/cdn.vox-cdn.com/uploads/chorus_asset/file/24016884/STK093_Google_05.jpg)
Passkeys — the modern, phishing-resistant secure alternative to passwords — could soon become easier to use across various platforms. According to new draft specifications published by the FIDO (Fast Identity Online) Alliance, companies like Google, Apple and Microsoft as well as password management apps like Dashlane, 1Password, and Bitwarden could allow users to export and import passkeys and passwords securely, allowing them to migrate their credentials to another service (for example, when switching from Android to iOS) instead of creating new ones.
FIDO Alliance Publishes Draft Secure Credential Exchange Specifications
The FIDO Alliance released two draft specifications on Monday — Credential Exchange Protocol (CXP) and Credential Exchange Format (CXF) — stating that they were designed to promote choice, while enhancing the user experience while utilising passkeys.
The new CXP and CXF draft specifications were designed to streamline the process of transferring credentials such as passwords, passkeys, and other information in a secure manner. Currently, most password managers export credentials in plaintext, usually in the form of a comma separated value (CSV) text file, which is extremely risky.
While the draft secure credentials exchange specifications will improve the security of passwords when they are being exported, they will provide the first secure method of migrating passkeys across services.
For example, a Bitwarden user might be able to export passkeys stored with the service and then import them into their Google or Apple account. The process would ensure that users would not need to generate multiple passkeys for each service, while making it easy for users to switch platforms.
It’s worth noting that it could be a while before secure password and passkey migration could make its way to users. These draft specifications will need to be agreed upon, standardised, and implemented by credential providers, in order for the new functionality to be available. The FIDO Alliance also says that it is accepting community review via GitHub — developers and enthusiasts can provide feedback on the draft specifications.
