Corbado
Last verified 2026-03-20 · Reviewed by guptadeepak
Editorial verdict
Corbado is the deepest passkey-specialist orchestration layer in 2026, focused exclusively on driving passkey adoption on top of any underlying CIAM, with adoption analytics, A/B testing, and recovery-flow tooling that no full-platform vendor ships. For teams running Auth0 / Cognito / Keycloak who want to fix passkey adoption without changing primary CIAM, Corbado is the singular pick alongside Authsignal. It is not a full CIAM; pick one of those first if greenfield.
At a glance
- Best for: Teams running an existing CIAM that want to drive passkey adoption above the orchestration-light baseline
- Pricing: tiered-mau
- Free tier: 10,000 MAU
- Deployment: cloud-saas
- SOC 2 Type II: Yes
- Passkeys: Native
- Self-host: No
- Open source: No
Funding & business
- Funding model: Venture-backed
- Total raised: Undisclosed
- Latest round: Seed · 2024
- Years in business: 6 yrs
- Profitable: Not disclosed
Investors
Munich passkey-rollout specialist; subsidiary of PB Holding GmbH with backing from 10x Founders.
Funding data from primary source. See also the CIAM investor landscape.
Strengths
- Deepest passkey-specific tooling in the market: adoption analytics, A/B testing, browser-and-device coverage data, and recovery-flow design that no other vendor ships.
- Vendor-neutral by design: slots in front of any underlying CIAM (Auth0, Cognito, Keycloak, custom) without replacement.
- Excellent docs and a public passkey adoption knowledge base that the wider industry references.
- EU-headquartered with EU data residency, which fits sovereignty-conscious buyer profiles.
Limitations
- Not a full CIAM: does not handle social login, SAML SSO, B2B Organizations, or authorization.
- Adds a vendor and a hop in the auth flow; teams without an existing CIAM should pick a full-platform vendor first.
- Compliance footprint is narrow: SOC 2 Type II yes, ISO 27001 yes, but no HIPAA / FedRAMP / PCI DSS.
- Smaller community than full-platform CIAM; partner integrations are limited.
Capability matrix
Every vendor scored on the same axes. See the methodology for criteria.
| Capability | Support |
|---|---|
| Password authentication | No |
| Social login | No |
| Magic links | Yes |
| SMS OTP | Yes |
| Email OTP | Yes |
| TOTP (authenticator app) | No |
| Push MFA | No |
| WebAuthn / passkeys | Yes |
| Biometric | Yes |
| Hardware security keys | Yes |
| SAML SSO | No |
| OIDC SSO | Partial |
| OAuth 2.0 SSO | Partial |
| Enterprise federation | No |
| Passwordless-only flows | Yes |
| Adaptive MFA | No |
| Step-up auth | Partial |

| Capability | Support |
|---|---|
| RBAC | No |
| ABAC | No |
| ReBAC | No |
| FGA engine | No |
| API authorization | Partial |
| Fine-grained permissions | No |

| Capability | Support |
|---|---|
| Self-service registration | Yes |
| Progressive profiling | No |
| Self-service account | Yes |
| Bulk user import | Yes |
| Admin user search | Yes |
| Custom user metadata | Yes |
| Organizations / tenants | No |
| Multi-tenancy | Partial |

| Capability | Support |
|---|---|
| REST API | Yes |
| GraphQL API | No |
| SDKs | js, node, react, next, vue, ios, swift, android, kotlin, go, python, java, dotnet |
| CLI | No |
| Terraform provider | No |
| Local emulator | No |
| Extension model | Webhooks + custom UI components |

| Capability | Support |
|---|---|
| Bot detection | No |
| Breached password detection | No |
| Brute-force protection | Yes |
| Anomaly detection | Partial |
| Log streams | Partial |
| Audit logs | Yes |
| GDPR data export | Yes |
| PII minimization | Yes |
| Post-quantum roadmap | No |

| Capability | Support |
|---|---|
| MCP support | No |
| OAuth 2.1 | Yes |
| Dynamic client registration | No |
| Agent vs human token separation | No |
| Web Bot Auth | No |

| Capability | Support |
|---|---|
| SOC 2 Type II | Yes |
| ISO 27001 | Yes |
| ISO 27018 | No |
| HIPAA | No |
| PCI DSS | No |
| GDPR | Yes |
| CCPA | Yes |
| FedRAMP | No |
| EU data residency | Yes |

| Capability | Support |
|---|---|
| Consent management | No |
| Preference center | No |
| Purpose-specific consent | No |
| Integrates with CMPs | n/a |
Pricing
| MAU | Estimated price |
|---|---|
| 10,000 MAU | $99/mo |
| 100,000 MAU | $700/mo |
| 500,000 MAU | $2,400/mo |
| 1,000,000 MAU | $4,500/mo |
- Priced per MAU; pairs with any underlying CIAM
- Passkey-specific tooling (analytics, A/B testing, recovery flows) is the core product surface
- Self-hosted deployment is not available; the product is managed only
Estimates use the standard assumptions in our methodology. Always confirm with the vendor.
Best for
- Teams running an existing CIAM that want to drive passkey adoption above the orchestration-light baseline
- B2C consumer apps where passkey adoption analytics and A/B testing on enrollment flows justify a specialist
- EU-based products needing GDPR-first design with explicit passkey-orchestration depth
Not for
- Greenfield apps without an existing CIAM; pick a full-platform vendor first
- Workloads requiring HIPAA, PCI DSS, or FedRAMP
- Teams that prefer one vendor for the entire auth stack
FAQ
- How does Corbado differ from Authsignal?
  Both are vendor-neutral orchestration layers that sit in front of an underlying CIAM. Authsignal covers broader risk decisioning and step-up MFA scenarios; Corbado is more narrowly passkey-specialist with deeper passkey-specific tooling: adoption analytics, A/B testing of enrollment flows, browser-and-device coverage data, and recovery flow design. Teams whose binding constraint is passkey adoption specifically tend to pick Corbado; teams whose constraint is broader risk decisioning tend to pick Authsignal.
- Does Corbado replace my CIAM?
  No. Corbado is a layer that handles passkey enrollment, authentication, and recovery flows; the underlying CIAM continues to handle user storage, social login, SAML, and the rest of the auth surface. Most Corbado customers run it in front of Auth0, Cognito, Keycloak, or a custom-built auth system.
- What's special about Corbado's passkey analytics?
  Corbado publishes one of the industry's most-referenced passkey adoption data sets: browser-and-device-level passkey support coverage, adoption rates by industry vertical, and conversion data on enrollment flow variants. Customers get the same analytics for their own deployment, which lets teams A/B test enrollment prompts and measure adoption rather than guess at it.
Sources
- Corbado Pricing, accessed 2026-04-22
- Corbado Documentation, accessed 2026-04-22
- Corbado Passkey Knowledge Base, accessed 2026-04-22
What Corbado is
Corbado launched in 2020 in Munich with a tightly scoped thesis: passkey adoption is an orchestration problem, not a protocol-support problem, and most CIAM vendors that shipped WebAuthn did not ship the prompting, A/B testing, recovery-flow design, and adoption analytics that turn passkey support into measurable adoption. The product is a passkey-specialist orchestration layer that sits in front of any underlying CIAM, with the deepest passkey-specific tooling among the vendors in this index.
Where Corbado wins
The passkey-specific depth is the structural edge: adoption analytics that show which browsers, devices, and demographics enroll passkeys at what rates; A/B testing on enrollment prompts; conditional UI handling that knows whether to surface a passkey or a fallback; and recovery flows designed for the case where a user loses every device. No full-platform CIAM ships this depth. Stytch and Hanko come closest, but Corbado's narrow focus produces tooling that the full-platform vendors don't bother to build.
The vendor-neutral design matches Authsignal's strategic stance. Teams running Auth0, Cognito, Keycloak, or a custom-built auth system can layer Corbado in days rather than migrating their primary CIAM. For organizations whose existing CIAM is fine on every axis except passkey adoption, this is the right composition.
The public passkey knowledge base is an underrated trust signal. Corbado publishes detailed cross-vendor adoption data and browser-coverage matrices that the wider industry references, which positions the company as the substantive expert in the niche.
EU-headquartered with EU data residency is a meaningful sovereignty signal for European buyers.
Where Corbado hurts
It is not a CIAM. No user storage flows beyond passkey credentials, no social login orchestration, no SAML SSO, no B2B Organizations model, no authorization layer. Greenfield teams without an existing CIAM should pick a full-platform vendor first.
Adding a vendor and a hop in the auth flow is real architectural cost. Teams without a clear passkey-adoption problem to solve are better off relying on their primary CIAM's built-in passkey support.
Compliance breadth is narrower than enterprise SaaS: SOC 2 Type II yes, ISO 27001 yes, no HIPAA, no FedRAMP, no PCI DSS. For workloads requiring those specifically, Corbado is a layered concern alongside the primary CIAM.
The community is small, partner integrations are limited, and the niche scope means Corbado is not a one-vendor-for-everything answer.
How Corbado compares
The closest direct comparison is Authsignal vs Corbado for the orchestration-layer call. Most teams evaluating Corbado are also evaluating whether to switch full-platform CIAM to one with built-in orchestration; see Auth0 vs Stytch and Auth0 vs Descope for that path. For self-hosted passkey-first OSS, Hanko is the alternative that pairs passkey orchestration with full-platform user management.
Editorial changelog (1 entry)
Full profile review: capability matrix, TCO bands, and editorial verdict re-verified against current public sources.