The FIDO Alliance has published a working draft of a new set of specifications for secure credential exchange that, when standardized and implemented by credential providers, will enable users to securely move passkeys and all other credentials across providers. The specifications are the result of commitment and collaboration amongst members of the FIDO Alliance’s Credential Provider Special Interest Group including representatives from: 1Password, Apple, Bitwarden, Dashlane, Enpass, Google, Microsoft, NordPass, Okta, Samsung and SK Telecom.
Secure credential exchange is a focus for the FIDO Alliance because it can help further accelerate passkey adoption and enhance user experience. Today, more than 12 billion online accounts can be accessed with passkeys and the benefits are clear: sign-ins with passkeys reduce phishing and eliminate credential reuse while making sign-ins up to 75% faster, and 20% more successful than passwords or passwords plus a second factor like SMS OTP.
With this rising momentum, the FIDO Alliance is committed to enabling an open ecosystem, promoting user choice and reducing any technical barriers around passkeys. It is critical that users can choose the credential management platform they prefer, and switch credential providers securely and without burden. Until now, there has been no standard for the secure movement of credentials, and often the movement of passwords or other credentials has been done in the clear.
FIDO Alliance’s draft specifications – Credential Exchange Protocol (CXP) and Credential Exchange Format (CXF) – define a standard format for transferring credentials in a credential manager, including passwords, passkeys and more, to another provider in a manner that ensures transfers are not made in the clear and are secure by default.
Once standardized, these specifications will be open and available for credential providers to implement so their users can have a secure and easy experience when and if they choose to change providers.
The working draft specifications are open to community review and feedback; they are not yet intended for implementation as the specifications may change. Those interested can read the working drafts here, and provide feedback on the Alliance’s GitHub repo. Drafts are expected to be updated and published for public review often until the specifications are approved for implementation.
The FIDO Alliance extends a special thank you to its members in the Credential Provider Special Interest Group and its leads for driving and contributing to this important specification.