New FIDO proposal lets you securely move passkeys across platforms

The Fast IDentity Online (FIDO) Alliance has published a working draft of a new specification that aims to enable the secure transfer of passkeys between different providers.

Passkeys are a method of authentication without a password that leverages public-key cryptography to authenticate users without requiring them to remember or manage long strings of characters.

FIDO reports that sign-ins have gotten 75% faster and 20% more successful than password-based authentications, highlighting the benefits of this new technology.

Although convenient and phishing-resistant, one of the major challenges with passkeys is that there’s no secure way to transfer them across different platforms and service providers.

For example, users who created passkeys in Google’s Password Manager couldn’t transfer those securely to Apple’s iCloud Keychain when switching devices, creating a kind of ‘vendor lock-in’ or even ‘device lock-in’ situation.

Hence, instead of providing more freedom, passkeys created unwanted fragmentation in the user experience and introduced security risks when attempting porting them to a different platform.

Standardizing passkey portability

The new specification that FIDO proposes essentially addresses the lack of widely accepted secure standards for credential transfer, eliminating the complications or practical limitations when switching between providers.

The specifications are presented in two separate drafts, namely the Credential Exchange Protocol (CXP) and Credential Exchange Format (CXF).

CXP defines a method to securely transfer credentials between different providers using the Diffie-Hellman key exchange and hybrid public key encryption (HPKE), so the data is secured while in transit.

CXF defines a standardized structure for the secure transfer of credentials between providers during migration, ensuring interoperability and data integrity. The proposed formats include JSON within ZIP, with each part being encrypted as specified by CXP.

The drafts were developed with the contribution of specialists from FIDO associate members and stakeholders like Dashlane, Bitwarden, 1Password, NordPass, and Google.

The FIDO Alliance, which is comprised of leaders in the tech space like Google, Microsoft, Apple, Visa, Mastercard, PayPal, Intel, Samsung, Meta, and Amazon, hopes that the new spec will fuel the adoption of passkeys, which today are used for protecting over 12 billion online accounts.

The proposed specifications are currently in draft form and subject to change.

Those interested in participating in the formulation of the specifications can provide their feedback through this GitHub page. The drafts will be gradually updated to reflect additions and changes until they solidify, but no timelines for that have been provided at this time.