Why do payment providers prefer redirects over embeddings?

Some payment providers prefer redirect-based passkeys instead of embedding passkey authentication directly into the merchant’s checkout page due to critical advantages related to browser compatibility, security, and ease of implementation:

Redirect flows operate fully in the payment provider's domain, bypassing cross-origin restrictions. Unlike embedded iframe methods, redirects guarantee consistent support across all major browsers—including Safari, which currently restricts passkey creation in cross-origin contexts.

Redirect-based passkey implementations eliminate complex permission configurations and reduce the likelihood of encountering compatibility issues or browser-specific bugs, significantly decreasing development overhead.

Operating entirely within the payment provider’s secure domain environment simplifies adherence to security standards such as PCI DSS and PSD2 SCA, ensuring better protection against potential cross-origin vulnerabilities.

While redirect flows may slightly disrupt the seamless user experience by temporarily taking users away from the merchant's site, careful UX design (such as clearly communicating the redirect process and swiftly returning users after authentication) can minimize friction.

• Clearly communicate to users that they'll briefly visit the provider's domain for secure authentication.
• Ensure rapid redirects back to the merchant’s page after authentication.
• Optimize UX elements to closely resemble a native, frictionless authentication experience.

By employing redirect-based passkeys, payment providers achieve broader compatibility, enhanced security, and simplified integration, making it an attractive option despite potential minor UX trade-offs.