As of now, browser support for creating passkeys within third-party (cross-origin) iframes is evolving rapidly, particularly influenced by the WebAuthn Level 3 specification. Here's the current state of support:
Safari: Currently does not support creating passkeys within third-party iframes. Safari allows only authentication (login) via passkeys in cross-origin iframes, but not registration or creation. This limitation is part of Safari's broader restrictions related to cross-origin security. In a payment context, one of the reason for this limitation is that Apple wants to protect its Apple Pay experience and make it stand out against other providers.
Enterprise Passkey Whitepaper. Practical guidance, rollout patterns, and KPIs for passkey programs.
For the most accurate and up-to-date compatibility, always check official browser documentation and release notes.
Corbado is the Authentication Intelligence Platform for CIAM teams running consumer authentication at scale. We help you see what IDP logs and generic analytics tools can't: where passkeys, passwords, OTP, social login and fallback journeys succeed, stall or fail, which devices and browsers create friction, and when an OS update silently breaks login. Two products: Corbado Observe layers process mining and observability across authentication journeys. Corbado Connect adds managed passkeys with analytics built in alongside your IDP. VicRoads runs passkeys for 5M+ users with Corbado (+80% passkey activation). Talk to a Passkey Expert →

Discover how to create & login with passkeys in cross-origin iframes with our guide. Learn about iframes in WebAuthn, security policies & implementation.
Read the full articleRead by 5,000+ security leaders.
Table of Contents