What is FedCM? A guide to Federated Credential Management
Learn how Federated Credential Management (FedCM) solves the privacy risks of social logins in a cookieless world, offering secure, seamless user authentication.

The Unseen Risk in Your Login Button
For years, the "Sign in with Google" or "Log in with Facebook" button symbolized digital convenience. For businesses, it promised lower friction for user acquisition; for users, it meant one less password to remember. However, the technological foundation that made this convenience possible is evolving. The widespread shift away from third-party cookies, driven by a global demand for greater user privacy, isn't just an advertising problem. It's creating new challenges for federated identity systems that impact the core functionality of websites worldwide. That simple login button now represents a potential point of failure.
This shift requires more than a technical patch; it demands a new strategic approach to user identity. This guide provides a clear, business-focused overview of the challenge, introduces the solution in the form of Federated Credential Management (FedCM), and outlines a strategic path forward using modern, API-first identity solutions.
The Shifting Landscape of Digital Identity
The move away from third-party cookies is the culmination of years of growing public unease and regulatory action surrounding digital privacy. This isn't a niche concern; it's a powerful market force. While 62% of Americans believe it's impossible to go through daily life without companies collecting data about them, that resignation doesn't equal consent. A staggering 81% of users say the potential risks they face from data collection outweigh the benefits (Pew Research Center), and 63% believe most companies aren’t transparent about how their data is used (Tableau). Google's decision to phase out third-party cookies in its Chrome browser, which commands nearly two-thirds of the global market, is the tipping point that transforms this issue from a future consideration into an urgent business reality.
While headlines have focused on the disruption to digital advertising, a more fundamental business process is being impacted: federated user authentication. Traditional federated identity systems—the technology behind social logins—have historically relied on browser mechanisms, like third-party cookies, that also enabled cross-site tracking. When a user clicks "Sign in with Google" on your-business.com, the flow relies on a connection to a separate domain, like accounts.google.com. This cross-domain communication has historically depended on third-party cookies to recognize the user and maintain a seamless experience.
As browsers restrict third-party cookies, these legacy authentication flows can break. The user's browser can no longer connect their identity across different websites, leading to failed logins, interrupted user journeys, and customer frustration. It's important to distinguish this from first-party cookies, which are set by the website a user visits directly. These remain a secure and essential tool for managing user sessions and preferences within a single domain. The challenge lies specifically with federated identity flows that operate across different domains. This technical evolution requires a strategic response. Businesses must now consider how to adapt their federated identity approach for this new privacy-centric environment. Adopting a modern solution isn't merely a technical upgrade; it's a public declaration of alignment with contemporary user expectations, which can serve as a significant competitive differentiator.
The User Experience Debt of "Sign in with..." and the NASCAR Problem
While convenient, traditional social logins have faced challenges. The technical mechanisms they relied upon—namely <iframe>s, navigational redirects, and third-party cookies—are the same tools that have come under scrutiny for their role in cross-site tracking. This overlap created privacy concerns at the heart of the login process.
This flawed foundation gave rise to a widely recognized user interface anti-pattern known as the "NASCAR Problem". Coined by designer Daniel Burka, the term describes a cluttered, visually noisy login page plastered with a jumble of branded buttons for various identity providers (IdPs). Like a race car covered in sponsorship decals, these login pages present an overwhelming array of choices that vie for the user's attention.
This isn't a mere aesthetic complaint; it's a direct impediment to conversion. The well-documented "paradox of choice" principle suggests that an excess of options can lead to confusion, decision paralysis, and ultimately, user abandonment. In an attempt to offer comprehensive login options, businesses were inadvertently damaging their own sign-up funnels. Furthermore, these legacy flows created security vulnerabilities by training users to enter highly sensitive credentials into pop-up windows or redirected pages, making them more susceptible to sophisticated phishing attacks.
The NASCAR Problem is the visible symptom of a decentralized and broken trust model. Each logo represents a separate, siloed transaction that the website must manage. The solution requires a fundamental shift in how this interaction is handled. By moving the point of interaction from the website to the browser itself, a new model emerges—one that centralizes the trust exchange in a neutral, user-controlled, and standardized environment.
FedCM: The Browser as a Trusted Mediator for Identity
FedCM is the purpose-built solution to this challenge. Developed as a new web standard by the World Wide Web Consortium (W3C) and major browser vendors, FedCM is designed from the ground up to enable federated identity in a privacy-preserving way. Its core innovation is to position the web browser as a trusted intermediary—a "mediator" that handles the sensitive identity transaction on the user's behalf without revealing unnecessary information to any party.
FedCM separates the act of authentication from the possibility of tracking. For business and application owners, this translates into several key benefits:
- Improved user experience: It introduces a simplified, one-tap login process through a native browser user interface. This eliminates confusing page redirects and pop-ups, directly solving the NASCAR Problem by presenting a single, clean prompt.
- Enhanced privacy and trust: The entire flow is designed to work without third-party cookies. The browser only contacts the user's chosen identity provider after the user gives explicit consent in the prompt. This addresses the privacy concerns associated with passive, cross-site data leakage in older federated systems and builds significant user trust.
- Increased security: By using a standardized, browser-controlled UI, FedCM dramatically reduces the surface area for phishing attacks. Users learn to interact with a familiar, trusted interface every time they sign in, regardless of the website.
The standard isn't a theoretical proposal; it's being actively developed and adopted by major identity providers like Google and implemented by large-scale platforms like Shopify, signaling its long-term viability and importance in the new web ecosystem. This represents a strategic "re-bundling" of identity at the browser level. Where identity was once unbundled, with every website cobbling together different IdP software development kits (SDKs), FedCM bundles the interaction layer back into the browser. This creates a more efficient and secure market for identity services, where providers compete on the quality of their service, not the design of their login button. For a business, this shift is a massive strategic advantage, as it dramatically lowers technical debt and increases agility by standardizing the integration point.
A Look Under the Hood: The FedCM Handshake
While the underlying technology is sophisticated, the FedCM authentication flow is conceptually straightforward. It's a carefully choreographed handshake mediated by the browser, designed for security and simplicity.
The process unfolds in five key steps:
- The request: A user arrives on a website (the Relying Party, or RP) and initiates a login. The website's frontend calls the FedCM API, typically via a script that first fetches necessary configuration details, like a list of supported IdPs, from its identity platform (e.g., Ory).
- The mediator steps in: The user's browser intercepts this API call. It checks if the user is already logged into a supported IdP (like Google). If so, the browser itself displays a native, non-intrusive prompt, such as: "Sign in to [Website Name] with your [Google] account?".
- User consent: The user clicks "Continue" within this trusted browser prompt. This explicit action constitutes the required user gesture, granting permission for the identity exchange to proceed.
- The assertion: With consent granted, the browser facilitates a secure, behind-the-scenes exchange. The IdP issues a temporary, single-use "identity assertion" (an ID token) and passes it back to the browser, which then delivers it to the website.
- Authentication: The website's frontend takes this token and sends it to its backend identity service (like Ory Kratos). The backend securely validates the token with the IdP, creates a user session, and completes the login process.
This entire sequence is designed to function without third-party cookies, jarring page reloads, or the need for the website to manage complex pop-ups or <iframe>s. The following table illustrates the strategic evolution this represents.
The Evolution of Federated Login: From Tracking-by-Default to Privacy-by-Design
Feature | Traditional Federated Flow | FedCM Flow (The New Standard) | Business Implication |
---|---|---|---|
Key mechanism | Relies on <iframe>, redirects, and pop-ups | Uses a browser-mediated API call (navigator.credentials.get()) | Reduced technical complexity and fewer points of failure. |
Privacy model | Often relied on third-party cookies, which could enable passive cross-site tracking | No third-party cookies; explicit user consent required before IdP is contacted | Higher user trust and alignment with evolving privacy standards. |
User experience | Potentially jarring redirects; "NASCAR Problem" with multiple buttons | Seamless, one-tap, native browser UI that is consistent across sites | Lower friction, reduced user confusion, and increased sign-up conversion rates. |
Security posture | Higher risk of phishing due to inconsistent, site-controlled UI elements | Lower risk due to a standardized, trusted prompt controlled by the browser | Enhanced protection for users and reduced brand risk from security incidents. |
From Standard to Strategy: Activating FedCM with Ory
Understanding the FedCM standard is one thing; implementing it in a scalable, secure, and maintainable way is another. This is where an enterprise-grade identity platform like Ory becomes a strategic enabler. Ory provides a complete identity and access control ecosystem, with Ory Kratos serving as the identity management backend and the Ory Network offering it as a fully managed service. This is critical because FedCM manages the browser-side interaction, but a business still needs a robust backend to handle user profiles, sessions, permissions, and other identity-related logic.
Ory abstracts away the low-level complexities of FedCM, transforming what could be a daunting engineering challenge into a series of straightforward configuration steps:
- Configure the SSO provider: Within the Ory Console, an administrator navigates to the "Social Sign-In" section. To enable FedCM for a supported provider like Google, they simply provide the FedCM Config URL supplied by the IdP. This is a configuration setting, not a code change.
- Set up a custom domain: To ensure secure communication between the website's script and the Ory APIs, a custom domain is configured for the Ory Network. This is also managed within the console and includes enabling Cross-Origin Resource Sharing (CORS) for the website's domains. This step enhances both security and brand consistency.
- Embed the FedCM script: A small, standardized JavaScript snippet provided by Ory is placed on the website. This script is responsible for making the API calls that trigger the FedCM flow.
Behind the scenes, the Ory Network handles the heavy lifting: generating the correct parameters for the FedCM call, including security measures like CSRF tokens to prevent cross-site request forgery, and then receiving and validating the identity assertion from the browser to issue a secure user session.
The value here extends far beyond initial implementation. FedCM isn't a static standard; it's actively evolving within the W3C's Federated Identity Working Group, with new capabilities like multi-IdP support and enhanced APIs under development. A business that builds a custom FedCM solution today is committing to a hidden, ongoing operational cost: dedicating engineering resources to perpetually monitor, test, and update their code as the standard and browser behaviors change.
By contrast, using a platform like Ory offloads this significant maintenance burden. It effectively outsources the R&D required to stay current with the identity landscape. This transforms a volatile and unpredictable technical challenge into a stable and predictable operational expense—a powerful value proposition for any technology or finance leader.
The ROI of Modern Identity: A Compelling Business Case
Investing in a modern identity platform to adopt FedCM isn't a cost center; it's a driver of tangible business value and return on investment. The business case rests on four key pillars:
- Increased conversion and revenue: By replacing a high-friction, multi-step login process with a seamless one-tap flow, FedCM can directly increase sign-up and sign-in conversion rates. For any e-commerce, SaaS, or media business, higher conversion translates directly to top-line revenue growth.
- Strategic de-risking and future-proofing: Relying on federated identity flows that depend on third-party cookies presents a growing business risk. Adopting a modern alternative like FedCM through a platform like Ory not only addresses the immediate challenge of third-party cookie restrictions but also future-proofs the application against the next wave of privacy-centric web standards.
- Enhanced brand value and user trust: In an era defined by data breaches and privacy scandals, a demonstrable commitment to user privacy is a powerful brand asset. According to Cisco, 81% of users believe the way a company treats their personal data is indicative of the way it views them as a customer. This sentiment directly impacts the bottom line, as 75% of consumers will not purchase from organizations they don’t trust with their data (Cisco). Furthermore, 37% of users have already terminated relationships with companies over their data practices, a figure that is on the rise (Cisco). Adopting FedCM is a tangible signal to users that their data and security are respected, which can foster loyalty and prevent customer churn.
- Improved operational efficiency and developer velocity: The experience of media giant Axel Springer provides a compelling real-world example of this principle. Before modernizing its identity infrastructure, the company's legacy system was brittle, struggled to scale during high-traffic news events, and was slow and difficult to update—a classic case of high technical debt hampering business agility. By migrating to the Ory Network, Axel Springer offloaded the responsibility for identity infrastructure and security. This freed their internal development teams to focus on core business innovation and ship new features, like improved social logins, more efficiently. While this migration set the stage for FedCM, the core lesson is clear: partnering with an identity expert like Ory unlocks internal resources. The investment wasn't just to fix a broken login system; it was an investment in architectural modernization that creates organizational agility. This agility pays dividends in the form of faster time-to-market for all future product developments, a strategic benefit that resonates at the C-level.
Your Next Move in the New Era of Identity
The fundamental architecture of the web is evolving. Old methods for managing federated user identity, which often relied on mechanisms like third-party cookies, are becoming less viable as browsers prioritize user privacy. FedCM has emerged as the new, privacy-first standard, offering a more secure, trustworthy, and seamless experience for users.
Navigating this transition alone is a risky and resource-intensive proposition. Attempting to build and maintain a compliant identity system in-house diverts valuable engineering talent from core product innovation. Modern identity platforms like Ory provide a strategic, future-proof path to not only adopt the new standard but to leverage it as a competitive advantage.
Business and technology leaders must stop viewing identity as a solved commodity. It's time to re-evaluate current identity strategies in light of these profound technological shifts. It's time to ask: Is our federated sign-in flow prepared for a world with restricted third-party cookies? Does it suffer from the NASCAR problem, frustrating users and hurting conversion? By exploring how a modern identity platform can accelerate business goals, leaders can transform a strategic risk into a user-centric opportunity.
For additional details on implementing FedCM with Ory, see our documentation: https://www.ory.sh/docs/kratos/social-signin/fedcm
Learn more about FedCM, including a video and a mock FedCM utility with which you can test out the standard: https://www.ory.sh/fedcm