
MacRumors

macrumors bot
Original poster
Apr 12, 2001


The FIDO Alliance is developing new specifications to enable secure transfer of passkeys between different password managers and platforms. Announced on Monday, the initiative is the result of collaboration among members of the FIDO Alliance's Credential Provider Special Interest Group, including Apple, Google, Microsoft, 1Password, Bitwarden, Dashlane, and others.


Passkeys are an industry standard developed by the FIDO Alliance and the World Wide Web Consortium, and were integrated into Apple's ecosystem with iOS 16, iPadOS 16.1, and macOS Ventura. They offer a more secure and convenient alternative to traditional passwords, allowing users to sign in to apps and websites in the same way they unlock their devices: With a fingerprint, a face scan, or a passcode. Passkeys are also resistant to online attacks like phishing, making them more secure than things like SMS one-time codes.

The draft specifications, called Credential Exchange Protocol (CXP) and Credential Exchange Format (CXF), will standardize the secure transfer of credentials across different providers. This addresses a current limitation where passkeys are often tied to specific ecosystems or password managers.

For Apple users, the development could significantly enhance the utility of passkeys across their devices and services. Once implemented, users may be able to securely move their passkeys between Apple's built-in password management system and third-party password managers, and even to non-Apple platforms. It's worth noting that the new specifications are currently open for community review and feedback, so it could be a while before we see them implemented and the specifications could change in the meantime.

Article Link: FIDO Alliance Working on Making Passkeys Portable Across Platforms
 
This is good news. I have no desire to use Apple's implementation of this right now due to it being locked to Apple's platforms. If you use Bitwarden, you can have the same credentials on Mac OS, iOS, Windows, Linux, Android. It'll be nice to have an official portable option.
 
Although limited sites currently use passkeys, they are a useful option. 1Password is also able to store the same passkey on multiple devices and share it across iOS and Windows clients. The only passkey that can't be stored on 1Password seems to be the one for Apple, which seems to limit passkey storage to Apple hardware.
 
I'm using both MSFT's password management and Apple's Passwords due to my work using Windows, and being an Apple person otherwise.

Both are useful and convenient. I would really appreciate the cross platform compatibility.

Either way, anything is more secure than the sticky note of passwords I used to keep in my checkbook back in the day.
 
Using a password manager such as Bitwarden already accomplishes this.
Not quite. If Bitwarden were to shut down, you would need to transfer all of your passkeys to a different manager. This specification will allow you to do just that to any password manager that is compliant.

It's a huge step in the right direction. I cannot wait until the day we don't have to deal with passwords again. I was forced to do a password reset just today, and it took about 10min with all the hoops you have to jump through and all the services I needed to log back into.
 
This sounds good to me and has been something I've been thinking about when it comes to passkeys for some time.

It is nice to have the passkeys one has with Apple clearly seen in a separate section in the new Passwords app, but to be able to move them out of there in a good way if one for some reason wants to store them somewhere else seems like something that should be possible.
 
Good.

I do use Bitwarden so my passkeys sync between my Apple devices and PC.

Hopefully more accounts start to support passkeys. I’m so over passwords but sadly too many still use them with crappy SMS 2fa.
 
Hopefully the FIDO Alliance are strongly encouraging two other passkey developments…

  1. Websites DO NOT have an MFA/2FA step when logging in by passkey
  2. Websites allow password DELETION so that the passkey and any backup (email reset) become the weakest points of entry
 
I'm using both MSFT's password management and Apple's Passwords due to my work using Windows, and being an Apple person otherwise.

Both are useful and convenient. I would really appreciate the cross platform compatibility.

Either way, anything is more secure than the sticky note of passwords I used to keep in my checkbook back in the day.

Are you able to install iCloud on your work machine?
 
So we're just replacing passwords with different, less-flexible passwords. Gee, can't wait for this bs to become mandatory...
They can't be phished, which is an enormous security benefit over traditional passwords. I'd argue that a physical key, such as a Yubikey, is still the most secure option but passkeys are much more accessible.
 
They can't be phished, which is an enormous security benefit over traditional passwords. I'd argue that a physical key, such as a Yubikey, is still the most secure option but passkeys are much more accessible.
I understand, but I'd still argue for trying to help educate and train people to be less stupid than (inevitably) robbing the rest of us of even more control and choice. I don't subscribe to the cult of unnecessary "security," so I'd much rather just use regular passwords and a manager. Sure, I can do that just fine...for now. But for how long? I'm convinced this will eventually become just like the infuriating 2-step login garbage that is now forced upon me by certain companies.
 
I understand, but I'd still argue for trying to help educate and train people to be less stupid than (inevitably) robbing the rest of us of even more control and choice. I don't subscribe to the cult of unnecessary "security," so I'd much rather just use regular passwords and a manager. Sure, I can do that just fine...for now. But for how long? I'm convinced this will eventually become just like the infuriating 2-step login garbage that is now forced upon me by certain companies.

If you want to complain about 2-factor authentication - Passkeys solve that problem nicely. 2FA is baked into the Passkeys, no need to deal with SMS codes and the like.

Passwords may be "flexible", but it's a terrible 30+ year old technology, that needs to go.
 
If you want to complain about 2-factor authentication - Passkeys solve that problem nicely. 2FA is baked into the Passkeys, no need to deal with SMS codes and the like.
It's not so much about the process or function itself as it is the unwanted inconvenience being forced upon me. And passkeys are going to be just another form of this annoying inconvenience.

Passwords may be "flexible", but it's a terrible 30+ year old technology, that needs to go.
I wholeheartedly disagree. The mere passage of time doesn't make something bad. That said, I realize this is based on an (extremely likely) assumption, but if it were just an optional feature for people who want the (ostensible) peace-of-mind, fine. I have no problem with companies and services offering another login option. But seeing how things have gone in the past and who's involved with the standards body, I know for at least some services it's very likely not to be optional in due time. So I'm complaining about that.
 
It's not so much about the process or function itself as it is the unwanted inconvenience being forced upon me. And passkeys are going to be just another form of this annoying inconvenience.

What is so inconvenient about passkeys? I am genuinely curious. I use passkeys every day, they work without friction. Have you actually tried it?
 
I am using Safe+ to sync my passkeys between my iPhone / iPad and Mac. But to have the option to export passkeys to other password managers or platforms would be great.
 
How did they release passkeys without figuring out how to transfer them first😂

Is there an option to reset passkeys? Because if there is not, this will cause a lot of issues in the future. Currently many services allow a reset option by sending you an email or contact via SMS maybe. I already can see the hordes of John Does wondering what to do since they lost access to their passkeys.
 
How did they release passkeys without figuring out how to transfer them first😂

Is there an option to reset passkeys? Because if there is not, this will cause a lot of issues in the future. Currently many services allow a reset option by sending you an email or contact via SMS maybe. I already can see the hordes of John Does wondering what to do since they lost access to their passkeys.
Well, the ‘something you have’ factor where MFA and Passkeys are concerned is particularly important given that the additional factor, such as a PIN used to unlock the device, is not necessarily as secure as a full-blown password. As such, the original conception behind Passkeys was to make them tightly bound to some given physical device (i.e., the ‘something you have’ factor) by typically relying on a secure hardware element in the device itself to store Passkeys. Given this, providing a method to easily port the Passkey between devices was not given a high priority.

In other words, if you make it too easy to move or replicate a Passkey between physical devices, you also make it easier for a hacker to impersonate a victim’s ‘something you have’ factor and as such facilitate hacking into a victim’s Passkey-secured accounts.

Imagine a scenario where someone breaks into your password manager or iCloud account and they are easily able to move or replicate a Passkey from a device you possess to one of their own devices. They are now able to log into an account secured by that passkey. However, if the Passkey was set up as a device-bound Passkey it would be impossible for them to remotely move or copy it to any of their own devices. For this reason I personally prefer to only set up device-bound Passkeys and avoid schemes that make a Passkey portable.
 