Security vendors join forces to make passkeys more portable for everyone

FIDO Alliance publishes industry standards for consumers to easily and securely transfer passkeys across platforms and password managers.

The new Credential Exchange Protocol (CXP) has just launched on Apple iPhones, and Bitwarden is among the first to support this industry standard that allows for secure transfer of passkeys and passwords between compatible platforms and apps.

Apple iOS 26 is the first major platform to implement CXP, bringing new levels of credential portability and user choice. With this integration, iOS users gain a secure, standardized method for migrating passkeys between different platforms and password managers while maintaining end-to-end encryption. Bitwarden is the first third-party credential manager to support this integration.

The adoption of CXP in iOS 26 addresses any user hesitation for passkey adoption due to concerns about vendor lock-in. The implementation means passkeys stored in iOS can now be securely transferred to other CXP-compatible services, such as from Apple Passwords into Bitwarden, or from Bitwarden into other solutions

Once users upgrade to iOS 26, the Bitwarden iOS app will automatically support CXP transfers. Users can immediately take advantage of the secure transfer capabilities between their Bitwarden vault and any other CXP-supported apps.

In iOS, apps initiate the export process within them. Go to the app you wish to export from and select Export Data to Another App or similar.

Note: Passkeys that use a hidden “counter” for security are not able to be transferred through the CXP process.

With  iOS 26, transferring passwords and passkeys is easier than ever. Create a free Bitwarden account or start a free business trial. Download the Bitwarden iOS app and see how simple it is to import your credentials and secure yourself and your business today.

The following was originally published October 14, 2024

Let’s meet the companies behind the Credential Exchange Protocol (CXP), a set of technical industry standards for password manager vendors to implement. Recently published, CXP will help ensure secure, end-to-end encrypted passkey migration from one platform or service to another. The group, with support from the FIDO Alliance, includes developers from: 

• Apple

• Bitwarden

• Dashlane

• Google

• Microsoft

• NordPass

• 1Password

• Samsung

• SK Telecom

WebAuthn, the W3C and FIDO specification that allows servers to register and authenticate users using public key cryptography instead of a password, was initially created with the mindset that credentials would always be in the hardware. 

This paradigm shift is why new industry standards are needed. 

“By changing the paradigm to where the keys can be synced, a lot of rethinking of security properties and interoperability needed to happen,” said René Léveillé, senior developer at 1Password. 

The Credential Exchange Protocol for passkeys is the product of developers who recognized this shift, and wanted to make passkeys more universally adopted. 

Unlike passwords, passkeys do not have a standard encoding representation, making them inherently complex for import and export. To address this opportunity, developers from 1Password, Dashlane, Bitwarden, and Nordpass came together in early 2023 to build a limited proof of concept for passkeys moving between applications. 

“Feedback was overwhelmingly positive,” said Léveillé. “From there we gathered the other interested parties with whom we worked on what is now known as the Credential Exchange Protocol and Format with the goal of not only supporting passkeys, but any credential that may be in a password manager.”

From there, other password managers joined and formed a working alliance to build a universally accepted passkey secure transfer protocol, as well as strengthen overall passkey adoption among businesses and consumers. 

Since Bitwarden announced passkey management and support earlier this year, overall adoption has consistently accelerated. Daily passkey creation peaked this summer at more than 500% from the peak rate at the beginning of 2024. 

Nearly 50% of total passkeys created with Bitwarden were added in the last 3 months as industry leaders such as Apple, Google, Amazon, and many others continue to enable passkey technology for users. 

Over the past 6 months, the Bitwarden community-driven PasskeyIndex saw a 76% increase in submissions of services that support passkey authentication. These services span millions of users, underscoring the growing commitment of organizations to adopt passkeys as a modern, secure authentication method, driving a passwordless future for users worldwide. 

All users benefit from the convenience and enhanced security of storing passkeys in Bitwarden, ensuring cross-platform availability.

Passkeys are inherently more secure than passwords, providing a faster, safer, and interoperable way to sign into any account or service. That said, existing import and export features are often based on unencrypted CSV files, which undermines security and potentially opens the passkey owner to vulnerabilities. The Credential Exchange aims to to define normative data structures to allow for interoperability and control by resource owners over passkey credentials that need to be migrated. The exchange protocol supports bulk export, backup, with additional future use cases as specs evolve. 

The new protocol can also be applied to all credentials, not just passkeys. “Businesses and consumers alike will benefit in multiple ways, not just avoiding lock in," said Anders Aberg, director of passwordless at Bitwarden. “Existing import and export features are often based on unencrypted csv files. The credential exchange protocol will make passkey migrations a lot safer, even for non-passkey credentials.”

FIDO Alliance’s draft specifications – Credential Exchange Protocol (CXP) and Credential Exchange Format (CXF) – define a standard format for transferring credentials in a credential manager including passwords, passkeys and more to another provide in a manner that ensures transfer are not made in the clear and are secure by default.

The working draft specifications are open to community review and feedback; they are not yet intended for implementation as the specifications may change. Those interested can read the working drafts and provide feedback on the Alliance’s GitHub repo.