DEV Community

Cover image for WebAuthn ROR for cross-domain passkeys
Corbado profile image vdelitz
vdelitz for Corbado

Posted on • Originally published at corbado.com

WebAuthn ROR for cross-domain passkeys

#security #javascript #webdev #cybersecurity

Unlocking Cross-Domain Passkeys with WebAuthn Related Origin Requests

As brands expand globally, operating across multiple domains is the norm. Traditionally, FIDO/WebAuthn passkeys—built for phishing-resistant, passwordless authentication—are tightly bound to a single domain, creating friction when users attempt to log in on different country-code top-level domains (ccTLDs) or brand variants. The newly standardized WebAuthn Related Origin Requests (ROR) feature solves this, enabling secure multi-domain passkey usage without compromising on security or user experience.

Core Concepts: How Related Origin Requests Work

WebAuthn Related Origin Requests allow multiple trusted domains to share a single passkey, removing the need for users to manage separate credentials across each domain. ROR works by introducing a public, verifiable allowlist hosted at /.well-known/webauthn on the primary relying party domain. This JSON file explicitly lists authorized related origins, and browsers securely fetch and validate the list to determine if cross-domain passkey usage should be permitted.

Key Elements:

  • Server-side: Configure a well-known JSON file specifying allowed domains.
  • Client-side: Use a shared relying party ID (rpID) for consistent authentication across domains.
  • Browser enforcement: Modern browsers (Chrome, Edge, Safari) validate the allowlist to ensure strict origin verification, maintaining phishing resistance.

Security Foundations: Same-Origin Policy and rpID Scoping

Security is the backbone of WebAuthn. The Same-Origin Policy and rpID scoping prevent unauthorized credential access. ROR provides a secure, standardized mechanism to relax these constraints for brands with multi-domain needs, while ensuring that only explicitly authorized origins can participate. This careful design means phishing protections remain robust, even as authentication becomes more flexible.

Implementation Best Practices for Developers

Implementing WebAuthn Related Origin Requests involves:

  • Creating a /.well-known/webauthn JSON file with a list of trusted domains (up to five origins).
  • Configuring your authentication server to serve this file at the correct path.
  • Ensuring all client applications use the same rpID when initiating passkey authentication.
  • Monitoring browser support and providing graceful fallbacks for browsers lacking ROR capability (notably Firefox, as of 2024).

This approach enables seamless, user-friendly authentication flows across all your brand’s digital properties—without sacrificing security.

Real-World Use Cases: Leading Brands

Major organizations like Microsoft, Shopify, and Amazon leverage ROR to streamline authentication across multiple domains, ensuring consistent branding and secure user journeys. Their adoption highlights the growing maturity of cross-domain passkey strategies, helping set best practices for global multi-domain authentication.

Compatibility and Browser Support

Most modern browsers—including Chrome, Edge, and Safari—support WebAuthn Related Origin Requests, making this solution broadly accessible. However, Firefox does not yet include support, so it’s critical to implement compatibility checks and fallback mechanisms to ensure all users enjoy a smooth experience.

Strategic Considerations and Deployment Limits

When deploying ROR, be mindful of the five-label maximum for related origins and plan your domain strategy accordingly. Consider phased rollouts for existing systems and direct integration for new projects. Automation tools and platforms can further streamline setup and ongoing management.

Streamlining with Corbado

Platforms like Corbado can automate much of the configuration, offer enterprise-grade security, assist with migratory needs, and support integration across complex architectures. Leveraging such solutions can save significant development time and reduce operational risks.

Conclusion: The Future of Passwordless, Multi-Domain Authentication

WebAuthn Related Origin Requests mark a significant milestone, making seamless cross-domain passkey authentication both secure and practical for organizations with diverse web properties. This evolution in WebAuthn standards paves the way for a truly passwordless future, while maintaining industry-leading security standards.

Find out more on our detailed guide and implementation insights

Top comments (0)