1pass vs Other IdPs
No single IdP is the right answer in every situation. This document is an honest comparison of 1pass (logi) against the major IdPs — where it's strong and where it's weak.
30-second summary
- Mobile-first + Korea B2B + the AI-agent era → 1pass
- Enterprise SSO (SAML/SCIM/AD sync) → Auth0 / WorkOS / Keycloak
- A fast MVP on top of PostgreSQL → Supabase Auth
- Full self-host + unlimited customization → Keycloak
Feature matrix
| Feature | Auth0 | Clerk | Supabase Auth | Keycloak (OSS) | WorkOS | 1pass / logi |
|---|---|---|---|---|---|---|
| OAuth 2.0 / OIDC | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ |
| PKCE / Refresh Rotation | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ |
| Passkey / WebAuthn | ✅ | ✅ | partial | partial | ✅ | ✅ |
| TOTP 2FA | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ |
| App Attest / Play Integrity | △ | △ | ❌ | ❌ | ❌ | ✅ |
| Native iOS/Android authenticator app | ❌ | ❌ | ❌ | ❌ | ❌ | ✅ |
| App Clip / instant-install flow | ❌ | ❌ | ❌ | ❌ | ❌ | ✅ |
| Widget SDK (iframe embed) | ✅ | ✅ | ❌ | ❌ | ❌ | ✅ |
| QR push-approval login | ❌ | ❌ | ❌ | ❌ | ❌ | ✅ |
| Device Flow (RFC 8628) | ✅ | ❌ | ❌ | ✅ | ❌ | ✅ |
| MCP server (AI agent OAuth) | ❌ | ❌ | ❌ | ❌ | ❌ | ✅ |
| Developer CLI | ✅ (mgmt) | ❌ | ✅ | ✅ (kcadm) | ✅ | ✅ |
| Webhooks | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ |
| Suspicious login / Risk Detection | ✅ | partial | ❌ | partial | ✅ | ✅ |
| Audit Log (tamper-evident) [^audit] | ✅ | ✅ | partial | ✅ | ✅ | ✅ |
| Korean docs / support | ❌ | ❌ | ❌ | ❌ | ❌ | ✅ |
| KakaoTalk/Naver in-app compatibility | △ | ❌ | ❌ | ❌ | ❌ | ✅ |
Pricing, enterprise directory (SAML / SCIM / AD), and compliance (SOC 2 / ISO 27001) are excluded from this comparison because they aren't settled on the 1pass side yet. The future plan is tracked on our internal roadmap — for details, reach us at support@1pass.dev.
[^audit]: logi's audit log is a tamper-evident hash chain (SHA256, linking prev/current). DB-side WORM (Write Once Read Many) enforcement (an INSERT-only trigger / append-only storage) is not applied, so strict compliance (e.g. SEC 17a-4) requires a separate export plus external immutable storage. The implementation lives in the server's audit_logger.rb, where the verify_chain! method verifies integrity.
Strength axes (where 1pass excels)
1. App-native trust tokens
1pass ties App Attest (iOS) + Play Integrity (Android) directly into the OAuth flow — "a step above WebAuthn: verifying the device itself." On other IdPs this is an SDK-side option, or it's split off into a separate API. With 1pass, the device-attestation result is included in the /oauth/token response itself.
2. An IdP for the AI-agent era
@logi/mcp — the IdP itself provides an MCP server that lets AI agents like Claude, ChatGPT, and Cursor act safely on a user's behalf. The user connects an MCP client to their own 1pass account, and the agent acts with a user-scoped Personal API Key. As of 2026, there are almost no solutions in this space.
3. Mobile-first OAuth UX
- Automatic Universal Link routing (the RP doesn't need to write extra code)
- App Clip — even users without the app installed finish their first login within 30 seconds
- QR push approval — one-tap approval from a desktop RP via a notification to the mobile 1pass app
- A Device Flow fallback that doesn't break inside in-app browsers (KakaoTalk/Naver apps)
"Sign in with Apple-grade UX, from any RP" — without being locked into the Apple ecosystem.
4. A full-stack Korea B2B fit
- Korean docs / a Korean console / Korean user-facing messages
- Patterns compatible with KISA guidelines (separate storage of personal data, a tamper-evident hash-chain audit log)
- Compatible with Toss / Naver patterns (Device Flow, payment-modal friendly)
- A consent screen the average Korean user can understand ("what information do we receive," in plain language)
Weaknesses / where competitors are stronger
Honestly — for the following scenarios, we recommend another IdP:
Enterprise SSO is mandatory
If SAML 2.0 / SCIM provisioning / Active Directory sync / Okta directory federation is mandatory → Auth0 / WorkOS / Keycloak. 1pass currently officially supports only OAuth 2.0 + OIDC + Passkey.
SOC 2 Type II / ISO 27001 certification is a contract condition
For large enterprise procurement → Auth0 / WorkOS. 1pass has not started the certification process yet.
You're already building full-stack on Supabase
If you want to bundle DB + Auth + Storage under a single vendor → Supabase Auth. 1pass is an IdP-only, decoupled model.
1M MAU + free SAML
If your startup desperately needs free SAML → WorkOS (1M MAU free + free SAML). The 1pass pricing structure will be published on a separate page.
Recommendations by scenario
| Your situation | Recommendation |
|---|---|
| Korea B2B SaaS, with a mobile app | 1pass (leverages strengths 1, 3, and 4) |
| Need AI agent / MCP integration | 1pass (currently the only official option) |
| Global enterprise SaaS, SAML required | Auth0 or WorkOS |
| Supabase full-stack MVP, mobile undecided | Supabase Auth |
| Full self-host, unlimited customization | Keycloak |
| Hit mobile-UX limits with Clerk | 1pass (a P1 comparison page is planned) |
Individual comparison pages (planned)
- 1pass vs Clerk — the closest competitor (P1)
- 1pass vs Supabase Auth — migration guide (P2)
- 1pass vs Auth0 — pricing comparison for Korean startups (P3)
An honest fact-check request
This document is based on public materials as of 2026-05 plus 1pass's own code. If you spot a competitor change or an error, let us know at support@1pass.dev.