New: Passkey Benchmark 2026 - 8 production KPIs to compare your passkey rolloutcompare your passkey rollout
Read full blogpost

Can passkeys be used on other domains without an iframe?

Learn whether passkeys created for one domain can be used across different domains without an iframe, including current browser policies and limitations.

Vincent Delitz
Vincent Delitz

Created: April 7, 2025

Updated: May 12, 2026

passkeys cross domain usage without iframe

Can passkeys bound to one domain be used on another domain without an iframe, and what’s the current browser stance?#

Currently, passkeys created for one domain (bound to a specific Relying Party ID) cannot be directly used on another domain without an iframe. This restriction is central to passkeys' strong phishing-resistant security model, as passkeys are strictly associated with their original creation domain.

Why Domain Binding Exists:#
  • Domain binding ensures that passkeys cannot be misused on malicious or unrelated sites, significantly reducing phishing attacks.
  • The Relying Party ID (domain) is a fundamental security measure within the WebAuthn standard.

Current Browser Stance:#
  • All major browsers - Chrome, Firefox and Safari - currently enforce strict domain-binding rules.
  • Passkeys must be used within their original domain context or explicitly allowed via secure, embedded iframe integrations.
  • A new concept called "Related Origins" is emerging, allowing closely related domains (like subdomains or trusted partner domains) to access passkeys without needing an iframe.
  • However, as of now, no browsers officially support "Related Origins." There is also no specific timeline set by browser vendors for this capability.
WhitepaperEnterprise Icon

Enterprise Passkey Whitepaper (+70 pages). How leaders get +80% adoption. Trusted by Rakuten, Klarna & Oracle.

Get Whitepaper

Practical Implication:#

To use passkeys across domains today, developers must embed an iframe originating from the passkey's domain into other domains. This setup maintains security integrity while enabling cross-domain authentication flows.

In summary, passkeys remain strictly bound to their creation domain unless explicitly shared via cross-origin iframe implementations. New concepts like "Related Origins" may ease restrictions, but browser support is currently limited.

Read the full article#
Corbado

About Corbado

Corbado is the Passkey Intelligence Platform for CIAM teams running consumer authentication at scale. We help you see what IDP logs and generic analytics tools can't: which devices, OS versions, browsers and credential managers support passkeys, why enrollments don't turn into logins, where the WebAuthn flow fails and when an OS / browser update silently breaks login, all without replacing Okta, Auth0, Ping, Cognito or your in-house IDP. Two products: Corbado Observe layers observability for passkeys and any other login method. Corbado Connect adds managed passkeys with analytics built in (alongside your IDP). VicRoads runs passkeys for 5M+ users with Corbado (+80% passkey activation). Talk to a Passkey Expert

iframe passkeys webauthn cover

Read the full article

Discover how to create & login with passkeys in cross-origin iframes with our guide. Learn about iframes in WebAuthn, security policies & implementation.

Read the full article

Read by 5,000+ security leaders.

See what's really happening in your passkey rollout.

Explore the Console

Share this article

LinkedInTwitterFacebook

Table of Contents

Related FAQs

Related Terms