Authsignal
Last verified 2026-05-08 · Reviewed by guptadeepak
Editorial verdict
Authsignal is the strongest identity orchestration layer in 2026, designed to sit in front of any underlying CIAM (Auth0, Cognito, Keycloak, custom-built) and add the passkey orchestration, adaptive risk decisioning, and step-up MFA logic that most full-platform vendors do badly. For teams with an existing CIAM that want to fix passkey adoption or harden against account takeover without replacing the primary platform, Authsignal is the singular pick. It is not a full CIAM; greenfield teams should pick one of those first.
At a glance
- Best for: Teams running Auth0, Cognito, or Keycloak who want passkey orchestration without changing primary CIAM
- Pricing: tiered-mau
- Free tier: 5,000 MAU
- Deployment: cloud-saas
- SOC 2 Type II: Yes
- Passkeys: Native
- Self-host: No
- Open source: No
Funding & business
- Funding model: Venture-backed
- Total raised: $905K
- Latest round: Seed · $905K · 2022
- Years in business: 5 yrs
- Round led by: Blackbird Ventures
- Profitable: Not disclosed
New Zealand drop-in MFA / step-up auth; $905K seed (2022).
Funding data from primary source. See also the CIAM investor landscape.
Strengths
- Best-in-class identity orchestration as a layer: sits in front of any underlying CIAM (Auth0, Cognito, Keycloak, custom) without replacing it.
- Rules Engine (JavaScript) for risk decisioning, step-up MFA, and adaptive policies; meaningfully more capable than the adaptive layer of most full-platform CIAMs.
- Best-in-class passkey orchestration with conditional UI, device-aware prompting, and recovery design as defaults.
- Vendor-neutral design: does not try to replace your CIAM, only enhance it.
Limitations
- Not a full CIAM: does not store user accounts, does not handle social login, does not provide SAML SSO.
- Adds a vendor and a hop in the auth flow; teams without an existing CIAM should pick a full-platform vendor first.
- Compliance footprint is narrower than enterprise SaaS: no FedRAMP, no PCI DSS direct attestation.
- Smaller ecosystem; less Stack Overflow coverage than full-platform CIAM.
Capability matrix
Every vendor scored on the same axes. See the methodology for criteria.
| Capability | Support |
|---|---|
| Password authentication | No |
| Social login | No |
| Magic links | Yes |
| SMS OTP | Yes |
| Email OTP | Yes |
| TOTP (authenticator app) | Yes |
| Push MFA | Yes |
| WebAuthn / passkeys | Yes |
| Biometric | Yes |
| Hardware security keys | Yes |
| SAML SSO | No |
| OIDC SSO | Partial |
| OAuth 2.0 SSO | Partial |
| Enterprise federation | No |
| Passwordless-only flows | Yes |
| Adaptive MFA | Yes |
| Step-up auth | Yes |

| Capability | Support |
|---|---|
| RBAC | No |
| ABAC | No |
| ReBAC | No |
| FGA engine | No |
| API authorization | Partial |
| Fine-grained permissions | No |

| Capability | Support |
|---|---|
| Self-service registration | No |
| Progressive profiling | No |
| Self-service account | Partial |
| Bulk user import | No |
| Admin user search | Yes |
| Custom user metadata | Yes |
| Organizations / tenants | Partial |
| Multi-tenancy | Yes |

| Capability | Support |
|---|---|
| REST API | Yes |
| GraphQL API | No |
| SDKs | js, node, react, next, ios, swift, android, kotlin, python, go, ruby, php, java, dotnet |
| CLI | No |
| Terraform provider | Yes |
| Local emulator | No |
| Extension model | Webhooks + custom rule scripts (JavaScript) |

| Capability | Support |
|---|---|
| Bot detection | Yes |
| Breached password detection | No |
| Brute-force protection | Yes |
| Anomaly detection | Yes |
| Log streams | Yes |
| Audit logs | Yes |
| GDPR data export | Yes |
| PII minimization | Yes |
| Post-quantum roadmap | No |

| Capability | Support |
|---|---|
| MCP support | No |
| OAuth 2.1 | Partial |
| Dynamic client registration | No |
| Agent vs human token separation | No |
| Web Bot Auth | No |

| Capability | Support |
|---|---|
| SOC 2 Type II | Yes |
| ISO 27001 | Yes |
| ISO 27018 | No |
| HIPAA | Yes |
| PCI DSS | No |
| GDPR | Yes |
| CCPA | Yes |
| FedRAMP | No |
| EU data residency | Yes |

| Capability | Support |
|---|---|
| Consent management | No |
| Preference center | No |
| Purpose-specific consent | No |
| Integrates with CMPs | n/a |
Pricing
| MAU | Estimated price |
|---|---|
| 10,000 MAU | $99/mo |
| 100,000 MAU | $700/mo |
| 500,000 MAU | $2,500/mo |
| 1,000,000 MAU | $4,800/mo |
- Priced per challenge or per MAU depending on plan
- Custom rule scripts (Rules Engine) included at standard tier
- Pairs with any underlying CIAM (Auth0, Cognito, Keycloak, custom) without replacing it
Estimates use the standard assumptions in our methodology. Always confirm with the vendor.
Best for
- Teams running Auth0, Cognito, or Keycloak who want passkey orchestration without changing primary CIAM
- Apps facing serious account-takeover pressure that need adaptive risk and step-up MFA beyond their CIAM's native layer
- B2C apps targeting high passkey adoption on top of an existing auth platform
Not for
- Greenfield apps without an existing CIAM; pick a full-platform vendor first
- Workloads requiring FedRAMP or PCI DSS direct attestation
- Teams that prefer one vendor for the entire auth stack
FAQ
- Does Authsignal replace my CIAM?
  No. Authsignal is an orchestration layer that sits in front of (or alongside) your existing CIAM (Auth0, Cognito, Keycloak, custom-built, anything). It handles passkey enrollment, MFA challenges, step-up flows, and adaptive risk decisioning; the underlying CIAM continues to handle user storage, social login, SAML, and the rest of the auth surface.
- When does Authsignal make sense over Descope's Flows?
  When you already have a CIAM and don't want to replace it. Descope is a full-platform CIAM whose Flows feature is bundled; Authsignal is the orchestration layer alone, designed to enhance an existing platform without forcing migration. Greenfield teams should usually pick Descope (or another full platform with strong orchestration). Teams with installed Auth0 / Cognito / Keycloak should usually pick Authsignal.
- What about Corbado?
  Corbado is the closest competitor: also an orchestration layer, also a passkey specialist. The two differ on scope: Authsignal covers broader risk decisioning and step-up flows; Corbado is more narrowly passkey-orchestration-focused with deeper passkey-specific tooling.
Sources
- Authsignal Pricing, accessed 2026-04-22
- Authsignal Documentation, accessed 2026-04-22
What Authsignal is
Authsignal launched in 2021 in Auckland with a clear scope: be the orchestration layer, not the primary CIAM. The product sits in front of (or alongside) an existing auth platform (Auth0, Cognito, Keycloak, custom) and handles the orchestration that full-platform vendors typically do badly: passkey enrollment with device-aware prompting, MFA challenges, step-up authentication for sensitive actions, and adaptive risk decisioning via a JavaScript Rules Engine. The buyer is a team that has an installed primary CIAM and is hitting limits on passkey adoption, account-takeover defense, or adaptive MFA.
Where Authsignal wins
The vendor-neutral design is the strategic edge. Most CIAM vendors that ship orchestration require you to migrate the entire auth surface to them; Authsignal takes the opposite stance and slots into whatever exists. For a team running Auth0 in production, swapping to Descope for better orchestration is a 60-90-day migration; layering Authsignal in takes days.
The passkey orchestration is at the level of Stytch / Descope / Hanko: conditional UI, device-aware prompting, fallback flows, recovery design. Customers consistently see the same 30–50% adoption rates within six months, but on top of their existing CIAM rather than after a migration.
The Rules Engine is meaningfully more capable than the adaptive MFA layer of most full-platform CIAMs. JavaScript rules that evaluate risk signals (device, geo, velocity, behavior) and decide between allow / step-up / block give teams the kind of adaptive logic that vendors like Auth0 expose only at higher tiers, and often less expressively.
DX is strong. Idiomatic SDKs across major languages, Terraform provider, webhook delivery, and modern docs.
Where Authsignal hurts
It is not a CIAM. No user storage, no social login flows, no SAML SSO, no Organizations model. For greenfield teams without an existing auth platform, picking Authsignal first is the wrong order; pick a full-platform CIAM first and add Authsignal if you need its orchestration depth.
Adding a vendor and a hop in the auth flow is real architectural cost. Teams without a clear orchestration problem to solve are better off relying on their primary CIAM's built-in adaptive layer, even if it is weaker.
Compliance breadth is narrower than enterprise SaaS: SOC 2 Type II yes, ISO 27001 yes, but no FedRAMP, no PCI DSS direct attestation. For federal or fintech workloads requiring these specifically, Authsignal is a layered concern alongside the primary CIAM.
The community and ecosystem are smaller than full-platform vendors.
How Authsignal compares
The closest direct comparison is Authsignal vs Corbado for the passkey-orchestration-layer call. Most teams evaluating Authsignal are also evaluating whether to switch full-platform CIAM to one with built-in orchestration; see Auth0 vs Descope and Stytch vs Descope for that path.
Editorial changelog (1 entry)
Capability matrix and pricing bands re-verified against the vendor's latest documentation and changelog.