
ForgeRock: Product Evolution and Passkey Capabilities

A deep-dive ForgeRock passkey analysis. Explore ForgeRock's history, the Ping Identity merger and its passwordless capabilities, limitations and future.

Vincent Delitz


Created: August 13, 2025

Updated: August 14, 2025



1. Introduction: A New Era for a Legacy Platform

The Identity and Access Management (IAM) landscape is undergoing a period of intense consolidation and technological disruption. An important event in this transformation was the acquisition of ForgeRock by private equity firm Thoma Bravo for approximately $2.3 billion, a transaction completed on August 23, 2023. Immediately following the acquisition, ForgeRock was merged into Ping Identity, another Thoma Bravo portfolio company, creating a new IAM powerhouse explicitly positioned to challenge market leaders like Okta. This merger promises to leverage the strengths of both platforms, offering customers a more complete identity solution with enhanced services and broader innovation.

Simultaneously, the industry is accelerating its transition away from traditional passwords, a primary vector for cyberattacks. Stolen credentials were implicated in nearly a third of all data breaches over the past decade, and they accounted for half of all breaches reported in 2021. In response, the industry has rallied around a new standard: passkeys. Built upon the FIDO2 and WebAuthn specifications, passkeys offer a phishing-resistant, user-friendly alternative that replaces passwords with cryptographic key pairs tied to a user's device.

This report provides a definitive analysis of ForgeRock at this critical juncture. It first dissects the company's complex history, tracing its evolution from an open-source champion to a core component of the new, unified Ping Identity. Understanding this legacy is essential to grasping the architecture and culture embedded in its products. Second, it conducts an in-depth technical assessment of the ForgeRock platform's capabilities for implementing passkeys, examining not just its offerings but also its documented limitations and the strategic considerations for deployment. The objective is to equip technical practitioners, IAM architects, and security leaders with the nuanced understanding required to navigate the future of this influential platform in a passwordless, passkey-first world.

2. The ForgeRock Saga: From Open-Source Champion to IAM Powerhouse

To comprehend the ForgeRock platform's current state and future trajectory, one must first understand its unique lineage - a journey that began in the open-source community, transitioned to a successful commercial enterprise, and has now entered a new phase of consolidation. This history directly informs the platform's architectural strengths, its market position, and the ecosystem that surrounds it.

2.1 Genesis: The Sun Microsystems Legacy and the Oracle Fork (2010)

ForgeRock's story begins not in a startup incubator but in the aftermath of a major industry acquisition. The company was founded in Norway in February 2010 by a group of former Sun Microsystems employees. The catalyst for its creation was Oracle Corporation's acquisition of Sun Microsystems. Following the takeover, Oracle signaled its intent to phase out Sun's open-source identity and access management software in favor of its own proprietary products.

Faced with the discontinuation of the projects they had helped build and support, the founders established ForgeRock with a clear mission: to fork the original Sun open-source codebases and continue their development independently. This act of preservation rescued several key projects from potential abandonment, including OpenSSO (an access management and single sign-on solution), OpenDS (a directory service), and OpenIDM (an identity management project).

2.2 The Open-Source Era (c. 2010-2016): Building the I³ Platform

In its early years, ForgeRock was a staunch advocate for open-source software. To avoid trademark conflicts with Oracle, which retained the rights to the original names, the forked projects were rebranded. OpenSSO became OpenAM, OpenDS was renamed OpenDJ, and a new reverse proxy project was introduced as OpenIG. The identity management project was initially known as OpenIDM.

Together, these components formed the foundation of what ForgeRock marketed as the "I³ Open Identity Platform". The vision was to provide a comprehensive, 100% open-source stack for identity-oriented middleware, covering authentication, access management, identity lifecycle management and directory services. This commitment to open standards and a free, downloadable codebase was central to the company's early identity. It fostered a vibrant community of developers and system integrators, leading to significant traction with global enterprises and government organizations that valued the flexibility and transparency of an open-source model. The company actively maintained public repositories on GitHub, encouraging contributions and providing extensive documentation for the community editions of its software.

2.3 The Commercial Shift: The ForgeRock Identity Platform

Around 2016 and 2017, ForgeRock executed a significant strategic pivot that would define its path to commercial success. In a move that was met with controversy in the open-source community, the company effectively closed the source code for its main products. Without a formal public announcement, ForgeRock ceased new development on the permissively licensed community versions, renamed OpenAM to ForgeRock Access Management, and began distributing its software primarily under a paid, commercial license.

This shift was a pragmatic business decision, enabling the company to generate the recurring revenue necessary to fund enterprise-grade research and development, provide 24/7 support, and compete effectively against established commercial IAM vendors. However, the move was seen by some in the community as a departure from its founding principles. This led to the creation of independent, community-driven forks of OpenAM, such as the "Open Identity Platform Community" and "Wren Security's Wren:AM," which aimed to continue the open-source legacy.

Under the new commercial model, the individual products were unified under a single brand: the ForgeRock Identity Platform. This integrated suite, comprising Access Management (AM), Identity Management (IDM), Directory Services (DS), and Identity Gateway (IG), was engineered from the ground up for the high-scale and complex demands of modern digital enterprises, particularly in Customer IAM (CIAM) and the Internet of Things (IoT).

2.4 Corporate Milestones: From Venture Funding to IPO

The commercial strategy proved successful, attracting significant investment. Over its lifetime as an independent company, ForgeRock raised a total of $234 million across five funding rounds from prominent investors, including Accel Partners, KKR, and Accenture. This period of growth culminated in a major milestone on September 16, 2021, when ForgeRock went public on the New York Stock Exchange under the ticker symbol "FORG". The company priced its IPO at $25 per share, raising $275 million and achieving a market valuation of nearly $3 billion on its debut.

2.5 A New Chapter: The Thoma Bravo Acquisition and Ping Identity Merger (2022-2023)

ForgeRock's time as a public company was relatively brief. On October 11, 2022, the leading software investment firm Thoma Bravo announced a definitive agreement to acquire ForgeRock in an all-cash transaction valued at approximately $2.3 billion. The deal represented a significant premium for shareholders and was unanimously approved by ForgeRock's board.

After receiving shareholder and regulatory approvals, the acquisition was completed on August 23, 2023. In a transformative move for the IAM market, Thoma Bravo immediately announced that ForgeRock would be merged into Ping Identity, another major IAM vendor in its portfolio. The stated goal of this consolidation is to create an identity security powerhouse with the scale and breadth to compete more effectively against market leader Okta, offering customers enhanced products, broader geographic support, and accelerated innovation. The combined entity has assured customers that both the ForgeRock and Ping Identity product portfolios will continue to be developed and supported, with a long-term roadmap focused on unifying the platforms and services. This complex history, from an open-source fork to a key piece in a multi-billion-dollar market consolidation, provides the essential context for evaluating the platform's capabilities today.

3. Deconstructing the ForgeRock Product Suite

The ForgeRock Identity Platform is a comprehensive suite of products designed to manage and secure identities across an entire enterprise ecosystem, from customers and employees to devices and APIs. Understanding the function of each core component and its naming evolution is crucial for any architect or developer working with the platform.

3.1 The Core Components

The platform is built on four primary products, each descended from the original open-source projects, complemented by a cloud-native delivery model.

  • ForgeRock Access Management (AM): As the centerpiece of the platform, AM provides a full spectrum of access control capabilities. It handles user authentication through a wide range of methods, enables single sign-on (SSO) across applications, and enforces authorization policies. Its Intelligent Authentication engine uses configurable "trees" or "journeys" to create dynamic, context-aware authentication flows. AM is a market leader in federation, with robust support for standards like SAML 2.0, OpenID Connect (OIDC), and OAuth 2.0, making it a central hub for connecting to both modern and legacy applications.

  • ForgeRock Identity Management (IDM): This component governs the entire lifecycle of an identity. IDM automates processes such as user provisioning (creating accounts in downstream systems), de-provisioning, synchronization between different identity stores, and reconciliation to ensure data consistency. It features a powerful workflow engine based on the BPMN 2.0 standard, allowing organizations to design complex approval processes and identity-driven business logic.

  • ForgeRock Directory Services (DS): A high-performance, internet-scale directory service, DS is built to store and manage massive volumes of identity data for users, devices, and things. It is fully compliant with the LDAPv3 standard but also exposes data through modern REST APIs, providing flexibility for developers. For ensuring high availability and disaster recovery, DS supports multi-master replication, allowing for always-on services.

  • ForgeRock Identity Gateway (IG): IG acts as a standalone policy enforcement point, typically deployed as a reverse proxy in front of applications. Its primary function is to protect web applications and APIs that do not natively support modern federation standards like SAML or OIDC. IG can intercept requests, enforce authentication and authorization policies by communicating with AM, and then securely replay credentials to the backend application, effectively enabling SSO for legacy systems.

  • ForgeRock Identity Cloud: This is the software-as-a-service (SaaS) version of the platform, offering the core capabilities of AM, IDM, and DS in a managed, multi-tenant cloud environment. Following the merger with Ping Identity, this offering has been renamed to PingOne Advanced Identity Cloud.

3.2 Product Naming and Evolution

Initially, each product had its own versioning scheme. However, ForgeRock later moved to a more unified platform versioning model. For instance, the "ForgeRock Identity Platform 7.4" release includes Access Management 7.4, Identity Management 7.4, and Directory Services 7.4. The Identity Gateway diverged from this, adopting a date-based versioning scheme, such as IG 2023.9, to better align with its release cadence. The platform is complemented by a suite of SDKs for iOS, Android, and JavaScript, which have their own version numbers and are now being integrated into the unified Ping Identity developer ecosystem.

To clarify the product lineage, the following table serves as a "Rosetta Stone," mapping the original project names to their modern commercial and post-merger equivalents. This is an indispensable reference for anyone navigating older documentation, community forums, or configuration files.

| Original Sun Project | ForgeRock Open-Source Name (c. 2010-2016) | ForgeRock Commercial Name (c. 2017-2023) | Post-Merger Nomenclature (2023+) |
|---|---|---|---|
| OpenSSO | OpenAM | ForgeRock Access Management (AM) | PingAM / Part of Ping Identity Platform |
| OpenIDM | OpenIDM | ForgeRock Identity Management (IDM) | PingIDM / Part of Ping Identity Platform |
| OpenDS | OpenDJ | ForgeRock Directory Services (DS) | PingDS / Part of Ping Identity Platform |
| (ForgeRock Original) | OpenIG | ForgeRock Identity Gateway (IG) | PingGateway / Part of Ping Identity Platform |
| (ForgeRock Original) | N/A | ForgeRock Identity Cloud | PingOne Advanced Identity Cloud |

3.3 Historical Product Evolution Chart

The following chart illustrates the journey of the core products from their origins at Sun Microsystems to their current state within the unified Ping Identity portfolio.

4. Assessing Passkey Capabilities

As the industry moves to passwordless authentication, the ability of an IAM platform to robustly support passkeys has become a critical measure of its viability. This section provides a technical evaluation of the ForgeRock platform's passkey capabilities, from the underlying standards to the practical implementation of user journeys.

4.1 The Foundation: Native Support via FIDO2 and WebAuthn

ForgeRock's support for passkeys is not a recent addition but is fundamentally rooted in its early implementation of the underlying industry standards: FIDO2 and Web Authentication (WebAuthn). Passkeys are a consumer-friendly branding and implementation of FIDO2 discoverable credentials, which are designed to be synchronized across a user's devices via a cloud provider like Apple iCloud Keychain or Google Password Manager.

Because the ForgeRock Identity Platform was built to support the core WebAuthn specification, it can handle both device-bound FIDO credentials (where the private key never leaves a single physical device) and synced passkeys without requiring fundamental platform upgrades or architectural changes. The platform's access management component does not inherently differentiate between a device-bound key and a synced passkey during the authentication ceremony. It simply processes the WebAuthn assertion according to the standard. This standards-based approach ensures forward compatibility and broad device support.

The primary mechanism for implementing passkey authentication within ForgeRock Access Management is through its orchestration engine, known as Intelligent Access Trees (or "Journeys" in the cloud offering). These are graphical, no-code/low-code workflows that allow administrators to define authentication and registration logic by connecting various functional nodes.

4.2 Current Offerings: The Implementation Landscape

The practical implementation of passkeys relies on a combination of server-side orchestration nodes and client-side SDKs.

  • Authentication Nodes: The core building blocks for any passkey flow are two specific nodes within an Access Management tree:

    • WebAuthn Registration Node: This node initiates the process of registering a new FIDO2 device or passkey for a user. When a user's journey reaches this node, it triggers the browser or operating system to display the native passkey creation prompt (e.g., "Save a passkey for..."), which is then handled by the device's authenticator (e.g., using Face ID, a fingerprint, or a PIN).
    • WebAuthn Authentication Node: This node is used during login to challenge the user to authenticate with a previously registered passkey. It triggers the native OS/browser prompt for passkey selection and verification.
  • Configuration: Administrators have granular control over the authentication experience through the properties of these nodes. For example, the user verification requirement property can be set to REQUIRED to enforce a biometric or PIN check, effectively making it a multi-factor authentication step. Setting it to DISCOURAGED might allow a simpler tap-to-authenticate experience, suitable for a second-factor scenario. Similarly, the authenticator attachment property can be configured to prefer CROSS_PLATFORM authenticators (like a YubiKey) or PLATFORM authenticators (like Windows Hello or Touch ID).

  • SDKs: For seamless integration into custom web and native mobile applications, developers must use the ForgeRock SDKs (now being unified under the Ping Identity brand) for JavaScript, iOS, and Android. These SDKs act as a bridge, simplifying the interaction between the application, the platform's authentication trees, and the device's native WebAuthn APIs. They manage the complex back-and-forth communication required to initiate and complete the passkey registration and authentication ceremonies.

4.3 The End-to-End User Journey: Registration, Login, and Recovery

Using these components, an organization can build complete passwordless user journeys.

  • Registration: A typical passkey registration flow begins after a user's identity has been established through another method (e.g., initial login with a password, or verification via an email link). The user is then directed through a journey containing the WebAuthn Registration Node, which prompts them to create and save a passkey. Once registered, users can typically manage their authenticators—for instance, renaming a device from "My Laptop" to "Work MacBook" or removing a lost device—through a self-service portal built into the platform.

  • Login: A passkey login flow is initiated by the WebAuthn Authentication Node. A key benefit of discoverable credentials (passkeys) is the ability to enable a "usernameless" login. The user simply clicks "Sign in with a passkey," and the browser presents a list of available passkeys for that site. Upon selection and verification (e.g., with a fingerprint), the authenticator provides the necessary cryptographic proof to the server, which both identifies and authenticates the user in a single step.

  • Account Recovery: This is the most critical and challenging aspect of a passkey-centric identity system. The native ForgeRock documentation and self-service features are heavily oriented around traditional recovery methods: "forgotten password" and "forgotten username" flows. These processes typically rely on sending a reset link to a verified email address or asking knowledge-based questions (KBA). This presents a fundamental gap for a true passwordless user. If a user loses all devices on which their passkey is stored (e.g., their phone and laptop are both lost or stolen), they cannot use a password reset flow because no password exists to be reset. The industry best practice, recommended by the FIDO Alliance, is to re-run the initial identity proofing process to re-establish the user's identity before allowing them to register a new passkey. This is not a standard, out-of-the-box journey in the ForgeRock platform. It would require a custom-built recovery tree that integrates with third-party Identity Verification (IDV) services. While the platform provides tools like the Recovery Code Display node, which can offer one path, a comprehensive and secure recovery strategy remains a significant implementation responsibility for the organization.
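The Login flow and the user verification property described above, seen from the relying party's side, as an added example that is not ForgeRock or Ping code: it verifies a usernameless assertion, enforces a `required` user-verification policy on the UV flag, and reads the BE/BS flags, which are the only visible difference between a device-bound key and a synced passkey (section 4.1). The rpId `login.example.com`, the credential store shape and all function names are assumptions, and the sample assertions are constructed in software.

```javascript
// Added example, not ForgeRock/Ping code: relying-party checks for a
// usernameless WebAuthn assertion. rpId, origin and all names are assumptions.
const crypto = require("node:crypto");

const sha256 = (data) => crypto.createHash("sha256").update(data).digest();
const check = (ok, msg) => { if (!ok) throw new Error(msg); };

// Bits of the authenticator data flags byte (WebAuthn Level 3).
const FLAG = { UP: 0x01, UV: 0x04, BE: 0x08, BS: 0x10 };

function parseAuthenticatorData(authData) {
  check(authData.length >= 37, "authenticatorData too short");
  const flags = authData[32];
  return {
    rpIdHash: authData.subarray(0, 32),
    userPresent: (flags & FLAG.UP) !== 0,
    userVerified: (flags & FLAG.UV) !== 0,
    backupEligible: (flags & FLAG.BE) !== 0, // credential may be synced
    backedUp: (flags & FLAG.BS) !== 0, // credential is currently backed up
    signCount: authData.readUInt32BE(33),
  };
}

// policy: { rpId, origin, challenge (base64url), userVerification }
// credentials: Map credentialId -> { username, userHandle, publicKey, signCount }
// (publicKey is assumed to be stored as a KeyObject, already decoded from COSE).
function verifyAssertion(assertion, policy, credentials) {
  const clientData = JSON.parse(assertion.clientDataJSON.toString("utf8"));
  check(clientData.type === "webauthn.get", "wrong ceremony type");
  check(clientData.challenge === policy.challenge, "challenge mismatch");
  check(clientData.origin === policy.origin, "origin mismatch");

  const ad = parseAuthenticatorData(assertion.authenticatorData);
  check(ad.rpIdHash.equals(sha256(policy.rpId)), "rpId mismatch");
  check(ad.userPresent, "user presence flag not set");
  // "required" has to be enforced on the UV flag; asking the client is not enough.
  check(policy.userVerification !== "required" || ad.userVerified, "user verification required");
  check(ad.backupEligible || !ad.backedUp, "invalid BE/BS flags");

  // Usernameless login: no username was typed, so the account is resolved from
  // the credential id and cross-checked against the returned userHandle.
  const cred = credentials.get(assertion.credentialId);
  check(cred, "unknown credential");
  check(cred.userHandle.equals(assertion.userHandle), "userHandle mismatch");

  // The signature covers authenticatorData || SHA-256(clientDataJSON).
  const signed = Buffer.concat([assertion.authenticatorData, sha256(assertion.clientDataJSON)]);
  check(crypto.verify("sha256", signed, cred.publicKey, assertion.signature), "bad signature");

  // Synced passkeys commonly report 0; otherwise the counter must increase.
  const counterInUse = ad.signCount !== 0 || cred.signCount !== 0;
  check(!counterInUse || ad.signCount > cred.signCount, "signature counter did not increase");
  cred.signCount = ad.signCount;

  return {
    username: cred.username,
    userVerified: ad.userVerified,
    // The ceremony is identical for both kinds; only BE/BS tell them apart.
    credentialType: ad.backupEligible ? "multi-device" : "single-device",
    backedUp: ad.backedUp,
  };
}

// Constructed sample input: a software stand-in for an authenticator.
function makeSampleAssertion(key, { challenge, flags, origin = "https://login.example.com" }) {
  const authenticatorData = Buffer.alloc(37); // signCount stays 0
  sha256("login.example.com").copy(authenticatorData, 0);
  authenticatorData[32] = flags;
  const clientDataJSON = Buffer.from(JSON.stringify({ type: "webauthn.get", challenge, origin }));
  const toSign = Buffer.concat([authenticatorData, sha256(clientDataJSON)]);
  const signature = crypto.sign("sha256", toSign, key.privateKey);
  const userHandle = Buffer.from("user-42");
  return { credentialId: "cred-1", userHandle, authenticatorData, clientDataJSON, signature };
}

function demo() {
  const key = crypto.generateKeyPairSync("ec", { namedCurve: "prime256v1" }); // P-256
  const credentials = new Map([["cred-1", {
    username: "alice", userHandle: Buffer.from("user-42"), publicKey: key.publicKey, signCount: 0,
  }]]);
  // One challenge is reused below for brevity; real challenges are single-use.
  const challenge = crypto.randomBytes(32).toString("base64url");
  const policy = { rpId: "login.example.com", origin: "https://login.example.com",
    challenge, userVerification: "required" };
  const outcome = (assertion, p = policy) => {
    try { return verifyAssertion(assertion, p, credentials); } catch (e) { return e.message; }
  };
  const tap = makeSampleAssertion(key, { challenge, flags: FLAG.UP });
  return {
    syncedPasskey: outcome(makeSampleAssertion(key, { challenge, flags: 0x1d })), // UP|UV|BE|BS
    tapOnlyRequired: outcome(tap),
    tapOnlyDiscouraged: outcome(tap, { ...policy, userVerification: "discouraged" }),
    wrongOrigin: outcome(makeSampleAssertion(key,
      { challenge, flags: FLAG.UP | FLAG.UV, origin: "https://login.example.net" })),
  };
}

console.log(demo());
```

The same tap-only assertion is rejected under `required` and accepted under `discouraged`, which is why the node property only acts as a second factor when the server checks the flag.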

The platform's approach can be summarized as providing a powerful but low-level "toolkit" for passkeys, rather than a pre-packaged, turnkey "solution." The marketing of "out-of-the-box support" is technically correct at the protocol level, but it obscures the significant implementation complexity required to build a seamless and secure end-to-end user experience. This distinction becomes clear when examining the platform's limitations and the market for third-party solutions that aim to fill these gaps.

5. Limitations, Gaps, and Strategic Considerations

While the ForgeRock/Ping platform provides a robust and flexible foundation for passkey implementation, a critical analysis reveals technical limitations, practical gaps, and significant strategic considerations that organizations must address. Acknowledging these challenges is essential for realistic project planning and risk mitigation.

5.1 Technical Hurdles and Platform Dependencies

The platform's passkey support, being tied to the WebAuthn standard, inherits both the standard's strengths and its environmental dependencies and limitations.

  • Platform and Regional Limitations: A significant constraint exists within the ForgeRock Android SDK, which relies on the Google Fido2Library. This library, in turn, requires Google Play Services to function. This dependency makes it unfeasible to deploy passkey-based Android applications in markets where Google services are blocked or unavailable, such as in mainland China. This is a critical consideration for global organizations.

  • Attestation and Client-Side Issues: The platform has known gaps in its ability to enforce the security posture of the client device. For instance, the unified Ping platform does not support Android-key attestation, a mechanism that allows the server to verify the integrity and security properties of the hardware-backed keystore on an Android device. This can be a deal-breaker for high-assurance scenarios where verifying the trustworthiness of the authenticator is paramount. Furthermore, the user experience can be fragile; on Apple devices, simply clearing Safari's browser history and website data can break the FIDO registration, forcing the user to re-enroll their passkey. This non-intuitive behavior can lead to significant user frustration and an increase in help desk calls.

  • Proprietary Control vs. Standard Interoperability: The platform's documentation reveals a key architectural trade-off. ForgeRock offers a proprietary mechanism called Device Binding/JWS Verification that provides deeper control than the WebAuthn standard. For example, device binding allows for the signing of custom data (such as transaction details for financial-grade security) and provides APIs for programmatic key deletion, which simplifies device management. By choosing the WebAuthn standard for its broad interoperability and support for passkeys, organizations must forgo this granular control. This decision between open standards and enhanced proprietary features is a common and important architectural choice.

5.2 The Implementation and Adoption Gap

The availability of technical components does not automatically translate to a successful passkey deployment. Industry expert analyses highlight a significant gap between the platform's native passkey capabilities and what is required for a smooth, high-adoption deployment.

  • High Complexity and Cost: Some assessments suggest that building a complete passkey solution using the native ForgeRock toolkit is a major undertaking. These projects are estimated to have implementation cycles of 12 to 36 months and require a dedicated engineering team with deep expertise in identity, security, and user experience design.

  • Low User Adoption of Generic Flows: Without careful design, the user journeys built with the native tools can be clunky and confusing. This poor user experience (UX) often leads to very low adoption rates (potentially as low as 5-10%). Such low uptake means the organization fails to realize the primary benefits of passkeys, such as reduced help desk costs from password resets and enhanced security from phishing resistance.

  • Lack of Actionable Analytics: The native platform provides basic audit and debug logs but lacks the sophisticated, business-oriented analytics required to effectively manage a passkey rollout. It does not offer out-of-the-box tools to track user adoption funnels, measure the ROI of the passkey initiative, or A/B test different user journeys to optimize conversion rates. This makes it difficult for business leaders to justify the investment and for product teams to iterate and improve the experience.

This gap between the native toolkit and a fully realized solution has created an opportunity for specialized third-party vendors. These companies offer solutions that sit on top of the ForgeRock/Ping platform to accelerate deployment and improve outcomes due to higher passkey adoption. The decision an organization faces is therefore not just whether to use the platform for passkeys, but whether to build the solution themselves using the native tools or buy a pre-packaged solution from a vendor like Corbado.

| Capability | Native ForgeRock/Ping Platform | Specialized Third-Party (e.g. Corbado) |
|---|---|---|
| Time to Market | High (12-36 months projected) | Low (1-3 months projected) |
| Implementation Cost | High (requires dedicated engineering team) | Low (minimal integration effort) |
| User Adoption & UX | Low (5-10%) due to generic flows requiring custom development | High (80%+) with pre-built, optimized, passkey-first UX |
| Analytics & Insights | Basic logs, no funnel analytics | Full login funnel, passkey KPIs, user journey insights |
| Path to Full Passwordless | Unclear; requires custom strategy for retiring fallbacks | Clear, phased rollout plan to eliminate passwords |

5.3 The Account Recovery Conundrum

Perhaps the single greatest challenge in moving to a fully passwordless model is account recovery. The traditional "forgot password" flow is a well-understood, albeit insecure, process. Passkeys, being tied to a user's collection of devices, fundamentally break this model. If a user loses access to all devices where their passkey is synced - a scenario known as "all keys lost" - they are effectively locked out of their account.

The ForgeRock platform's default self-service tools are heavily oriented around password management, offering flows for password reset and username retrieval. These are insufficient for a user who has no password to begin with. The FIDO Alliance's official recommendation for this scenario is to have the user re-prove their identity through a high-assurance process, effectively re-running the initial onboarding or identity verification (IDV) step.

This is not a trivial feature to implement. It requires building a custom recovery journey within the platform that integrates with external IDV providers, which might involve document scanning, liveness checks, or other forms of identity proofing. This represents a significant hidden cost and complexity in any passkey project. It is not merely a technical challenge but a major operational and business process that must be designed, funded, and built before an organization can safely and responsibly deploy passkeys at scale. Failure to adequately plan for account recovery can lead to irreversible user lockouts and a catastrophic user experience.

6. The Road Ahead: The Future of Passkeys at Ping Identity

Navigating the future of the unified ForgeRock and Ping Identity platform requires a clear understanding of the company's stated roadmap, a realistic assessment of its priorities, and a set of strategic recommendations for architects planning their own passwordless journeys.

6.1 The Unified Platform Vision and Roadmap

Public statements from the newly combined entity have, understandably, focused on the high-level vision of platform integration rather than granular, feature-level details. The overarching goal is to create a more complete identity solution by leveraging the strengths of both legacy companies.

The key priorities articulated in the public roadmap include:

  • Service Consolidation and Cross-Pollination: Making services from one platform available to customers of the other. For example, ForgeRock customers will be able to consume PingOne services like the DaVinci no-code orchestration engine, Protect risk and fraud detection, and Verify identity proofing. Conversely, Ping customers will gain access to ForgeRock's robust identity lifecycle management and cloud-native identity governance capabilities.

  • Unified Administration and Experience: A long-term goal is to create a unified cloud administration console for all SaaS solutions, providing a single pane of glass for managing the combined portfolio. Unifying the directory services, mobile apps, and SDKs is also part of this vision to ensure a common experience for both administrators and end-users.

However, there is a notable absence of specific, detailed roadmap commitments for enhancing the native passkey implementation in the available materials. There are no explicit mentions of plans to build out pre-packaged, high-adoption user journeys, advanced passkey analytics, or turnkey account recovery flows. This suggests that engineering resources in the near term are likely focused on the monumental task of integrating the two massive platforms.

6.2 Analyst Outlook and Strategic Recommendations

The immediate future of the platform will be defined by integration, not by net-new feature development in areas like passkey user experience. Merging two mature, complex IAM platforms is a multi-year engineering effort. The roadmap's focus on service consolidation and unified administration confirms that this internal work is the top priority.

Therefore, organizations planning to use the platform for passkey authentication should not wait for a future release to solve the implementation challenges that exist today. The "toolkit" approach, which provides the foundational nodes and SDKs but leaves the journey construction to the customer, is likely to persist for the medium term. Strategic decisions must be based on the platform's capabilities as they exist now, with the understanding that the most significant evolution will be in how the ForgeRock and Ping components are integrated, not in the creation of simplified, out-of-the-box passkey solutions.

Given this landscape, architects and security leaders should adopt a pragmatic and strategic approach to their passwordless initiatives on the ForgeRock/Ping platform.

  • Conduct a Formal "Build vs. Buy" Analysis: Organizations must perform a clear-eyed analysis of their internal capabilities versus their strategic goals. For teams that prioritize speed-to-market and a guaranteed high-quality user experience, and who may lack deep identity engineering resources, procuring a third-party overlay solution that specializes in passkey UX is a viable and potentially more cost-effective strategy. For organizations that require deep customization, have complex integration needs, and possess a mature engineering team, leveraging the native platform's powerful toolkit is the more appropriate path. The comparative table in Section 5.2 provides a framework for this analysis.

  • Prioritize Account Recovery as a Prerequisite: A robust, secure, and user-friendly account recovery strategy for passwordless users is not an afterthought; it is a prerequisite for any large-scale deployment. This process must be designed, budgeted, and built from day one. This will likely involve integrating third-party identity verification (IDV) services into a custom-built Access Management journey.

  • Monitor the Unified Roadmap for Key Integrations: While the roadmap may not detail specific passkey features, it does promise powerful new integrations. The availability of Ping's DaVinci orchestration engine for ForgeRock customers, for example, could provide a more advanced and visually intuitive tool for building the complex logic required for sophisticated account recovery flows. Architects should stay informed about these developments, as they may offer new and better ways to solve existing challenges.

7. Conclusion

The story of ForgeRock is one of remarkable evolution - from its origins as a defiant open-source fork to its current position as a cornerstone of a newly formed IAM giant. This rich heritage has produced an immensely powerful and flexible identity platform, capable of handling the most demanding enterprise use cases. Its support for passkeys is built on a solid, standards-compliant foundation, positioning it as a key enabler of the passwordless future.

However, realizing the full potential of this future requires a clear-eyed understanding of the platform's nature. The path to a seamless passkey experience is not a simple configuration change but a significant architectural and development project. The platform provides a world-class toolkit of WebAuthn nodes, orchestration capabilities, and SDKs, but the responsibility for designing, building, and securing the end-to-end user journeys - particularly the formidable challenge of account recovery - rests firmly with the implementing organization.

For architects and developers, the unified ForgeRock and Ping Identity platform offers unparalleled control and flexibility. Yet, this power comes with the responsibility of craftsmanship. The success of any passkey initiative on this platform will depend less on the tools themselves and more on the strategic vision, technical expertise, and user-centric design principles brought to bear by the teams who wield them. The legacy is powerful, the future is promising, but the path forward is one that demands careful planning and deliberate execution.
