---
title: Users | Keycard
description: Overview of users within the Keycard platform.
---

Users are people who access protected [resources](/concepts/resources/index.md), either directly or by delegating access to [applications](/concepts/applications/index.md) and agents that act on their behalf.

## Credentials

Users authenticate to a [zone](/concepts/zones/index.md) using credentials, including passwords and passkeys, or through single sign-on (SSO) via their identity provider (IdP).

### Passwords

Keycard supports issuing passwords to users. A password is a secret shared between Keycard (where it is stored in a secure hashed format) and the user, who is responsible for keeping it secret.

Passwords and other zone-specific credentials are applicable when there is not an existing user identity system in place, as well as when supporting users who prefer to create accounts rather than sign in via SSO or social login.

Caution

While passwords are a familiar method of signing in for many people, they pose inherent security risks. Keycard recommends disabling passwords entirely, or combining passwords with other authentication factors for increased security.

### Federated

Keycard supports federated credentials, whereby a user logs in via SSO or social login.

In enterprise scenarios, the corporate IdP can be used for employee SSO. Keycard supports Okta, Microsoft Entra, or any provider that implements standard protocols, including OpenID Connect and SAML.

In consumer scenarios, people can sign in using their existing accounts at Google, Apple, or a social network. This is often referred to as social login, and uses the same underlying protocols, including OpenID Connect, OAuth, and SAML.

## Identifiers

Every user has an identifier, a stable, zone-scoped value that uniquely identifies the user. By default, the identifier is the user’s Keycard ID.

Providers can auto-populate identifiers from an ID token claim. See [User Identifier Claim](/concepts/providers/index.md#user-identifier-claim) for details. Identifiers can also be set or updated in Keycard Console or via the management API. Each identifier must be unique within the zone.
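
The identifier rules above can be modelled in a few lines. This is an added example, not Keycard's code or API: the `Zone` class, the `employee_id` claim name, and the `kc-user-*` IDs are hypothetical, and the fallback on a missing claim and the rejection on a collision are assumptions made for illustration.

```python
class IdentifierConflict(Exception):
    """The identifier is already held by another user in the same zone."""

class Zone:
    """Toy model of one zone's identifier table (hypothetical, not Keycard's API)."""

    def __init__(self, name, identifier_claim=None):
        self.name = name
        self.identifier_claim = identifier_claim  # ID token claim to read, if any
        self._owner = {}    # identifier -> Keycard ID of the user holding it
        self._current = {}  # Keycard ID -> identifier currently assigned

    def resolve(self, keycard_id, claims):
        """Use the configured claim when present; otherwise default to the Keycard ID."""
        value = claims.get(self.identifier_claim) if self.identifier_claim else None
        # Assumption: a missing, empty or non-string claim falls back to the default.
        if isinstance(value, str) and value.strip():
            return value.strip()
        return keycard_id

    def assign(self, keycard_id, identifier):
        """Set or update an identifier, enforcing uniqueness within this zone."""
        holder = self._owner.get(identifier)
        if holder is not None and holder != keycard_id:
            # Assumption: reject instead of linking, so a claim value from one
            # provider can never resolve to a different user's record.
            raise IdentifierConflict(f"{identifier!r} is taken in zone {self.name!r}")
        previous = self._current.get(keycard_id)
        if previous is not None and previous != identifier:
            del self._owner[previous]  # release the old value on update
        self._owner[identifier] = keycard_id
        self._current[keycard_id] = identifier
        return identifier

def demo():
    """Constructed users and claims; returns the outcome of each case."""
    corp = Zone("corp", identifier_claim="employee_id")
    partners = Zone("partners", identifier_claim="employee_id")
    out = {}
    out["from_claim"] = corp.assign("kc-user-1", corp.resolve("kc-user-1", {"employee_id": "E1001"}))
    out["default"] = corp.assign("kc-user-2", corp.resolve("kc-user-2", {"sub": "abc"}))
    # Same value in a different zone is fine: uniqueness is zone-scoped.
    out["other_zone"] = partners.assign("kc-user-9", partners.resolve("kc-user-9", {"employee_id": "E1001"}))
    try:
        corp.assign("kc-user-3", corp.resolve("kc-user-3", {"employee_id": "E1001"}))
        out["conflict"] = False
    except IdentifierConflict:
        out["conflict"] = True
    return out
```

Calling `demo()` returns the result of each case: an identifier taken from the claim, the Keycard ID default, the same value accepted in a second zone, and the rejected duplicate within one zone.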

## Registration

Keycard supports private and public modes for user registration.

### Private

In private mode, users must be explicitly invited via their email address by an administrator or have a pre-existing account at a configured IdP. This is necessary for internal or private domains such as a company, organization, or family.

### Public

In public mode, users are free to create accounts or sign in using any configured identity provider. This is useful when providing a product or service to the general public.
