New FIDO proposal lets you securely move passkeys across platforms

October 15, 2024 at 11:19AM

The FIDO Alliance has released a draft specification to standardize the secure transfer of passkeys between providers, addressing portability issues. The Credential Exchange Protocol (CXP) and Credential Exchange Format (CXF) aim to enhance interoperability and security during credential migration. Feedback is welcomed for further refinement of these drafts.

### Meeting Takeaways:

1. **New Specification Introduction**:
   - The FIDO Alliance has released a working draft aimed at enabling secure transfer of passkeys between different providers.

2. **Passkeys Overview**:
   - Passkeys use public-key cryptography for password-less authentication, improving sign-in processes:
     - **75% faster** and **20% more successful** than traditional password methods.

3. **Challenges Identified**:
   - Current passkey systems face significant challenges:
     - No secure method for transferring passkeys across platforms (e.g., from Google’s Password Manager to Apple’s iCloud Keychain).
     - This leads to ‘vendor lock-in’ and ‘device lock-in’, creating fragmentation and security concerns.

4. **Standardization Efforts**:
   - FIDO’s new specification includes two drafts:
     - **Credential Exchange Protocol (CXP)**: Outlines a secure method for credential transfer utilizing Diffie-Hellman key exchange and hybrid public key encryption (HPKE).
     - **Credential Exchange Format (CXF)**: Provides a standardized structure for secure transfer during migration, ensuring interoperability and data integrity, typically formatted in JSON within ZIP.

5. **Collaborative Development**:
   - The drafts have been developed with input from various organizations, including Dashlane, Bitwarden, 1Password, NordPass, and Google.

6. **Industry Support**:
   - Supported by major tech companies (Google, Microsoft, Apple, Visa, etc.), the FIDO Alliance aims to promote passkey adoption for over **12 billion** online accounts currently protected by this technology.

7. **Feedback and Updates**:
   - The specifications are still in draft form and open for feedback, with updates to be made on a dedicated GitHub page. The timeline for finalization remains unspecified.

8. **Next Steps**:
   - Stakeholders and interested parties are encouraged to participate by providing feedback on the drafts as they evolve.
