Authentication in Openlane
Openlane gives organizations flexible and secure ways to authenticate users, ranging from developer-friendly options to enterprise-grade SSO. This page provides a high-level overview of the methods we support and when to use each.
| Method | Best For | Pros | Considerations |
|---|---|---|---|
| SSO (Single Sign-On) | Organizations needing centralized access control, easy onboarding/offboarding | Centralized identity management; enforce MFA, password policy, conditional access; automatic provisioning/de-provisioning via SCIM (if IdP supports) | Requires admin setup in IdP; may require extra configuration for group/role claims |
| Passkeys (WebAuthn) | Security-focused teams wanting strong, phishing-resistant authentication | Phishing-resistant; no shared secret to leak; works across browsers and devices | Users must have at least one enrolled device or hardware key; recommended to set up a backup passkey; requires manual user management |
| Social Login | Small teams, contractors, open-source contributors | No password to manage; uses trusted provider MFA settings | Limited control over user lifecycle (must remove users manually if they leave your company) |
| Credentials (Password) | Legacy scenarios or fallback when other methods are unavailable | Universal and simple | Not recommended (weakest security posture); encourage MFA or migration to passkeys/SSO |