diff --git a/pkg/webauthnutil/webauthnutil.go b/pkg/webauthnutil/webauthnutil.go
index 9b86d650e..e7546bf69 100644
--- a/pkg/webauthnutil/webauthnutil.go
+++ b/pkg/webauthnutil/webauthnutil.go
@@ -4,7 +4,8 @@ package webauthnutil
 import (
 "net"
 "net/http"
- "strings"
+
+ "golang.org/x/net/publicsuffix"
 
 "github.com/pomerium/pomerium/pkg/grpc/databroker"
 "github.com/pomerium/webauthn"
@@ -24,8 +25,8 @@ func GetEffectiveDomain(r *http.Request) string {
 if err != nil {
 h = r.Host
 }
- if idx := strings.Index(h, "."); idx >= 0 {
- h = h[idx+1:]
+ if tld, err := publicsuffix.EffectiveTLDPlusOne(h); err == nil {
+ return tld
 }
 return h
 }
diff --git a/pkg/webauthnutil/webauthnutil_test.go b/pkg/webauthnutil/webauthnutil_test.go
index 40e4b1fc3..97b537e29 100644
--- a/pkg/webauthnutil/webauthnutil_test.go
+++ b/pkg/webauthnutil/webauthnutil_test.go
@@ -16,7 +16,8 @@ func TestGetEffectiveDomain(t *testing.T) {
 }{
 {"https://www.example.com/some/path", "example.com"},
 {"https://www.example.com:8080/some/path", "example.com"},
- {"https://www.subdomain.example.com/some/path", "subdomain.example.com"},
+ {"https://www.subdomain.example.com/some/path", "example.com"},
+ {"https://example.com/some/path", "example.com"},
 } {
 tc := tc
 t.Run(tc.expect, func(t *testing.T) {
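Review bot: The host reaches `publicsuffix.EffectiveTLDPlusOne(h)` in `GetEffectiveDomain` exactly as the client sent it, and the lookup does not reject IP literals: as far as I can tell an IPv4 host such as a constructed `192.0.2.10` falls under the list's default `*` rule and comes back as its last two labels with a nil error, so the function would return `2.10` rather than the host. A guard before the lookup, `if net.ParseIP(h) != nil { return h }`, keeps addresses intact (`net` is already imported); lower-casing `h` first is worth considering as well, since the list appears to be matched byte-for-byte, though that needs the `strings` import this commit removes. Separately, the function's doc comment should say that every host under one registrable domain now maps to the same effective domain; if this value is used as the WebAuthn relying-party ID, as the package name suggests, a credential registered on one subdomain becomes usable on all of them, and that trust boundary deserves to be written down. The start of `GetEffectiveDomain` lies outside the hunk.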
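Review bot: The table in `TestGetEffectiveDomain` only exercises hosts under a single-label suffix, so neither the multi-label suffix case that motivates the public-suffix lookup nor the error fallback to the raw host is pinned. Rows such as `{"https://www.example.co.uk/some/path", "example.co.uk"}` and `{"https://localhost:8443/some/path", "localhost"}` would cover both, and an IP-literal host should get a row once its intended result is decided. The test function starts and ends outside the hunk.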