
ExpressVPN has announced a major update to its standalone ExpressKeys password manager, adding passkey support, secure credential sharing, and direct vault imports.
Alongside the release, the company published a new independent security assessment by Cure53, which found no severe vulnerabilities in the application after reviewing its architecture and mobile apps.
ExpressVPN, which is best known for its commercial VPN service (see our ExpressVPN review), launched ExpressKeys as a standalone password manager earlier this year. The application stores passwords, payment cards, secure notes, passkeys, and two-factor authentication codes across mobile devices and browsers for eligible subscribers.
Passkeys land on ExpressKeys
Among the most significant additions is support for passkeys, allowing users to generate, store, and authenticate with FIDO-compatible credentials instead of traditional passwords. As more online services adopt passkeys, password managers are increasingly adding support to help users transition away from reusable passwords that remain vulnerable to phishing and credential stuffing attacks.
The update also introduces secure sharing for individual vault items. Instead of sending passwords or payment information via messaging apps or email, users can generate links that expire after a configurable period, optionally require email verification, or become invalid after a single view. Access to shared items can also be revoked from within the application.

Another notable addition is support for the FIDO Alliance's Credential Exchange (CX) standard. Rather than requiring users to export their entire password vault into an unencrypted CSV or similar file before switching password managers, Credential Exchange enables direct encrypted transfers between compatible services. ExpressVPN says ExpressKeys can now import credentials directly from Apple Passwords, Google Chrome, and other password managers that implement the new standard.
The release also adds camera-based payment card scanning for iOS, allowing users to capture credit and debit card details directly into their vault, while Android support remains under development. Additional features include encrypted vault backups, a dedicated interface for two-factor authentication codes, color-coded password displays, swipe gestures for managing entries, broader language support, and a “Recently Deleted” folder that retains deleted vault items for 30 days before permanent removal.

ExpressVPN
Cure53 audit findings
Alongside the product update, ExpressVPN published Cure53's latest security assessment, bringing the company's publicly available third-party audit count to 28, according to the vendor.
The audit identified 12 findings, including 5 security vulnerabilities and 7 lower-risk hardening recommendations. None were rated High or Critical severity, and Cure53 concluded that the applications presented “a solid overall impression” from a security perspective while describing the overall security posture as mature.
Among the Medium-severity issues discovered during testing were a custom URL scheme that could potentially be abused for phishing or information leakage, an iOS autofill flaw that could display all stored credentials when a webpage supplied a null domain, and the use of PBKDF2 for vault key derivation, which Cure53 recommended replacing with a memory-hard algorithm such as Argon2id to better resist GPU-assisted brute-force attacks. The report also documented several Low-severity findings, including an encryption key appearing in stdout logs under specific conditions and a screenshot protection bypass involving an integrated bug-reporting feature.
According to the report, ExpressVPN addressed or mitigated the identified vulnerabilities before publication, with Cure53 verifying fixes for the Medium-severity issues. Several informational recommendations, such as enabling additional compiler hardening features and introducing an optional second authentication factor before opening the vault, remain design considerations rather than unresolved vulnerabilities.
You can also check out our roundup of the best password managers here.







Leave a Reply