Can passkeys be used on other domains without an iframe?

Learn whether passkeys created for one domain can be used across different domains without an iframe, including current browser policies and limitations.

Vincent Delitz

Created: April 7, 2025

Updated: August 13, 2025

Can passkeys bound to one domain be used on another domain without an iframe, and what’s the current browser stance?

Currently, passkeys created for one domain (bound to a specific Relying Party ID) cannot be directly used on another domain without an iframe. This restriction is central to passkeys' strong phishing-resistant security model, as passkeys are strictly associated with their original creation domain.

Why Domain Binding Exists:

  • Domain binding ensures that passkeys cannot be misused on malicious or unrelated sites, significantly reducing phishing attacks.
  • The Relying Party ID (domain) is a fundamental security measure within the WebAuthn standard.

Current Browser Stance:

  • All major browsers - Chrome, Firefox and Safari - currently enforce strict domain-binding rules.
  • Passkeys must be used within their original domain context or explicitly allowed via secure, embedded iframe integrations.
  • A new concept called "Related Origins" is emerging, allowing closely related domains (like subdomains or trusted partner domains) to access passkeys without needing an iframe.
  • However, as of now, no browsers officially support "Related Origins." There is also no specific timeline set by browser vendors for this capability.

Practical Implication:

To use passkeys across domains today, developers must embed an iframe originating from the passkey's domain into other domains. This setup maintains security integrity while enabling cross-domain authentication flows.
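On the relying party's server, the domain binding and the iframe flow described above show up as three values: `origin` and `crossOrigin`/`topOrigin` in `clientDataJSON`, and `rpIdHash` in the authenticator data. The following Node.js sketch of those checks is an added example, not code from the original article; `login.example`, `shop.example` and all function names are assumptions, `topOrigin` is a WebAuthn Level 3 field that the browser has to supply, and challenge and signature verification are left out.

```javascript
// Added example: server-side domain-binding checks on a WebAuthn assertion.
const { createHash } = require("node:crypto");

// Assumed deployment values (hypothetical, not from the article).
const RP_ID = "login.example";
const RP_ORIGIN = "https://login.example";
const ALLOWED_TOP_ORIGINS = new Set(["https://shop.example"]); // sites allowed to embed the iframe

const sha256 = (text) => createHash("sha256").update(text, "utf8").digest();
const fail = (reason) => ({ ok: false, reason });

// clientDataJSON and authenticatorData are Buffers taken from the browser's response.
function checkDomainBinding(clientDataJSON, authenticatorData) {
  let client;
  try {
    client = JSON.parse(clientDataJSON.toString("utf8"));
  } catch (err) {
    return fail("clientDataJSON is not valid JSON");
  }
  if (client === null || typeof client !== "object") return fail("clientDataJSON is not an object");
  if (client.type !== "webauthn.get") return fail("unexpected type");
  // The browser writes origin, so a look-alike page cannot claim the RP's origin.
  if (client.origin !== RP_ORIGIN) return fail("origin mismatch");
  // Inside a cross-origin iframe the browser sets crossOrigin; fail closed when
  // topOrigin is missing or names a site that was never approved to embed us.
  if (client.crossOrigin === true && !ALLOWED_TOP_ORIGINS.has(client.topOrigin)) {
    return fail("embedding site not allowlisted");
  }
  // authenticatorData = rpIdHash (32 bytes) + flags (1) + signCount (4) + optional data.
  if (authenticatorData.length < 37) return fail("authenticatorData too short");
  if (!authenticatorData.subarray(0, 32).equals(sha256(RP_ID))) return fail("rpIdHash mismatch");
  return { ok: true, reason: "bound to " + RP_ID };
}

// Constructed sample input: the two buffers as a browser would return them.
function sampleAssertion(clientFields, rpId) {
  const clientData = { type: "webauthn.get", challenge: "Y29uc3RydWN0ZWQ", ...clientFields };
  const authenticatorData = Buffer.concat([sha256(rpId), Buffer.from([0x05, 0, 0, 0, 1])]);
  return [Buffer.from(JSON.stringify(clientData), "utf8"), authenticatorData];
}

console.log(checkDomainBinding(...sampleAssertion({ origin: RP_ORIGIN }, RP_ID)));
console.log(checkDomainBinding(...sampleAssertion({ origin: "https://login-example.test" }, RP_ID)));
```

The embedding allowlist is the only place where a second domain enters the decision; the passkey itself stays scoped to the RP ID.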

In summary, passkeys remain strictly bound to their creation domain unless explicitly shared via cross-origin iframe implementations. New concepts like "Related Origins" may ease restrictions, but browser support is currently limited.
