SSO averages 1.3 times faster than passwords, and 5.2 times faster than other passwordless authentication solutions like magic links.
Don't spoil SSO's impressive performance with common mistakes. Clerk handles edge cases gracefully, so you don't have to.
Clerk supports a wide range of SSO providers and is always adding more. If you need a provider that isn't listed, please submit a request.
If a user signs in with SSO after having created their account another way, the SSO identity is automatically linked to that original account rather than creating a second one.
MFA is the best way to prevent account takeovers.
Stop 99.9% of account takeovers in their tracks and provide the level of security your users have come to expect.
A text-based digital handshake: a unique, randomly generated code delivered by SMS straight to the user's mobile phone. SMS is the weakest of the factors listed here, since codes can be intercepted or redirected through SIM swapping, so treat it as a fallback rather than the primary factor where you can.
Personal digital locksmiths, creating dynamic, time-based one-time passwords (TOTPs) to secure your online access points.
Hardware keys are your personal digital padlocks, physically securing your data by requiring a unique key from a physical device to unlock your accounts.
Your digital lifeline, granting you access to your account when other forms of authentication are unavailable.
Convert your users to your product in seconds.
Eliminate forgotten passwords and credential stuffing attacks by going passwordless.
Virtual passports, allowing you to swiftly navigate through various platforms using a single trusted account.
One-click gateways, offering a seamless and password-free method to authenticate and access your digital domains securely.
Exclusive digital stamps, presenting a one-time-use password for secure access, delivered directly to your inbox.
Your personalized digital keys, sent directly to your mobile device for secure one-time access.
Clerk commissions third-party testing and assessment based on the OWASP Testing Guide, the OWASP Application Security Verification Standard, and the NIST Technical Guide to Information Security Testing and Assessment.
Cross-Site Scripting (XSS) vulnerabilities are incredibly serious. Clerk reduces what an XSS payload can steal by keeping the credential for authenticated requests to its Frontend API in HttpOnly cookies, which script running in the page cannot read, so the session token itself cannot be exfiltrated through an XSS attack. HttpOnly does not stop injected script from issuing requests that carry the cookie, so XSS still has to be prevented in your own application code.
Most Cross-Site Request Forgery (CSRF) attacks can be prevented by controlling when the browser attaches the session cookie. Clerk handles this configuration on your behalf by setting the SameSite attribute on its cookies, so the browser withholds them from cross-site requests such as a form POST launched from an attacker's page.
Session fixation is a technique for hijacking a user session by getting the victim to authenticate under a session identifier the attacker already knows. Clerk protects against this by issuing a new session token each time a user signs in or out of a browser; the old token is invalidated at that point and can no longer be used for authentication.
Clerk uses NIST guidelines to determine the length and character rules for passwords, and checks prospective passwords against the HaveIBeenPwned breached-password corpus so that known-compromised passwords are rejected. For storage, Clerk hashes passwords with bcrypt, an industry-standard salted, adaptive-cost hashing algorithm.
Instead of sharing cookies across subdomains, Clerk sets multiple independent cookies (one for the main domain and one for the subdomain), so that an attack on Clerk cannot be chained into an attack on your application.
SOC2 Type II
Clerk’s session architecture is purpose-built to be extremely performant and low-latency across the globe. Avoid the effort and complexity it takes to build session management infrastructure and let us obsess about it instead.
Our team is constantly assessing and protecting against the latest threats so you don’t have to. Never again compromise on critical features like session revocation because they take too long to build – Clerk provides them out of the box.
Most modern applications expect users to have separate accounts for business and personal contexts. Clerk’s session management enables users to sign into many accounts at once, and switch as needed.