Passkey portability is what the password-less future needs: FIDO Alliance standard coming

Smartphone show bold blue, red, yellow and green diagonal bars across the screen. In the centre is a pop-up window stating "You can now use your passkeys to sign in". Below it is a graphic showing a yellow key on a keyring, and a blue tick symbol.

Just like your house key, passkeys are unique to the lock they go in, at whatever service they were set up to unlock. That could be your bank, your social media account, your email provider, or a website like XDA. Unlike passwords, there’s nothing to remember, nothing to type into a fake website in a phishing attack, and nothing that could be reused across several accounts. Given what we know about users and their security hygiene, this can only be a good thing.

Passkeys aren’t the only way toward a passwordless, more secure future, but they’re one of the best ways to reduce user error completely. They won’t work on any website other than the one they were generated for, they can’t be copied or reused, they won’t work on a stranger’s device, and they can’t currently be moved between users. That last point is also one of the issues because they’re currently locked to the operating system or password manager that created them.

That’s a problem, because you might have generated it on the wrong device, or want to move it to your new password manager, and that’s just not possible right now. There are standards for the passkeys, but the easiest way currently to move a passkey to another storage provider is to delete it and make a new one with the new service.

Yes, this is pretty essential to passkeys being adopted as mainstream. It’s an advantage that passwords have, as they can be exported from one service to another quite easily. So, although for example Bitwarden is fully cross-platform, what if you want to leave Bitwarden and have your passkeys in a different password manager? Or if you want to leave the Apple ecosystem and take your passkeys to an Android device?

This is why Apple, Google, Samsung and some others rushed to get passkeys out as quickly as possible, because they knew it would lock users into their ecosystem. Many of us waited for cross-platform services to adopt passkeys, but even so, you can’t easily leave that service with all your passkeys.

So an open and secure standard for transfer of passkeys is really important. Such a standard will mean not only being able to export (and backup) but to also import elsewhere.

See https://www.xda-developers.com/passkey-portability-is-what-the-password-less-future-needs