FIDO unveils new specifications to transfer passkeys

The FIDO Alliance continued its passwordless push with a proposed set of new specifications to enable users and organizations to transfer passkeys and all other credentials across providers.

In a blog post Monday, the FIDO Alliance announced two new specifications intended to help users securely move passkeys in a credential manager. The specifications were developed by FIDO's Credential Provider Special Interest Group, which includes 1Password, Apple, Bitwarden, Dashlane, Enpass, Google, Microsoft, NordPass, Okta, Samsung and SK Telecom.

FIDO's goal is to continue expanding the adoption of passkeys, which are a relatively new authentication option designed to replace passwords as social engineering threats continue to evolve. Both Okta and Google debuted passkey support last year.

Now, FIDO's proposed specifications, named Credential Exchange Format (CXF) and Credential Exchange Protocol (CXP), would enable enterprises to export and import passkeys and other credentials from one provider to another provider in a secure manner.

Nick Steele, a product manager at 1Password and co-chair of the FIDO Alliance, expanded on the new specifications in a blog post on Monday. While passkeys help protect against phishing and other identity and access management (IAM) threats, Steele said there's currently no way to securely transfer them between different password managers. He referred to it as a "technical shortcoming" and said it's one reason users might choose to continue using passwords over passkeys.

"These specifications provide a universal format and secure mechanism for transferring all kinds of credentials. That includes passkeys, traditional passwords, and everything else typically handled using a CSV file," Steele wrote in the blog post.

Steele told TechTarget Editorial that the specifications use the same mechanisms as TLS, which helps to establish an encrypted connection. "We use Diffie-Hellman key exchange to encrypt the credentials we're moving as they can only be decrypted by the importing provider. In addition to the standard, we're also adding functionality that allows companies to act as an authorizer, so providers can only move credentials with the express authorization of the business that owns the provider account," Steele said in an email.

He cited challenges that could arise as well, most of which are around user experience. "As credentials become more complex, such as with mDLs [mobile driver's licenses], it is important for users to understand how and when these credentials are exchanged between wallets," Steele said.

The FIDO Alliance and its partners published the proposed specifications to gather feedback from the security community prior to an official release. While there is no official release date, Steele said FIDO will be moving to publish a publicly available review draft of CXP and CXF in the first quarter of 2025. He added that 1Password and Bitwarden will release an open source Rust library to demonstrate the specifications and hopefully accelerate implementation.

Todd Thiemann, a senior analyst at TechTarget's Enterprise Strategy Group, said the new draft FIDO specifications should help drive passkey adoption. However, it could also present security challenges.

"There are a group of users who are concerned about vendor lock-in, and this new protocol addresses their concerns. After the new protocol is implemented by passkey providers, users will be able to move their passkeys from one provider to another," Thiemann said. "The new flexibility provided by the specification does increase security complexity for providers. Before this draft protocol, assessing the security associated with a passkey was dependent on the passkey provider that was used in creating the passkey. Now, passkeys can evolve and change over the passkey lifetime, and that adds some security complexity."

Eliminating passwords is becoming more important as the threat landscape evolves. Earlier this year, a Russian nation-state threat group known as Midnight Blizzard breached Microsoft through a legacy account that did not have MFA enabled.

Attackers are increasingly targeting identity providers and password managers as well. Okta, another company involved in the new specifications, suffered a breach last year when attackers used stolen credentials to hack into the IAM vendor's support case management system and access customer data. While the initial investigation determined that the attack only affected 1% of customers, Okta later disclosed that attackers accessed information for all customers and some employees. 1Password confirmed that it was one of the affected customers, but though it detected suspicious activity related to Okta, it did not suffer an attack.

LastPass, another password manager, disclosed a breach in 2022 after attackers gained unauthorized access to a development environment by compromising a developer account. Affected information included customer names, telephone numbers, billing addresses and unencrypted website URLs.

Arielle Waldman is a news writer for TechTarget Editorial covering enterprise security.