
FIDO reveals updated passkey transfer specifications

The FIDO Alliance has taken a further step in its push for passwordless authentication by introducing two specifications for moving passkeys and other credentials between providers: the Credential Exchange Format (CXF), which describes how exported credentials are laid out, and the Credential Exchange Protocol (CXP), which describes how they are handed from one provider to another. Both were developed by the FIDO Alliance's Credential Provider Special Interest Group, whose members include Apple, Google, Microsoft and Samsung, among others.

Passkeys have gained ground as an answer to social engineering and credential phishing, since a passkey is bound to the site it was registered with and cannot be typed into a look-alike page; Okta and Google both added passkey support last year. The new specifications are meant to let users, and the enterprises that manage credentials on their behalf, export passkeys and credentials from one provider and import them into another securely, closing the gap left by the absence of any universal format for transferring such sensitive data.

Nick Steele, a product manager at 1Password and co-chair of the FIDO Alliance's Credential Provider Special Interest Group, stressed that users need a secure and efficient way to move credentials between password managers. The specifications rely on Transport Layer Security (TLS) to protect the connection and on a Diffie-Hellman key exchange between the exporting and importing providers to agree a key that only those two parties hold, so exported credentials are encrypted end to end and can be decrypted only by the importing provider, not by anything that relays the data in between.
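The end-to-end property described above, as an added illustration in Go that is not the CXP specification and not code from 1Password or Bitwarden: the importer generates a key pair and sends only its public key; the exporter runs an X25519 Diffie-Hellman agreement against it, derives an AES-256-GCM key through HKDF-SHA256, and seals the credential bundle with the importer's public key as associated data. The curve, the KDF, the cipher, the "cxp-demo-v1" label and the JSON bundle are all choices made for this example, not values taken from the specification, and the sketch leaves out the authorization and consent steps a real transfer requires.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// sampleBundle is a constructed stand-in for an export; the real CXF layout is not reproduced here.
const sampleBundle = `{"items":[{"type":"passkey","rpId":"example.com","privateKey":"<demo>"}]}`

// Envelope is what crosses the wire. Nothing in it is secret on its own:
// only the holder of the importer's private key can recover the bundle.
type Envelope struct {
	ExporterPub []byte // exporter's ephemeral X25519 public key
	Nonce       []byte // AES-GCM nonce
	Ciphertext  []byte // AES-256-GCM output with the tag appended
}

// NewImporter generates the importing provider's per-transfer key pair.
func NewImporter() (*ecdh.PrivateKey, error) { return ecdh.X25519().GenerateKey(rand.Reader) }

// hkdfSHA256 is RFC 5869 extract-then-expand with a zero salt, spelled out so the
// example needs nothing outside the standard library.
func hkdfSHA256(ikm, info []byte, n int) []byte {
	ext := hmac.New(sha256.New, make([]byte, sha256.Size))
	ext.Write(ikm)
	prk := ext.Sum(nil)
	var out, t []byte
	for i := byte(1); len(out) < n; i++ {
		m := hmac.New(sha256.New, prk)
		m.Write(t)
		m.Write(info)
		m.Write([]byte{i})
		t = m.Sum(nil)
		out = append(out, t...)
	}
	return out[:n]
}

// agree parses the peer's public key, runs X25519 and derives the AEAD. Both public
// keys go into the HKDF info, so a transcript replayed at a different importer
// derives a different key. The "cxp-demo-v1" label is an assumption of this demo.
func agree(priv *ecdh.PrivateKey, peerPub, exporterPub, importerPub []byte) (cipher.AEAD, error) {
	peer, err := ecdh.X25519().NewPublicKey(peerPub)
	if err != nil {
		return nil, err
	}
	shared, err := priv.ECDH(peer)
	if err != nil {
		return nil, err
	}
	info := append(append([]byte("cxp-demo-v1"), exporterPub...), importerPub...)
	block, err := aes.NewCipher(hkdfSHA256(shared, info, 32))
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Export runs at the exporting provider: fresh ephemeral key, agreement with the
// importer's public key, seal the bundle with that public key as associated data.
func Export(bundle, importerPub []byte) (*Envelope, error) {
	eph, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	aead, err := agree(eph, importerPub, eph.PublicKey().Bytes(), importerPub)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	ct := aead.Seal(nil, nonce, bundle, importerPub)
	return &Envelope{ExporterPub: eph.PublicKey().Bytes(), Nonce: nonce, Ciphertext: ct}, nil
}

// Import runs at the importing provider. Any other key holder, and any modification
// of the envelope, fails the GCM tag check and yields nothing.
func Import(priv *ecdh.PrivateKey, env *Envelope) ([]byte, error) {
	aead, err := agree(priv, env.ExporterPub, env.ExporterPub, priv.PublicKey().Bytes())
	if err != nil {
		return nil, err
	}
	pt, err := aead.Open(nil, env.Nonce, env.Ciphertext, priv.PublicKey().Bytes())
	if err != nil {
		return nil, errors.New("envelope was not sealed for this importer or was modified in transit")
	}
	return pt, nil
}

func main() {
	importer, _ := NewImporter()
	env, _ := Export([]byte(sampleBundle), importer.PublicKey().Bytes())
	pt, err := Import(importer, env)
	fmt.Printf("intended importer: %s (err=%v)\n", pt, err)
	bystander, _ := NewImporter() // anything on the path that holds a different key
	_, err = Import(bystander, env)
	fmt.Println("other party:", err)
}
```

The second key holder in main stands in for anything between the two providers: it sees the whole envelope but cannot derive the key. TLS still matters on the transport: in this construction nothing authenticates the importer's public key on its way to the exporter, so a party able to substitute its own key there would become the "importer", and the authenticated channel is what rules that out.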

Challenges around user experience and security complexity are expected to grow as passkeys spread and as the range of credentials a provider must handle widens to include items such as mobile driver's licenses (mDLs). The FIDO Alliance therefore intends to gather feedback from the security community before an official release: it plans to publish a review draft of CXP and CXF in the first quarter of 2025, accompanied by open-source libraries from 1Password and Bitwarden that demonstrate how to implement them.

Todd Thiemann, a senior analyst at TechTarget's Enterprise Strategy Group, pointed to both the benefits and the trade-offs. The flexibility to move passkeys between providers is good for users, but it complicates the picture for providers: once a passkey can be imported, the importing provider can no longer assume it was generated and stored under its own controls, so its assessment of that passkey's security now depends on the provider that created it.

The urgency of moving off passwords was underlined by recent incidents, such as the breach of Microsoft by a Russian nation-state group that began with a legacy account lacking multi-factor authentication. With attackers targeting identity providers and password managers themselves, the breaches at Okta and LastPass are a stark reminder of the weaknesses of password-based authentication.

Taken together, the FIDO Alliance's proposed specifications are a significant step towards wider adoption of passwordless authentication and better credential management. By standardizing a secure way to move passkeys and credentials between providers, they stand to improve both user choice and security in digital authentication.
