---
url: 'https://www.corbado.com/faq/passkeys-cross-domain-usage-without-iframe'
title: 'Can passkeys be used on other domains without an iframe?'
description: 'Learn whether passkeys created for one domain can be used across different domains without an iframe, including current browser policies and limitations.'
lang: 'en'
---

# Can passkeys be used on other domains without an iframe?

## Can passkeys bound to one domain be used on another domain without an iframe, and what’s the current browser stance?

Currently, passkeys created for one domain (bound to a specific
[Relying Party](https://www.corbado.com/glossary/relying-party) ID) **cannot** be directly used on another domain
without an [iframe](https://www.corbado.com/blog/iframe-passkeys-webauthn). This restriction is central to
passkeys' strong [phishing](https://www.corbado.com/glossary/phishing)-resistant security model, as passkeys are
strictly associated with their original creation domain.

### Why Domain Binding Exists:

- Domain binding ensures that passkeys cannot be misused on malicious or unrelated sites,
  significantly reducing [phishing attacks](https://www.corbado.com/blog/3ds-authentication-failed).
- The [Relying Party](https://www.corbado.com/glossary/relying-party) ID (domain) is a fundamental security
  measure within the WebAuthn standard.

### Current Browser Stance:

- All major browsers - **Chrome**, **Firefox** and **Safari** - currently enforce strict
  domain-binding rules.
- Passkeys must be used within their original domain context or explicitly allowed via
  secure, embedded [iframe](https://www.corbado.com/blog/iframe-passkeys-webauthn) integrations.

### Proposed Changes ("Related Origins"):

- A new concept called **"Related Origins"** is emerging, allowing closely related domains
  (like subdomains or trusted partner domains) to access passkeys without needing an
  [iframe](https://www.corbado.com/blog/iframe-passkeys-webauthn).
- However, as of now, no browsers officially support
  "[Related Origins](https://www.corbado.com/blog/webauthn-related-origins-cross-domain-passkeys)." There is also
  no specific timeline set by browser vendors for this capability.

### Practical Implication:

To use passkeys across domains today, developers must embed an iframe originating from the
passkey's domain into other domains. This setup maintains security integrity while
enabling [cross-domain authentication](https://www.corbado.com/faq/benefits-passkeys-in-iframes) flows.

In summary, passkeys remain strictly bound to their creation domain unless explicitly
shared via [cross-origin iframe](https://www.corbado.com/faq/cross-origin-iframe-passkey-challenges)
implementations. New concepts like
"[Related Origins](https://www.corbado.com/blog/webauthn-related-origins-cross-domain-passkeys)" may ease
restrictions, but browser support is currently limited.

## Read the full article