Security vendors join forces to make passkeys more portable for everyone

FIDO Alliance publishes industry standards for consumers to easily and securely transfer passkeys across platforms and password managers.

Let’s meet the companies behind the Credential Exchange Protocol (CXP), a set of technical industry standards for password manager vendors to implement. Recently published, CXP will help ensure secure, end-to-end encrypted passkey migration from one platform or service to another. The group, with support from the FIDO Alliance, includes developers from: 

• Apple

• Bitwarden

• Dashlane

• Google

• Microsoft

• NordPass

• 1Password

• Samsung

• SK Telecom

WebAuthn, the W3C and FIDO specification that allows servers to register and authenticate users using public key cryptography instead of a password, was initially created with the mindset that credentials would always be in the hardware. 

This paradigm shift is why new industry standards are needed. 

“By changing the paradigm to where the keys can be synced, a lot of rethinking of security properties and interoperability needed to happen,” said René Léveillé, senior developer at 1Password. 

The Credential Exchange Protocol for passkeys is the product of developers who recognized this shift, and wanted to make passkeys more universally adopted. 

Unlike passwords, passkeys do not have a standard encoding representation, making them inherently complex for import and export. To address this opportunity, developers from 1Password, Dashlane, Bitwarden, and Nordpass came together in early 2023 to build a limited proof of concept for passkeys moving between applications. 

“Feedback was overwhelmingly positive,” said Léveillé. “From there we gathered the other interested parties with whom we worked on what is now known as the Credential Exchange Protocol and Format with the goal of not only supporting passkeys, but any credential that may be in a password manager.”

From there, other password managers joined and formed a working alliance to build a universally accepted passkey secure transfer protocol, as well as strengthen overall passkey adoption among businesses and consumers. 

Since Bitwarden announced passkey management and support earlier this year, overall adoption has consistently accelerated. Daily passkey creation peaked this summer at more than 500% from the peak rate at the beginning of 2024. 

Nearly 50% of total passkeys created with Bitwarden were added in the last 3 months as industry leaders such as Apple, Google, Amazon, and many others continue to enable passkey technology for users. 

Over the past 6 months, the Bitwarden community-driven PasskeyIndex saw a 76% increase in submissions of services that support passkey authentication. These services span millions of users, underscoring the growing commitment of organizations to adopt passkeys as a modern, secure authentication method, driving a passwordless future for users worldwide. 

All users benefit from the convenience and enhanced security of storing passkeys in Bitwarden, ensuring cross-platform availability.

Passkeys are inherently more secure than passwords, providing a faster, safer, and interoperable way to sign into any account or service. That said, existing import and export features are often based on unencrypted CSV files, which undermines security and potentially opens the passkey owner to vulnerabilities. The Credential Exchange aims to to define normative data structures to allow for interoperability and control by resource owners over passkey credentials that need to be migrated. The exchange protocol supports bulk export, backup, with additional future use cases as specs evolve. 

The new protocol can also be applied to all credentials, not just passkeys. “Businesses and consumers alike will benefit in multiple ways, not just avoiding lock in," said Anders Aberg, director of passwordless at Bitwarden. “Existing import and export features are often based on unencrypted csv files. The credential exchange protocol will make passkey migrations a lot safer, even for non-passkey credentials.”

FIDO Alliance’s draft specifications – Credential Exchange Protocol (CXP) and Credential Exchange Format (CXF) – define a standard format for transferring credentials in a credential manager including passwords, passkeys and more to another provide in a manner that ensures transfer are not made in the clear and are secure by default.

The working draft specifications are open to community review and feedback; they are not yet intended for implementation as the specifications may change. Those interested can read the working drafts and provide feedback on the Alliance’s GitHub repo.