Some payment providers prefer redirect-based passkeys instead of embedding passkey authentication directly into the merchant’s checkout page due to critical advantages related to browser compatibility, security, and ease of implementation:
Redirect flows operate fully in the payment provider's domain, bypassing cross-origin restrictions. Unlike embedded iframe methods, redirects guarantee consistent support across all major browsers—including Safari, which currently restricts passkey creation in cross-origin contexts.
Redirect-based passkey implementations eliminate complex permission configurations and reduce the likelihood of encountering compatibility issues or browser-specific bugs, significantly decreasing development overhead.
Because the flow runs entirely within the payment provider’s own domain, adherence to security standards such as PCI DSS and PSD2 SCA is simpler, and exposure to potential cross-origin vulnerabilities is reduced.
While redirect flows may slightly disrupt the seamless user experience by temporarily taking users away from the merchant's site, careful UX design (such as clearly communicating the redirect process and swiftly returning users after authentication) can minimize friction.
By employing redirect-based passkeys, payment providers achieve broader compatibility, enhanced security, and simplified integration, making it an attractive option despite potential minor UX trade-offs.
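The permission configuration an embedded flow depends on, and the point at which a redirect becomes the fallback, can be checked in code. The following is an added example, not code from this article or from any payment provider: it reads the iframe allow attribute and the merchant page's Permissions-Policy header for the publickey-credentials-create and publickey-credentials-get features. The provider origin, the function names and the crossOriginCreateOk flag are assumptions, and the iframe src is assumed to be the provider origin.

```javascript
// Added example: not code from the article or from any payment provider.
// PROVIDER, planPasskeyFlow and crossOriginCreateOk are hypothetical names.
const PROVIDER = "https://pay.provider.example";
const FEATURE = { create: "publickey-credentials-create", get: "publickey-credentials-get" };

// Parse a Permissions-Policy response header into { feature: [allowlist items] }.
function parseHeader(header) {
  const policy = {};
  for (const part of (header || "").split(",")) {
    const m = part.trim().match(/^([a-z-]+)=(\*|\((.*)\))$/);
    if (m) policy[m[1]] = m[2] === "*" ? ["*"] : m[3].split(/\s+/).filter(Boolean);
  }
  return policy;
}

// Parse an iframe allow attribute; a feature listed without origins means 'src'.
function parseAllow(attr) {
  const policy = {};
  for (const part of (attr || "").split(";")) {
    const [feature, ...list] = part.trim().split(/\s+/);
    if (feature) policy[feature] = list.length ? list : ["'src'"];
  }
  return policy;
}

// Decide whether an embedded (iframe) ceremony can work or a redirect is needed.
function planPasskeyFlow({ operation, header, allowAttr, crossOriginCreateOk }) {
  const feature = FEATURE[operation];
  if (!feature) throw new Error(`unknown operation: ${operation}`);
  const redirect = (reason) => ({ flow: "redirect", reason });
  // Browsers that block passkey creation in cross-origin frames need the redirect.
  if (operation === "create" && !crossOriginCreateOk)
    return redirect("browser blocks passkey creation in cross-origin frames");
  // The iframe must delegate the feature to the provider origin.
  const delegated = parseAllow(allowAttr)[feature] || ["'none'"];
  const frameOk = !delegated.includes("'none'") &&
    ["*", "'src'", PROVIDER].some((v) => delegated.includes(v));
  if (!frameOk) return redirect(`iframe allow attribute does not delegate ${feature}`);
  // If the merchant page sets a header allowlist for the feature, it must list the provider.
  const declared = parseHeader(header)[feature];
  if (declared && !["*", `"${PROVIDER}"`].some((v) => declared.includes(v)))
    return redirect(`Permissions-Policy header excludes ${PROVIDER} for ${feature}`);
  return { flow: "embedded", reason: `${feature} is delegated to ${PROVIDER}` };
}

// Constructed sample: the frame is delegated login only, and creation is blocked.
console.log(planPasskeyFlow({ operation: "create", allowAttr: "publickey-credentials-get" }));
```

A redirect result for every merchant configuration except a fully delegated one is the practical reason providers default to the redirect: the top-level provider page needs none of these settings.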