Introduction

Passkeys have emerged as a secure and user-friendly alternative to traditional passwords, offering enhanced protection against phishing attacks. Developed by the FIDO Alliance and the World Wide Web Consortium [4], passkeys enable passwordless authentication through biometrics or passcodes. Major technology companies have adopted this standard, significantly increasing its usage. However, challenges remain, particularly in securely transferring passkeys across different platforms.

Description

Passkeys are a secure alternative to traditional passwords [2] [4] [7] [10] [12], offering enhanced resistance to phishing attacks. Developed as an industry standard by the FIDO Alliance and the World Wide Web Consortium [4], passkeys provide a convenient method for users to authenticate using biometrics, such as Face ID or Touch ID, or passcodes [4] [5]. This passwordless authentication system allows users to log in to web services without the need for passwords, significantly improving user experience. Major technology companies [6] [10], including Apple [1] [7] [10], Google [2] [3] [4] [5] [6] [8] [10] [12], Microsoft [3] [4] [5] [6] [8] [10] [12], and Meta [6], have embraced passkey standards [6], enabling access to over 12 billion online accounts [6]. The adoption of passkeys has surged dramatically, with password manager Dashlane reporting a 400% increase in usage since early 2024 [10], and over 175 million Amazon customers now utilizing passkeys for enhanced account security [10]. However, a significant challenge remains: the inability to securely transfer passkeys between different platforms.

To address this issue [10], the FIDO Alliance has introduced a secure credential exchange initiative [1], which includes the Credential Exchange Protocol (CXP) and the Credential Exchange Format (CXF) [1] [2] [4] [6] [7] [8] [9] [10] [12]. These draft specifications are designed to facilitate the secure transfer of various types of credentials, including passkeys [1] [11], and aim to enhance user experience by providing a secure method for exporting and importing credentials across different service providers. This initiative promotes the adoption of passkeys for phishing-resistant authentication and facilitates transitions between platforms, such as switching from Android to iOS [2]. Currently, password managers typically export credentials in plaintext [2], which poses security risks [2]. The new specifications will improve the security of this process [2], allowing for the first secure migration of passkeys between services [2]. For instance [2], users of Bitwarden could export their passkeys and import them into Google or Apple accounts without needing to create new passkeys for each service [2].

The CXP and CXF specifications utilize mechanisms similar to TLS for establishing encrypted connections [3], employing Diffie-Hellman key exchange to ensure that credentials can only be decrypted by the intended importing provider [3]. Additionally, they include functionality for companies to act as authorizers [3], allowing credential transfers only with the explicit consent of the account owner [3]. Notably, both 1Password and Dashlane have expressed their intention to support these specifications [8], underscoring the critical need for a standardized method for securely transferring credentials. This represents a significant improvement over the commonly used CSV format, which transfers credentials in an unprotected manner [11].

Currently in draft form and open for community review and feedback, the specifications emphasize end-to-end encryption, ensuring that transfers are secure by default rather than transmitted in clear text [9]. The FIDO Alliance is actively seeking input from the security community before finalizing these standards, with a publicly available review draft anticipated in the first quarter of 2025 [3]. An open-source Rust library will also be developed by 1Password and Bitwarden to demonstrate the specifications and promote their implementation [3].

This collaborative effort among industry leaders enhances the likelihood of a future where users can confidently switch credential management platforms, thereby improving convenience across different services. However, while the ability to transfer passkeys between providers is expected to simplify user experience, it may also introduce security complexities [3], as the characteristics of passkeys could evolve over time, complicating the assessment of their security.

Conclusion

The introduction of passkeys marks a significant advancement in digital security, offering a robust alternative to traditional passwords [7]. The ongoing development of secure credential exchange protocols by the FIDO Alliance addresses the critical challenge of cross-platform passkey transfer, promising to enhance user convenience and security. As these standards evolve, they will likely shape the future of digital authentication, although continuous vigilance will be necessary to manage emerging security complexities.

References

[1] https://www.biometricupdate.com/202410/new-tools-authenticate-presentations-coax-hesitant-businesses-to-adopt-passkeys
[2] https://www.gadgets360.com/apps/news/passkeys-fido-alliance-secure-credential-exchange-specifications-6793245
[3] https://www.techtarget.com/searchSecurity/news/366613642/FIDO-unveils-new-specifications-to-transfer-passkeys
[4] https://www.macrumors.com/2024/10/15/fido-alliance-portable-passkeys-across-platforms/
[5] https://gigazine.net/gsc_news/en/20241016-fido-alliance-credential-exchange-protocol
[6] https://www.neowin.net/news/say-goodbye-to-passkey-lock-in-fidos-new-specs-enable-secure-transfers/
[7] https://www.infosecurity-magazine.com/news/fido-passkey-exchange-standard/
[8] https://www.theverge.com/2024/10/15/24270875/password-manager-makers-transfer-passkeys-fido-alliance
[9] https://thehackernews.com/2024/10/fido-alliance-drafts-new-protocol-to.html
[10] https://www.engadget.com/cybersecurity/youll-soon-be-able-to-safely-and-easily-move-your-passkeys-between-password-managers-161025573.html
[11] https://www.idownloadblog.com/2024/10/16/fido-alliance-import-export-passkeys-draft-specification/
[12] https://www.csoonline.com/article/3566575/new-fido-standard-for-passkeys-will-make-it-easier-to-change-services.html