The FIDO Alliance has released a working draft of new specifications aimed at making the transfer of passkeys and other credentials between providers more secure and user-friendly. These drafts, developed through collaboration among industry leaders like Apple, Google, 1Password, Microsoft, and Bitwarden, are set to enhance the portability and security of passkeys, a modern alternative to traditional passwords that has gained widespread adoption.
These new specifications address the need for a standard, secure method to move credentials across platforms. The Credential Exchange Protocol (CXP) and Credential Exchange Format (CXF) propose a unified approach to transferring passkeys, passwords, and other credentials between password managers or platforms.
Previously, no secure standard existed for such transfers, often leading to passwords being exchanged in unencrypted formats, posing significant security risks. By ensuring all transfers are encrypted and secure by default, these specifications aim to eliminate these vulnerabilities.
Background on specifications
CXP defines a secure method for transferring credentials between two credential providers, even across different devices or network conditions. Using Diffie-Hellman Key Exchange (DHKE) or Hybrid Public Key Encryption (HPKE), CXP ensures that credentials — such as passkeys, passwords, and others — are securely encrypted during migration.
The protocol allows an importing provider to initiate a request for credentials, which are then encrypted and sent by the exporting provider. The credentials are transferred in a format defined by the Credential Exchange Format (CXF) and must be decrypted and verified upon receipt. By offering a standardized, secure method of credential migration, CXP addresses long-standing issues with insecure data transfers and non-standard formats, promoting interoperability across platforms.
CXF defines the structure and format of credentials during migration, ensuring interoperability between different providers. CXF organizes credentials into a standardized data structure that includes key information like account details, credential types (e.g., passkeys, passwords, or credit card information), and metadata.
Each credential is securely encrypted within a zip archive, following the encryption schemes specified by CXP. This approach mitigates the risks of data loss or format incompatibility during transfers, offering a secure, consistent method to export, import, and manage credentials. CXF ensures that credentials are easy to handle, whether users are moving between password managers or across devices, all while maintaining robust security standards.
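As an added example that is not from the FIDO drafts or any provider's code, the following Go sketch models the flow described above: the importing provider sends an ephemeral X25519 public key as its request, the exporting provider derives a one-time AES-256-GCM key from the shared secret and encrypts the payload, and the importer decrypts and verifies it. It stands in for the spec's HPKE/DHKE with a hand-rolled X25519 + HMAC-based KDF + AES-GCM construction, the wire layout and the "cxp-demo-v1" context label are assumptions, and the payload in the test is a constructed JSON stand-in rather than real CXF.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

// must keeps the demo short: key generation/parsing failures are programming errors here.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// aeadFor: X25519 shared secret -> one-step HKDF-style KDF (HMAC-SHA256 keyed by the
// secret, both ephemeral public keys as context) -> AES-256-GCM. Both sides reach the same key.
func aeadFor(priv *ecdh.PrivateKey, peerPub, importerPub, exporterPub []byte) cipher.AEAD {
	shared := must(priv.ECDH(must(ecdh.X25519().NewPublicKey(peerPub))))
	kdf := hmac.New(sha256.New, shared)
	kdf.Write(append(append([]byte("cxp-demo-v1"), importerPub...), exporterPub...))
	return must(cipher.NewGCM(must(aes.NewCipher(kdf.Sum(nil))))) // 32-byte key -> AES-256
}

// NewEphemeralKey: each side makes a fresh key per transfer; the importer's public bytes are its request.
func NewEphemeralKey() *ecdh.PrivateKey { return must(ecdh.X25519().GenerateKey(rand.Reader)) }

// ExportEncrypted (exporter side) returns exporterPub(32) || nonce(12) || ciphertext+tag (assumed layout).
func ExportEncrypted(importerPub, payload []byte) []byte {
	mine := NewEphemeralKey()
	aead := aeadFor(mine, importerPub, importerPub, mine.PublicKey().Bytes())
	nonce := make([]byte, aead.NonceSize())
	must(rand.Read(nonce)) // fresh nonce per message; never reuse with the same key
	return aead.Seal(append(mine.PublicKey().Bytes(), nonce...), nonce, payload, nil)
}

// ImportDecrypted (importer side): any byte altered in transit fails the GCM tag check,
// so "decrypt and verify on receipt" is a single step that returns an error on tampering.
func ImportDecrypted(req *ecdh.PrivateKey, msg []byte) ([]byte, error) {
	if len(msg) < 44 {
		return nil, errors.New("message too short")
	}
	exporterPub, nonce, ct := msg[:32], msg[32:44], msg[44:]
	aead := aeadFor(req, exporterPub, req.PublicKey().Bytes(), exporterPub)
	return aead.Open(nil, nonce, ct, nil)
}
```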
FIDO’s bid for better practices
Passkeys, a relatively new authentication method, have been gaining momentum due to their enhanced security and user experience benefits. Unlike traditional passwords, which are vulnerable to phishing and reuse, passkeys use cryptographic keys, significantly reducing the risk of credential theft. According to the FIDO Alliance, passkey sign-ins are 75% faster and 20% more successful than those using passwords or two-factor authentication methods like SMS OTP. With more than 12 billion online accounts already capable of using passkeys, the need for secure credential portability has become critical.
The FIDO Alliance has been a key driver of the passkey movement. Founded in 2013, the Alliance includes tech giants like Google, Microsoft, and Apple, as well as several leading password management services such as Dashlane, 1Password, and Bitwarden. The organization aims to promote open, secure authentication standards to help phase out passwords in favor of more secure options like passkeys.
The new CXP and CXF standards reflect the Alliance’s commitment to reducing technical barriers around passkey adoption. These drafts focus on making credential migration not only secure but also easy for users who wish to switch providers or platforms without sacrificing security. This is particularly relevant as the convenience of synced passkeys — those stored in the cloud and accessible across multiple devices — becomes more widely used, making secure and standardized data transfer even more important.
At present, the specifications remain in draft form and are open to feedback from the broader security community. The FIDO Alliance encourages developers and stakeholders to review the working drafts, available on their GitHub repository, and submit comments to help refine the standards before they are finalized. Once the standards are approved, they will be made publicly available for implementation by credential providers, allowing for a seamless, secure experience when users transfer credentials between platforms.