Open Source WebAuthn and FIDO2 Authentication: Authgear vs Keycloak vs Hanko for Passkey-First Apps

The future of authentication is passwordless, and the technologies leading the charge are WebAuthn, FIDO2, and the user-friendly abstraction known as passkeys. For developers building modern applications, offering phishing-resistant, biometric-powered login is no longer a luxury—it's a competitive necessity. While SaaS solutions provide a quick entry point, many development teams turn to open-source platforms for greater control, flexibility, and long-term cost predictability.

This developer-focused guide dives into the world of open-source passkey authentication. We'll explore why open-source is a compelling choice, compare the approaches of leading platforms like Authgear and Keycloak, and provide a framework for choosing the right solution for your passkey-first application.

Why Choose Open Source for WebAuthn and Passkeys?

Adopting passkeys involves more than just calling a browser API. It requires a robust backend infrastructure to manage public key credentials, handle complex authentication ceremonies, and integrate with existing user models. While SaaS platforms handle this for you, an open-source solution offers distinct advantages for developers:

• Full Control and Transparency: With open source, you have complete visibility into the code. You can see exactly how cryptographic challenges are generated, how credentials are stored, and how security policies are enforced.
• Ultimate Customization: You are not limited by a vendor's pre-defined workflows. Open-source platforms allow you to deeply customize the user experience, from the registration flow to the UI of the authentication prompts.
• Data Sovereignty: Self-hosting gives you full control over where sensitive public key credential data is stored, a critical requirement for meeting data residency laws like GDPR.
• No Vendor Lock-In: Building on an open-source stack ensures you are not tied to a single company's ecosystem. You are free to modify, extend, or migrate your solution as your needs evolve.
• Predictable, MAU-Free-Pricing: Open-source software eliminates the often-unpredictable costs associated with per-user pricing, making it a cost-effective choice for applications expecting large-scale user growth.

The Core Technology: WebAuthn, FIDO2, and Passkeys

Before comparing platforms, it's essential to understand the key terms:

• FIDO2: A set of standards from the FIDO Alliance that enables passwordless authentication. It's the overall project.
• WebAuthn: The JavaScript API and browser component of FIDO2. It allows web applications to perform public-key-based authentication.
• Passkeys: A consumer-friendly term for a FIDO credential that is discoverable and synchronized across a user's devices (e.g., via iCloud Keychain or Google Password Manager). This multi-device nature is what makes them a viable replacement for passwords.

An open-source identity platform's job is to provide the server-side implementation that handles the WebAuthn ceremonies: registering credentials, issuing challenges, and verifying signatures.

Comparing Open-Source Passkey Platforms: Authgear vs. Keycloak

While many open-source options exist, Authgear and Keycloak are two of the most prominent, each with a different philosophy that appeals to different development teams.

Authgear: The Modern, Developer-First Approach

Authgear is a lightweight, modern open-source identity platform designed for developers who need to move quickly without sacrificing security or flexibility.

• Passkey-Native Design: Authgear treats passkeys as a primary authentication method. Its capabilities include first-class support for passwordless login using WebAuthn.
• Ease of Integration: It is built with a developer-first mindset, offering a streamlined setup. It can be deployed quickly via Docker, making it easy to get a full-featured authentication service running in minutes.
• Flexible Deployment: Authgear supports both self-hosted (on-premise or private cloud) and managed cloud deployment, allowing teams to start with a managed service and migrate to self-hosted as they scale.
• Comprehensive MFA: Beyond passkeys, Authgear includes built-in support for a wide range of MFA factors, including TOTP authenticator apps and OTPs via SMS or WhatsApp, allowing for flexible security policies.

Best for: Developers and teams who prioritize speed of implementation, a modern developer experience, and a flexible platform that supports both simple and complex use cases. Its straightforward architecture is ideal for new projects or for teams wanting to add passkeys to existing apps without the overhead of a heavy enterprise solution.

Keycloak: The Feature-Rich Enterprise Powerhouse

Keycloak is a mature, extremely powerful open-source IAM solution backed by Red Hat. It is a go-to choice for large enterprises that need extensive features and deep integration with legacy systems.

• WebAuthn Support: Keycloak’s WebAuthn support provides a foundation for passwordless authentication.
• Deep Customization: It offers immense flexibility through its Service Provider Interface (SPI), allowing developers with Java expertise to customize almost every aspect of its functionality.
• Enterprise Integrations: Keycloak excels at integrating with existing enterprise environments, with strong support for LDAP, Active Directory, and Kerberos.
• Complex Identity Scenarios: Its concept of "realms" makes it well-suited for complex multi-tenant applications and managing intricate user hierarchies.

Best for: Large organizations with dedicated infrastructure teams and complex enterprise requirements. If you need deep integration with existing Java-based systems or have convoluted identity federation scenarios, Keycloak's power and maturity are hard to beat. However, this power comes at the cost of increased complexity in both setup and maintenance.

What About Hanko?

While not covered in the source documents for this analysis, platforms like Hanko are also notable in the open-source FIDO2 space. They often focus purely on passkey-first authentication, providing a more specialized, lightweight solution compared to full-suite IAM platforms like Authgear or Keycloak. This can be an excellent choice for developers who want to add only passkey functionality to an existing system, rather than adopting a complete identity provider.

Key Considerations for Your Passkey-First App

When choosing an open-source platform for WebAuthn, consider the following:

1. Ease of Setup and Maintenance: How quickly can you get a production-ready system running? What is the operational overhead? (Advantage: Authgear)
2. Developer Experience: Are the APIs and documentation clear and modern? How easy is it to integrate with your application stack? (Advantage: Authgear)
3. Flexibility vs. Complexity: Do you need the immense, fine-grained power of a solution like Keycloak, or does a more streamlined, modern platform meet your needs?
4. Ecosystem and Community: A larger, more active community means more resources, tutorials, and third-party integrations. (Advantage: Keycloak)
5. Beyond Passkeys: Do you need a complete IAM solution that also handles traditional passwords, social logins, MFA, and enterprise federation? (Both Authgear and Keycloak provide this).

Conclusion

The shift to passkey-first authentication is happening now, and open-source platforms offer a powerful path for developers to embrace this future without being tied to a SaaS vendor.

For teams seeking a modern, fast, and flexible solution, Authgear stands out. It provides robust, built-in support for passkeys and WebAuthn within a lightweight, developer-friendly platform that is easy to deploy and manage. It strikes an excellent balance between powerful features and ease of use.

For large enterprises with deep Java expertise and complex legacy integration needs, Keycloak remains a formidable and feature-rich choice.

Ultimately, the right decision depends on your team's resources, your application's architecture, and your long-term goals. By starting with an open-source, standards-based approach, you retain the flexibility to build secure, phishing-resistant authentication that will scale with your user base for years to come.

Explore Authgear on GitHub to get started with open-source passkey authentication today.