Get your free and exclusive +30-page Authentication Analytics Whitepaper
Read the full blog post

Can passkeys be used on other domains without an iframe?

Learn whether passkeys created for one domain can be used across different domains without an iframe, including current browser policies and limitations.

Vincent Delitz
Vincent Delitz

Created: April 7, 2025

Updated: May 12, 2026

passkeys cross domain usage without iframe

Can passkeys bound to one domain be used on another domain without an iframe, and what’s the current browser stance?#

Currently, passkeys created for one domain (bound to a specific Relying Party ID) cannot be directly used on another domain without an iframe. This restriction is central to passkeys' strong phishing-resistant security model, as passkeys are strictly associated with their original creation domain.

Why Domain Binding Exists:#
  • Domain binding ensures that passkeys cannot be misused on malicious or unrelated sites, significantly reducing phishing attacks.
  • The Relying Party ID (domain) is a fundamental security measure within the WebAuthn standard.

Current Browser Stance:#
  • All major browsers - Chrome, Firefox and Safari - currently enforce strict domain-binding rules.
  • Passkeys must be used within their original domain context or explicitly allowed via secure, embedded iframe integrations.
  • A new concept called "Related Origins" is emerging, allowing closely related domains (like subdomains or trusted partner domains) to access passkeys without needing an iframe.
  • However, as of now, no browsers officially support "Related Origins." There is also no specific timeline set by browser vendors for this capability.
WhitepaperEnterprise Icon

Enterprise Passkey Whitepaper. Practical guidance, rollout patterns, and KPIs for passkey programs.

Get Whitepaper

Practical Implication:#

To use passkeys across domains today, developers must embed an iframe originating from the passkey's domain into other domains. This setup maintains security integrity while enabling cross-domain authentication flows.

In summary, passkeys remain strictly bound to their creation domain unless explicitly shared via cross-origin iframe implementations. New concepts like "Related Origins" may ease restrictions, but browser support is currently limited.

Read the full article#
Corbado

About Corbado

Corbado is the Authentication Intelligence Platform for CIAM teams running consumer authentication at scale. We help you see what IDP logs and generic analytics tools can't: where passkeys, passwords, OTP, social login and fallback journeys succeed, stall or fail, which devices and browsers create friction, and when an OS update silently breaks login. Two products: Corbado Observe layers process mining and observability across authentication journeys. Corbado Connect adds managed passkeys with analytics built in alongside your IDP. VicRoads runs passkeys for 5M+ users with Corbado (+80% passkey activation). Talk to a Passkey Expert

Passkeys & iframes: How to Create & Login with a Passkey?

Read the full article

Discover how to create & login with passkeys in cross-origin iframes with our guide. Learn about iframes in WebAuthn, security policies & implementation.

Read the full article

Read by 5,000+ security leaders.

See what's really happening in your passkey rollout.

Explore the Console

Share this article

LinkedInTwitterFacebook

Table of Contents

Related FAQs

Related Terms