Comparing Federated Logins and Passkeys: Which One Fits Your Needs?

(Spoiler Alert: the answer might be “both”!)

This is a slightly technical article trying to capture how two different types of authentication mechanisms, federated login and passkeys, compare. Despite how similar they might look to the user because of the design of the login page, they are ultimately quite different things!

When websites require you to log in, you often have a few options in how that works.

1. You can use a username and password (and MFA!) that you’ve established for that website in the past.
2. You can use a federated login where you log into another service (e.g., using Google or university or employer account).
3. You can use a credential that’s local to your device called a passkey.

So, from an individual’s perspective, there isn’t much of a difference. The website asks you for information, you provide it, and if it matches what they expect, you get access. The underlying technology does not matter.

Except it does.

Beyond the Basics of Modern Login Techniques

Each login method possesses distinct strengths and weaknesses that determine how easily someone can track your activity on the web or hack your accounts. Moreover, you can mix and match these techniques based on your use case. You can have federated authentication using passkeys to log in. Or, you can use a passkey as a second authentication factor (a la MFA) along with a password. At the end of the day, you get to ask “what problem are you trying to solve?”

Now, all that said, if you are looking for a checklist of what to do, when to do it, and how to do it, this post is going to be Very Disappointing. Instead, I’m aiming for improving your understanding regarding what federated login and passkeys even look like. We’re not going to talk about basic username/password combinations and how horrible those are for any use case requiring a decent level of security; there’s been plenty written about that. 

Federated Logins

Federated login, also known as Single Sign-On (SSO), Identity Federation, or Federated Authentication, is a method that allows users to access multiple applications or services using a single set of credentials. “In a federated system, an identity provider (IdP) manages a user’s authentication, authenticates the user, and provides a token or assertion to the service providers (SPs) without revealing the user’s actual credentials. Users can then access various services without recalling separate usernames and passwords for each service. The IdP can also add information such as “this individual affiliates with this organization.” Sometimes, this affiliation data becomes the deciding factor, and the individual cannot independently assert and be believed.”

Characteristics of Federated Authentication

What are the benefits of federated login? Here are some examples:

• It is familiar to the individual and looks a lot like usernames and passwords, but with a lot more infrastructure underneath.
• There are fewer passwords for the individual to remember (they can keep coming back to just the one).
• It is possible, with a bit more infrastructure, to give the individual control over what information is released to the SP. 

That said, some people do have serious concerns about federated logins:

• There is the concern that the IdP can see what SPs the individual has logged in to; that means the IdP can track your access/behavior (which isn’t always a bad thing, especially in enterprise settings, but it still makes people anxious).
• Some perceive a risk of too many “eggs” (aka, access to many services across a variety of vendors through a single account) under one umbrella.

So, to summarize the key characteristics of federated login technology:

• Centralized authentication: User credentials are managed by the identity provider.
• Identity propagation: The identity provider shares an authentication token with service providers, allowing seamless access.
• Single set of credentials: Users use a single username and password (or other authentication methods) across multiple services.
• Enhanced user experience: Users only need to log in once to access multiple services.

Brilliant! Now let’s look at the new kid on the block, passkeys.

Passkeys

You may not have experienced passkeys yet, though you almost certainly will in the coming year. (You can see a community-maintained list of what companies are supporting passkeys these days here.) So, what makes passkeys so special? Well, from the individual’s perspective, they look like magic because no password is required, ever.

Backing up a bit, though, what are passkeys? Passkeys are a mechanism that allow users to sign in to apps and websites with a biometric sensor (such as a fingerprint or facial recognition), PIN, or pattern, without the need for a password. The technology behind passkeys have been standardized within the FIDO Alliance, a standards organization that’s all about secure authentication mechanisms.

Passkey technology is perfect for several use cases. The commercial web, land of social media giants, is one great opportunity for passkeys. Because a passkey is tied to an individual’s device (like their phone, tablet, or computer, though they can share that passkey between their devices) they are not reliant on an IdP for anything.

Passkey Magic

So many benefits, so little time:

• The SP doesn’t save any private authentication information on their servers; they only save a public key. That means if the SPs servers are compromised, the important technical bits that a hacker would need to then log into other SPs as if they were the individual aren’t available. 
• Phishing attacks, which are even a thing when using MFA, are also thwarted when using passkeys. Google’s article on passkeys explains: “Passkeys work only on their registered websites and apps; a user cannot be tricked into authenticating on a deceptive site because the browser or OS handles verification.”
• Passkeys are so very, very easy for individuals to use! No password to remember, and yet under the screen is a more secure environment. (I did say this was like magic!)

Of course, there is no such thing as a perfect solution. If you really want to geek out over the benefits AND risks of passkeys, I highly recommend you watch Dean Saxe’s session from Identiverse 2023, “Thinking Differently About Passkeys – New Threats Require a New Threat Model.” (Recording is here, slides are here, and there is no paywall to jump through. w00t!)

Wrap up

Federated login technology lets users access multiple services with a single set of credentials (using passwords), while users employ passkey technology to securely pair a device to an SP. If you expect your users to be coming from the same personally owned or corporate managed devices, then an environment that just uses passkeys is something you’ll want to explore. If you expect more shared devices (like a user population that connects via a public or university library) then you’ll want to be more on the spectrum of federated logins and using passkeys only for MFA. 

Passkeys and federated authentication serve different—and sometimes complementary!— purposes and often operate in different contexts. Both contribute to enhancing security and user convenience in their respective domains. Your call to action here is to become familiar with when and how they are used, and to work within your organization to figure out what suits your needs. Because remember, friends don’t let friends continue with local usernames and passwords. 

Thank you for reading my post! Please leave a comment if you found it useful. If you’re interested in starting your own blog or improving your writing, check out The Writer’s Comfort Zone.

If you’d like to have me on a podcast or webinar, my media kit is available for your reference.