I’ve used them both, but not extensively. In my last project, I gave Devise a shot. I ended up using Rails-Warden instead.
Devise is a full authentication framework built on top of Warden. To customize its looks, you use generators, then edit the resulting views. Its routes, and view logic are hard coded. For example, successful login will always take you to /session/new? This was a dealbreaker or me, I wanted my users to end up on “welcome/index”. Devise is not as well documented, or intuitive as authlogic.
Warden is a middleware framework Devise is based upon. It has plugins for many web authentication schemes (fb, openid, oauth), and it is easy to build a plugin for your own authentication back end. It comes with no UI, and docs are not as good as authlogic.
I ended up using rails-warden because I needed to plugin multiple custom authentication schemes.
Also, see OmniAuth answer below, that’s what I am using in 2012.