What are challenges for passkeys in cross-origin iframes?

What are the main challenges when trying to use passkeys in a cross-origin iframe?#

Implementing passkeys within cross-origin iframes can significantly enhance user experience and security, but there are several common challenges developers frequently encounter:

1. Browser Compatibility#

• Not all browsers uniformly support WebAuthn features in cross-origin iframes. As of now, Chrome and Firefox have implemented both passkey creation and authentication, while Safari supports only authentication.
• This inconsistent support demands thorough cross-browser testing and potentially browser-specific solutions.

2. Permission Policy Configuration#

• Misconfigured HTTP Permissions-Policy headers or missing allow attributes in the iframe can block passkey creation or login functionalities.
• Developers must explicitly enable permissions using:

  <iframe
      src="https://example.com"
      allow="publickey-credentials-get; publickey-credentials-create"
  ></iframe>

Additionally, HTTP headers must align with iframe permissions to ensure correct delegation.

3. Safari-Specific Limitations#

Safari currently doesn't allow passkey creation within cross-origin iframes, returning errors like:

NotAllowedError - The origin of the document is not the same as its ancestors.

There's no immediate workaround; developers must use alternative methods like redirects or pop-up flows for Safari users.

4. Native App WebView Constraints#

Native apps embedding WebViews often face additional restrictions since WebViews typically support only first-party passkeys (same domain as the app).

For third-party scenarios (like payments), developers must switch from embedded WebViews to system WebViews (e.g., ASWebAuthenticationSession on iOS or Custom Tabs on Android), ensuring proper passkey functionality across domains.

By addressing these challenges, developers can successfully implement seamless, secure, and robust passkey integrations within cross-origin iframe contexts.

Read the full blog post#

About Corbado

Corbado is the Passkey Intelligence Platform for CIAM teams running consumer authentication at scale. We help you see what IDP logs and generic analytics tools can't: which devices, OS versions, browsers and credential managers support passkeys, why enrollments don't turn into logins, where the WebAuthn flow fails and when an OS / browser update silently breaks login, all without replacing Okta, Auth0, Ping, Cognito or your in-house IDP. Two products: Corbado Observe layers observability for passkeys and any other login method. Corbado Connect adds managed passkeys with analytics built in (alongside your IDP). VicRoads runs passkeys for 5M+ users with Corbado (+80% passkey activation). Talk to a Passkey Expert →