Passkeys are quickly becoming the new standard for secure, passwordless authentication offering better UX, stronger security and lower costs compared to SMS or authenticator-based MFA. With big tech (Apple, Google and Microsoft) backing the technology, passkey adoption is accelerating across industries.

But implementing passkeys is one thing. Driving actual user adoption - especially in large-scale, enterprise environments - is another.

That’s where solutions like Amazon Cognito and Corbado come in. While both offer passkey capabilities, they’re built for different use cases. In this post, we’ll break down the following questions:

1. What are the key differences between Corbado Passkeys vs Cognito Passkeys?
2. When should you use Corbado Passkeys and when rather use Cognito Passkeys?
3. How can you increase the passkey user adoption if your IdP is Amazon Cognito?

Moreover, we’ll outline how Corbado’s Enterprise Passkey Platform works on top of AWS Cognito.

Passwords are the weakest link in most authentication flows: they’re reused, phished and forgotten. Even traditional MFA (like SMS or authenticator apps) introduces friction and cost, especially at scale when you’re dealing with millions of users).

Passkeys, based on the WebAuthn and FIDO2 standards, solve these issues:

• Phishing-resistant: Passkeys can’t be entered on fake websites.
• Faster logins: No codes, no password reset flows – just use Face ID or Touch ID.
• Lower support costs: Fewer password resets, fewer login issues.
• Better user experience: if implemented right, passkeys increase conversion rates and retention.

But passkeys aren’t just a plug-and-play feature, especially for large user bases. They require thoughtful integration and UX design to truly drive adoption and deliver value.

Amazon Cognito introduced support for passkeys (WebAuthn / FIDO2) in November 2024, allowing developers to add passwordless login via biometric authenticators such as Face ID, Windows Hello or hardware security keys (e.g. YubiKeys).

AWS Cognito handles basic passkey registration and authentication. It’s optimized for usage via Cognito’s Hosted UI / Managed Login. If you don’t use the Hosted UI / Managed Login, there’s significant effort you need to put get passkeys to work via Cognito as your identity provider.

The WebAuthn ceremonies are managed by Cognito internally. Cognito has the following characteristics in regard to WebAuthn server modification:

• The PublicKeyCredentialCreationOptions and PublicKeyCredentialRequestOptions are abstracted away - developers can't customize them.
• Passkeys are linked to a user’s Cognito sub (unique User ID).
• FIDO metadata is stored and managed inside the Cognito user pool - developers don’t interact with raw credentials.

Amazon Cognito PublicKeyCredentialCreationOptions:

{
    "attestation": "none",
    "authenticatorSelection": {
        "residentKey": "required",
        "userVerification": "required"
    },
    "challenge": "_nv4xozlsmeyXlbpDL2rhA",
    "excludeCredentials": [],
    "pubKeyCredParams": [
        {
            "alg": -7,
            "type": "public-key"
        },
        {
            "alg": -257,
            "type": "public-key"
        }
    ],
    "rp": {
        "id": "eu-central-1stube6mkt.auth.eu-central-1.amazoncognito.com",
        "name": "eu-central-1stube6mkt.auth.eu-central-1.amazoncognito.com"
    },
    "user": {
        "displayName": "vincent.delitz@corbado.com",
        "id": "NzM5NGI4YTItMjAwMS03MDdlLTRjNzgtZDZjMzliNjY4NjFl",
        "name": "vincent.delitz@corbado.com"
    }
}

The Relying Party ID here is eu-central-1stube6mkt.auth.eu-central-1.amazoncognito.com but can modified in the Cognito settings. As WebAuthn user.id Cognito does not use the internal Cognito User ID but instead another unique value.

Amazon Cognito PublicKeyCredentialRequestOptions:

{
    "allowCredentials": [
        {
            "id": "KckRxRA_1S7IscxX1qiseHygvKU",
            "transports": ["hybrid", "internal"],
            "type": "public-key"
        },
        {
            "id": "W50i_-WwK8zlovW7r81Pg09FudY",
            "transports": ["internal"],
            "type": "public-key"
        }
    ],
    "challenge": "4II_qZp281jnGVDmwloEPg",
    "rpId": "eu-central-1stube6mkt.auth.eu-central-1.amazoncognito.com",
    "userVerification": "required"
}

Here, you can see that Cognito makes active use of the allowCredentials array to list all the existing passkeys of a user.

From a user perspective, AWS Cognito only offers the separate passkey button approach. This means the user has to deliberately click on the “Continue” button that triggers the passkey login to start. This good for account enumeration protection, however, has a bad user experience as users will keep on using their password as they don’t change existing behavior easily. In contrast, better UX and higher passkey adoption can be achieved with an automatic start of the passkey authentication process after providing the identifier. This would result also in a higher login rate for passkeys.

If you're not using Cognito’s Hosted UI or Managed Login, implementing passkeys becomes significantly more complex. You need to manually handle WebAuthn ceremonies, securely manage credentials, and ensure fallback logic for unsupported devices.

This is especially painful in custom frontend applications, where Cognito’s SDKs don’t offer out-of-the-box passkey orchestration.

Amazon Cognito passkeys are very limited in their supported passkeys / WebAuthn features. At this stage, Cognito offers only to create a passkey and use one to log in. The following things are currently a constraint.

• Limited Visibility & Analytics: No analytics on registration success, drop-off rates or which devices/browsers support WebAuthn.
• No Conditional UI: In the Hosted UI / Managed Login, the browser's passkey autofill (i.e. mediation: "conditional") is not supported, which means no passkey login prompt without a user click.
• No Customization: You can’t really change the passkey UI and messaging. Also, the error handling doesn’t provide real insights for users.
• No Passkey Intelligence: It’s a very simple passkey implementation that doesn’t have any intelligence that one would require to log in hundreds of thousands of users with different devices. It’s clear that passkey adoption was not a target when developing the Cognito passkey offering.

If you're using Cognito for custom frontend passkey login, be prepared for limited flexibility - especially when it comes to fallback handling, registration UX, and analytics.

Cognito’s passkey support is a good choice if:

• You're building a new app and plan to use other authentication methods from Cognito as well.
• You don't need custom UX, branding or progressive enhancement.
• You want to get started quickly and are okay with a manual “Sign in with passkey” button.
• You don’t need a high passkey adoption.

Cognito doesn’t address passkey adoption. Users need to manually register and opt in. There’s no fallback intelligence, no A/B testing and no insight into what works and what doesn't.

Let’s assume for a regular web application the following device share based on observed traffic:

When predicting the passkey adoption with our internal tools, the outcome after 36 months predicts a passkey login rate of 1.4% (no Conditional UI):

If you're managing:

• Large existing user bases
• Custom frontends (React, Angular, etc.)
• Complex login flows (fallbacks, conditional logic)
• High adoption or ROI targets

…Cognito alone likely won’t be enough.

Subscribe to our Passkeys Substack for the latest news.

Subscribe

While Cognito offers basic passkey functionality, Corbado focuses on optimizing passkey adoption, UX and large-scale deployment, especially in environments where custom frontends and millions of existing users are involved.

Corbado is not an Identity Provider (IdP). Instead, it sits on top of your existing authentication system - like Amazon Cognito, Keycloak, Azure AD B2C, Duende IdentityServer or even a custom backend - and provides a passkey orchestration layer designed to drive real-world passkey adoption.

Corbado handles the full passkey lifecycle - registration, authentication, passkey discovery, fallback logic and passkey intelligence - while integrating into a custom frontend via frontend UI components. The backend is connected via SDKs and secure backend-to-backend calls.

Corbado includes the following main features:

• Enterprise Gateway (Enterprise WebAuthn Server): Corbado's enterprise-grade WebAuthn server is optimized for high availability and passkey management while providing connectors to your IdP / CIAM.
• Components & SDKs (Ready-Made UI Kits & Passkey UX): Leverage our ready-to-use frontend components and SDKs to quickly integrate passkey authentication in your CI without reinventing the wheel.
• Analytics & Tracking (Passkey Adoption & Activation Data): Corbado monitors key metrics that determine your passkey deployment's success - incl. adoption, activation & login rates - to help you optimize performance.
• Login Observability (Analyze & Optimize Login Paths): Understand how users log in and where bottlenecks occur. Corbado collects hundreds of signals per login to help you analyze and optimize the user journey.
• Adoption Accelerator (Get 10x Higher Passkey Adoption): True passkey adoption requires users to create and use their passkeys. Corbado is built to maximize both passkey creation and usage.
• Gradual Rollout (Roll out Passkeys the Riskless Way): Corbado enables staged rollouts (e.g. by device type or user cohort), A/B testing, and risk-free deployment - ideal for large user bases.

Cognito implements passkeys. Corbado optimizes them.

This is one of our key learnings from real-world passkey deployments.

Corbado actively drives adoption through:

• One-tap login flows: Automatically invoke passkey login after email input using stored metadata.
• Inline passkey registration: Seamless prompts after login or during onboarding - no detour to account settings.
• Smart fallback logic: If a device doesn’t support passkeys or none is registered, Corbado automatically reverts to password/SMS with clear guidance.
• Analytics & recovery insights: View passkey usage, drop-off points, error reasons, and recovery flows.
• Passkey Intelligence: Leverage millions of collected data points and signals across device, OS, browser, user, passkey and meta data to determine if a passkey can pushed.

Corbado is a fit if you:

• Have a custom frontend and don’t use Cognito’s Hosted UI / Managed Login.
• Manage millions of users and want to avoid user migration but still want to offer passkeys to them in an enterprise-friendly way.
• Need enterprise-grade control over UX, fallback behavior and analytics.
• Want to reduce MFA costs (e.g. SMS OTP) while improving login speed and security.

Using the same passkey adoption tool and operating system share as above, for the same device and application data, we can predict a passkey login rate of 47.5% after 36 months:

Become part of our Passkeys Community for updates & support.

Join

Cognito and Corbado both support passkeys but they solve very different problems. Below is a breakdown of the most important distinctions across architecture, developer control, user experience and enterprise-readiness.

Cognito is a good fit for general-purpose identity provider (IdP), especially fits in small to medium-sized deployments that don’t require integration with existing user bases. Cognito focuses on helping developers authenticate users via passkey login, typically in standalone applications.

Corbado Passkeys are a better fit for custom frontend environments where high passkey adoption is critical. Corbado acts as a frontend-focused passkey layer that integrates seamlessly with existing identity systems like Cognito, in-house solutions or other third-party IdPs. It is optimized for reducing MFA costs and friction by enabling smooth, native passkey login in existing apps without requiring user migration.

➡️ Corbado is not an IdP. It enhances whatever identity provider you already use.

➡️ Corbado gives you control over the entire passkey UX flow - including fallback paths and edge case handling.

➡️ Cognito implements passkeys. Corbado turns them into a user-first login experience that actually gets adopted.

The following screenshot show’s Corbado’s funnel analysis that helps to understand login paths and determine bottlenecks and other observability insights.

➡️ Corbado was built for regulated, high-scale environments like banks or government agencies that have dedicated requirements to the supported device base and rollout.

With Corbado's process search, you can look for specific login events and back trace the user’s and system’s behavior to fix bugs or provide better support.

Why Are Passkeys Important For Enterprises?

Passkeys for Enterprises

Enterprises worldwide face severe risks due to weak passwords and phishing. Passkeys are the only MFA method that meets enterprise security and UX needs. Our whitepaper shows how to implement passkeys efficiently and what the business impact is.

Download free whitepaper

Work email *

Name *

Company *

Job title *

Phone number

Get whitepaper

Implementing passkeys is only half the battle. The bigger challenge is getting users to actually create and use them. Based on Corbado’s real-world deployments - including VicRoads - here are five proven strategies to maximize passkey adoption.

Offering passkey setup in the account settings might tick a feature box, but adoption will be low. Most users never explore settings and those who do won’t understand what a passkey is or why it matters.

✅ Do this instead: Prompt passkey creation right after login or after successful signup, when the user is already authenticated and mentally primed to act.

Use Conditional UI to invoke passkey autofill as soon as the user clicks into the email input. This mirrors what users are used to with password managers - seamless and invisible.

✅ This is supported in most devices and browsers nowadays. Corbado automatically detects support and enables the feature.

Not every device supports passkeys and not every user has created one yet. You need to handle:

• First-time logins from users without a passkey
• Devices which are not passkey-ready or lack certain WebAuthn features
• Users switching between devices or ecosystems

Corbado tracks metadata (device, browser, user agent) and dynamically selects the best method:

• If a passkey exists: prompt with automatic passkey logins.
• If not: fallback to password and conventional MFA via SMS or authenticator apps but offer to create a passkey afterward (if possible).

Copy, placement and timing make a huge difference. “Sign in faster” performs better than “Use your fingerprint to log in simpler” performs better than “Enable passkey login.”

Corbado’s developer console supports:

• A/B testing login prompts
• Tracking login times from passkeys and convetional login methods
• Measuring drop-offs in the passkey funnel

✅ Use real data to iterate, not guesswork.

Without visibility into how users interact with your passkey flow, you can’t improve it. Important metrics to monitor:

• Passkey creation rate
• Login success/failure rates
• Device/browser compatibility
• Top fallback methods

Corbado provides a full analytics dashboard and even user-level traceability via the process search for debugging issues (e.g., failed logins due to outdated browsers).

👉 Pro tip: Treat passkey adoption like a growth funnel - just like signups or conversions. Plan for optimization cycles after your initial rollout.

Igor Gjorgjioski

Head of Digital Channels & Platform Enablement, VicRoads

Corbado proved to be a trusted partner. Their hands-on, 24/7 support and on-site assistance enabled a seamless integration into VicRoads' complex systems, offering passkeys to 5 million users.

Enterprises trust Corbado to protect their users and make logins more seamless with passkeys. Get your free passkey consultation now.

Get free consultation

If you're already using AWS Cognito, you might be wondering: Do I really need Corbado on top? Or is Cognito’s built-in passkey support enough?

Here’s how to decide.

Cognito’s native passkey support is a good fit if:

• You use the Cognito Hosted UI / Managed Login and don’t plan to customize it.
• You're building a greenfield app and can design your flows around Cognito’s capabilities.
• Your passkey needs are basic: you just want to offer passkeys as an additional option, not replace SMS or passwords entirely.
• You don’t require passkey tracking, conditional UI, or A/B testing.
• You’re okay with manual user opt-in (click a on a separate “Sign in with passkey” button) and don’t need a high passkey adoption.

Ideal for:
MVPs, internal tools (non-customer facing), B2B startups or dev teams prototyping with AWS Cognito.

Corbado becomes essential when passkeys are not just a feature, but a strategic goal - for security, UX or cost reduction.

Use Corbado if:

• You have a custom frontend (React, Angular, etc.) and need full control over UI and login logic.
• You want to automate passkey login (conditional UI, one-tap login) instead of relying on user clicks.
• You’re aiming for high passkey adoption to reduce SMS costs or improve user retention.
• You operate at enterprise scale - with millions of users and legacy login infrastructure (usually this implies thousands of different device, OS and browser (version) combinations.
• You need analytics, A/B testing and device-level fallback intelligence.

Ideal for:
Enterprise apps, government platforms, high-traffic consumer portals or any business serious about moving toward a passkey-first future.

Corbado doesn’t replace Cognito - it makes it enterprise-passkey ready.

Yes - but it requires manual integration. Corbado makes this easier by handling WebAuthn flows in your custom frontend.

Cognito implements the basics. Corbado drives real adoption with fallback logic, A/B testing and full UX control.

Yes - especially with Corbado, which optimizes passkey adoption to reduce reliance on MFA fallback like SMS.

Passkeys are quickly becoming the new standard of user authentication - but adopting them successfully requires more than just flipping a switch.

While Cognito passkeys offer a solid starting point, they’re limited to basic use cases and Hosted UI / Managed Login flows. For teams that care about adoption, UX optimization, fallback handling and enterprise rollout, Cognito alone won’t be enough.

That’s where Corbado comes in.

By layering Corbado on top of Cognito (or any other IdP), you gain:

• Higher passkey adoption rates - through better UX and smart fallback logic
• Full integration into custom frontends - without vendor lock-in
• Reduced MFA costs - especially for high-volume SMS traffic
• Analytics, A/B testing, and device intelligence - to continuously optimize your login flow

In this blog post, we answered the following questions:

1. What are the key differences between Corbado Passkeys vs Cognito Passkeys?
   Cognito implements basic passkeys. Corbado optimizes adoption, UX and analytics for enterprise-scale use.
2. When should you use Corbado Passkeys and when rather use Cognito Passkeys?
   Use Cognito for basic needs with Hosted UI. choose Corbado if you have a custom frontend, large user base, or care about adoption and fallback flows.
3. How can you increase the passkey user adoption if your IdP is Amazon Cognito?
   Use Corbado to enable inline registration, conditional UI, fallback logic, analytics and progressive rollout.

Whether you're building for millions of users or just starting your passkey journey, Corbado helps you go beyond “implementation” and achieve real outcomes.