Can I create passkeys in cross-origin iframes?

Yes, creating passkeys within cross-origin iframes is currently possible, but it depends on browser support and specific technical requirements:

• Chrome: Fully supports passkey creation within cross-origin iframes from version 123 onwards, aligning with WebAuthn Level 3.
• Firefox: Fully supports passkey creation within cross-origin iframes, following the WebAuthn Level 3 standard.
• Safari: Does not (yet) support passkey creation in cross-origin iframes. Safari currently supports only passkey authentication (login) within iframes, not registration.

To successfully implement passkey creation in cross-origin iframes, you must:

• Set proper HTTP Permissions-Policy headers:

  Permissions-Policy: publickey-credentials-get=(*), publickey-credentials-create=(*)

• Include the correct allow attribute on your iframe element:

<CustomBanner type="Enterprise" />

* Ensure transient user activation (user gesture like clicks) to initiate the passkey creation.

## Future Browser Outlook

It's not yet clear if Safari and other browsers will eventually support passkey creation in cross-origin contexts in the future.

For production environments, always verify browser compatibility and provide fallback flows for unsupported scenarios, especially for Safari users