The FIDO Alliance has published a working draft of a new set of specifications for secure credential exchange
that, when standardized and implemented by credential providers, will
enable users to securely move passkeys and all other credentials across
providers. The specifications are the result of commitment and
collaboration amongst members of the FIDO Alliance's Credential Provider
Special Interest Group including representatives from: 1Password,
Apple, Bitwarden, Dashlane, Enpass, Google, Microsoft, NordPass, Okta,
Samsung and SK Telecom.
Secure credential exchange is a focus for the FIDO Alliance because
it can help further accelerate passkey adoption and enhance user
experience. Today, more than 12 billion online accounts can be accessed
with passkeys and the benefits are clear:
sign-ins with passkeys reduce phishing and eliminate credential reuse
while making sign-ins up to 75% faster, and 20% more successful than
passwords or passwords plus a second factor like SMS OTP.
With this rising momentum, the FIDO Alliance is committed to enabling
an open ecosystem, promoting user choice and reducing any technical
barriers around passkeys. It is critical that users can choose the
credential management platform they prefer, and switch credential
providers securely and without burden. Until now, there has been no
standard for the secure movement of credentials, and often the movement
of passwords or other credentials has been done in the clear.
FIDO Alliance's draft specifications - Credential Exchange Protocol (CXP) and Credential Exchange Format (CXF) -
define a standard format for transferring credentials in a credential
manager, including passwords, passkeys and more, to another provider in a
manner that ensures transfers are not made in the clear and are secure by
default.
Once standardized, these specifications will be open and available
for credential providers to implement so their users can have a secure
and easy experience when and if they choose to change providers.
The working draft specifications are open to community review and
feedback; they are not yet intended for implementation as the
specifications may change. Those interested can read the working drafts here, and provide feedback on the Alliance's GitHub repo.
Drafts are expected to be updated and published for public review often
until the specifications are approved for implementation.
The FIDO Alliance extends a special thank you to its members in the
Credential Provider Special Interest Group and its leads for driving and
contributing to this important specification.