are easy to manage and recall.

How does this compare to passwords?

The user has to create and remember one credential for each website/app they use. This may result in a large number of credentials that are hard to manage and recall.

Credential storage

This Passkeys vs. Federated Logins feature refers to where the user’s credentials are stored and who has access to them.

• Federated Logins: The user’s credentials are stored on the IdP server. The user has to trust that the IdP will protect their credentials from unauthorized access or disclosure. The user also has to trust that the SP will respect their consent and preferences when requesting their credentials from the IdP. Some IdPs may also use password managers to store their credentials on a cloud service or a local database, which may have different levels of security and reliability.
• Passkeys: The user’s passkeys are stored on the user’s device. The user does not have to trust anyone but themselves to protect their passkeys from unauthorized access or disclosure. The user also does not have to share their passkeys with anyone but themselves. Some passkeys may also be device-bound and require a FIDO security key or platform to verify them, which may add an extra layer of security.

How does this compare to passwords?

The user’s passwords are either on the website/app server or on the user’s device. The website/app must protect the user’s passwords from unauthorized access or disclosure if they are on the server. One way to do this is storing salted hashes of passwords instead of cleartext passwords. If they are stored on the user device, the user has to protect their device from theft or loss. Some users may also use password managers to store their passwords on a cloud service or a local database, which may have different levels of security and reliability.

Credential strength

This Passkeys vs. Federated Logins feature refers to how strong and secure the user’s credentials are against various types of attacks, such as brute force, guessing, phishing, keylogging, etc.

• Federated Logins: The strength and security of federated logins depend on the IdP policy, the user’s choice, and behavior. Some IdPs may offer strong and unique credentials for different websites/apps, which may increase the user’s security. Some IdPs may also enable multi-factor authentication (MFA) for their credentials, which may add an extra layer of security. However, some IdPs may offer weak or reused credentials for different websites/apps, which may decrease the user’s security. Some users may also expose their credentials to third parties, such as hackers, phishing, keyloggers, etc., which may compromise their security.
• Passkeys: The strength and security of passkeys are always high because they are cryptographically generated and verified by the browser/OS or a FIDO security key. The user does not have to worry about password breaches, phishing, keylogging, brute force attacks, etc. The user can rely on their device or FIDO security key to verify their identity and authenticate themselves. The user can also revoke their passkeys if they lose their device or FIDO security key.

How does this compare to passwords?

The strength and security of passwords depend on the user’s choice and behavior. Some users may choose strong and unique passwords for different websites/apps, which may increase their security. However, some users may choose weak or reused passwords for different websites/apps, which may decrease their security. Some users may also expose their passwords to third parties. Passwords are weak if not bolstered with a second factor, such as a FIDO security key or Mobile Push.

Credential verification

This Passkeys vs. Federated Logins feature refers to how the user’s credentials are verified and who is responsible for verifying them.

• Federated Logins: The user’s credentials are verified by the IdP that they use. The user has to trust that the IdP will provide a secure and reliable verification service for their credentials. The user also has to trust that the IdP will not misuse or abuse their credentials. Further, the SP has to trust that the IdP will provide a valid and authentic verification service for the user’s credentials. Moreover, the SP also has to respect the user’s consent and preferences when requesting their credentials from the IdP.
• Passkeys: The user’s passkeys are verified by the browser/OS or a FIDO security key that they use. The user does not have to trust anyone but themselves to verify their passkeys. Similarly, the user does not need to share their passkey with anyone else. The website/app has to trust that the browser/OS or the FIDO security key will provide a valid and authentic verification service for the user’s passkeys. The website/app also has to respect the user’s choice and privacy when requesting their passkeys from them.

How does this compare to passwords?

The user’s passwords are verified by the website/app that they use. The user has to trust that the website/app will provide a secure and reliable verification service for their passwords. The user also has to trust that the website/app will not misuse or abuse their passwords.

Credential sharing

This Passkeys vs. Federated Logins feature refers to how much and with whom the user’s credentials are shared.

• Federated Logins: The user’s credentials are shared between SPs and IdPs. The user has to grant permission to the SPs and IdPs to access and use their credentials for authentication purposes. Some users may prefer this because it reduces the number of credentials they have to create and remember. However, some users may dislike this because it increases the risk of credential compromise or misuse.
• Passkeys: The user’s passkeys are not shared with anyone. The user can store their passkeys on their device and verify them with their browser/OS or FIDO security key. The user does not have to grant permission to anyone to access or use their passkeys for authentication purposes. Some users may prefer this because it increases their privacy and security. However, some users may dislike this because it limits their device compatibility.

How does this compare to passwords?

The user’s passwords are not shared with anyone unless they choose to do so. Some users may choose not to share their passwords with anyone, which may increase their privacy and security. However, some users may choose to share their passwords with other websites/apps or third parties, such as password managers, autofill, autocomplete, etc., which may decrease their privacy and security.

Credential recovery

This feature refers to how the user can recover their credentials if they forget or lose them.

Some websites/apps may offer easy and convenient ways for the user to recover their credentials, such as email confirmation, phone verification, security questions, etc. However, some websites/apps may provide difficult ways for the user to recover their passwords, or even no recovery option at all. This feature is largely dependent on the IdP/website/app policy.

Authentication method

This Passkeys vs. Federated Logins feature refers to how the user authenticates themselves to the website/app using their credentials.

• Federated Logins: The user authenticates themselves by clicking or tapping on their preferred IdP on the website/app. This may be easy and fast for the user, especially if they are already logged in to their IdP. The user may also have to enter a captcha or a second factor of authentication, such as a code or a token, which may add more steps and time to the authentication process.
• Passkeys: The user authenticates themselves by unlocking their device or using their FIDO security key on the website/app. This may be easy and fast for the user, especially if they use biometric authentication, such as fingerprint or face recognition. The user does not have to enter a captcha or a second factor of authentication, which may reduce the steps and time of the authentication process.

How does this compare to passwords?

The user authenticates themselves by typing or pasting their password into a text field on the website/app. This may be tedious and error-prone for the user, especially if they have to enter long or complex passwords.

Compatibility

This Passkeys vs. Federated Logins feature refers to how compatible the authentication method is with different devices, browsers, operating systems, websites/apps, etc.

• Federated Logins: The compatibility of federated logins depends on the SP and IdP support. Some SPs and IdPs may not support federated logins as an authentication option, which limits the user’s choice and experience. Some SPs and IdPs may also have different levels of integration and interoperability, which may affect the user’s experience and security.
• Passkeys: The compatibility of passkeys depends on the browser/OS and website/app support. Some browsers/OSs may not support passkeys as an authentication method, which limits the user’s device compatibility. Some websites/apps may not implement or enable passkeys as an authentication option, which limits the user’s choice and experience.

How does this compare to passwords?

The compatibility of passwords is high or low depending on various factors. Some websites/apps may have different password policies and requirements, such as length, complexity, expiration, etc., which may affect the user’s security. Some devices, browsers, operating systems, etc., may have different features and functions that support or hinder password management and entry, such as autofill, autocomplete, keyboard layout, etc., which may affect the user’s experience.

User experience

This Passkeys vs. Federated Logins feature refers to how easy and enjoyable it is for the user to use the authentication method.

• Federated Logins: The user experience of federated logins may be smooth or complex depending on various factors. The user experience of federated logins may be smooth because the user only has to click or tap on their preferred IdP to log in to different websites/apps. This may be easy and convenient for the user, especially if they are already logged in to their IdP. However, some factors may make the user experience of federated logins complex. These factors include account linking, consent screens, redirections, etc.
• Passkeys: The user experience of passkeys may be smooth because the user only has to unlock their device or use their FIDO security key to log in to different websites/apps. The user does not have to remember, type, paste, manage, or update any passwords. This may be easy and convenient for the user, especially if they use biometric authentication, such as fingerprint or face recognition.

How does this compare to passwords?

The user experience of passwords may be complex or smooth depending on various factors. The user experience of passwords may be complex because the user has to remember, type, paste, manage, and update multiple passwords for different websites/apps. This may be tedious and frustrating for the user, especially if they forget or lose their passwords. However, some tools and techniques may make the user experience of passwords smoother, such as password managers, autofill, autocomplete, etc.

User adoption

This Passkeys vs. Federated Logins feature refers to how widely and frequently the user uses the authentication method.

• Federated Logins: The user adoption of federated logins is high or low depending on various factors, such as user preference, awareness, education, trust, convenience, privacy, security, etc. Some users may prefer federated logins over passwords because they are easier and faster to use. However, some users may avoid federated logins due to privacy or security concerns.
• Passkeys: The user adoption of passkeys is low because they are relatively new and unfamiliar to most users and websites/apps. However, some studies have shown that users are interested in and willing to use passkeys as an alternative to passwords, especially if they are easy to use and secure. Nevertheless, some barriers and challenges prevent the widespread adoption of passkeys, such as lack of awareness, education, standardization, and interoperability. Moreover, signing in with passkeys is a feature that not too many websites, apps, and services offer. Passkeys.directory is an index of them.

How does this compare to passwords?

The user adoption of passwords is high because they are widely used and accepted as the default authentication method for most websites/apps. However, some users may be dissatisfied with passwords due to their complexity and insecurity.

User privacy

This Passkeys vs. Federated Logins feature refers to how much the user’s personal data and online activity are protected from unauthorized access or disclosure.

• Federated Logins: The user privacy of federated logins is low or high depending on how the user, the SP, and the IdP handle and protect the user’s credentials and personal data. Some SPs and IdPs may collect, store, or share the user’s credentials and personal data in an insecure or unethical way, which may compromise the user’s privacy. Some users may also grant excessive or unnecessary permissions to the SPs and IdPs, which may compromise their privacy.
• Passkeys: The user privacy of passkeys is high because the user does not have to share their credentials or personal data with anyone. The user can store their credentials on their device and verify them with their browser/OS or FIDO security key. The user can also choose which websites/apps to use passkeys with.

How does this compare to passwords?

The user privacy of passwords is low or high depending on how the user and the website/app handle and protect the passwords and personal data. Some websites/apps may collect, store, or share the user’s passwords and personal data in an insecure or unethical way, which may compromise the user’s privacy. Some users may also expose their passwords and personal data to third parties, such as hackers, phishing, keyloggers, etc., which may compromise their privacy.

User security

This Passkeys vs. Federated Logins feature refers to how much the user’s credentials and online activity are protected from unauthorized access or modification.

• Federated Logins: The user security of federated logins is high or low depending on how the user, the SP, and the IdP handle and protect the user’s credentials and authentication process. Some SPs and IdPs may use strong or weak encryption or hashing algorithms to protect the credentials, which may affect the user’s security. Some users may also enable or disable MFA or biometric authentication for their IdPs, which may affect their security.
• Passkeys: Passkeys offer high user security because they eliminate the risks of password breaches, phishing, keylogging, brute force attacks, and other threats. The user can trust their device or FIDO security key to confirm their identity and sign in. The user can also cancel their passkeys if they misplace their device or FIDO security key.

How does this compare to passwords?

The user security of passwords is low or high depending on how the user and the website/app handle and protect the passwords. Some websites/apps may use weak or outdated encryption or hashing algorithms to protect the passwords, which may compromise the user’s security. Some users may also use weak or reused passwords for different websites/apps, which may compromise their security.

User control

This Passkeys vs. Federated Logins feature refers to how much control the user has over their credentials and authentication process.

• Federated Logins: The user control of federated logins is low because the user depends on the IdP for credential storage, verification, recovery, and sharing. The user has little or no control over how the IdP handles and protects their credentials and personal data. The user also has to trust the SP to respect their consent and preferences.
• Passkeys: The user control of passkeys is high because the user can store their credentials on their device and verify them with their browser/OS or FIDO security key. The user has full control over how they handle and protect their credentials and personal data. The user also does not have to share their credentials with anyone.

How does this compare to passwords?

The user control of passwords is low or high depending on how much control the user has over their passwords and the authentication process. Some websites/apps may impose strict or lax password policies and requirements, which may limit or expand the user’s control. Some users may also delegate or retain their password management to third parties, such as password managers, autofill, autocomplete, etc., which may affect their control.

User trust

This Passkeys vs. Federated Logins feature refers to how much trust the user has in the authentication method and the parties involved.

• Federated Logins: The user has to trust the IdP and the SP to protect their credentials and personal data. Also, the user has to trust that the IdP will provide a secure and reliable authentication service for different websites/apps. Finally, the user also has to trust that the SP will respect their consent and preferences. All in all, Federated Logins require a lot of trust from the user.
• Passkeys: The user does not have to trust anyone but themselves. The user can rely on their device or FIDO security key to verify their identity and authenticate themselves. Of course, the user does not have to share their credentials with anyone.

How does this compare to passwords?

The user trust of passwords is low or high depending on how much trust the user has in the website/app and their password management tools and techniques. Some websites/apps may have poor or good reputations and track records in protecting the passwords and personal data of their users, which may affect the users’ trust. Some users may also trust or distrust their password managers, autofill, autocomplete, etc., which may affect their trust.

Interested in Passkeys? Sign Up Here!

Support for Passkeys is on the Rublon Product Roadmap.

If you are interested in multi-factor authentication (MFA) with Passkeys, let us know and we’ll inform you once this feature is available.

Summing Up Passkeys vs. Federated Logins

Federated Logins and Passkeys are two modern alternatives to passwords that aim to improve the security and convenience of online authentication. Both methods have their strengths and weaknesses, and users should choose the one that best suits their needs and preferences. However, it is also possible to use both methods together, depending on the website or app. For example, you can use a Federated Login with a Passkey as a second factor, or you can use a Passkey with a Federated Login as a backup option. Ultimately, the goal is to move away from passwords and towards more user-friendly and secure authentication solutions.