Apple OSes Launch Secure Passkey Transfer with FIDO2

By Dan Goodin – Jun 12, 2025
Breaking the Lock-In: Why Cross-Platform Passkey Portability Matters
At WWDC this week, Apple unveiled a highly anticipated feature that addresses one of the most pressing usability and security challenges in modern authentication: the ability to import and export passkeys across devices, operating systems, and credential managers. Historically, passkeys—built on the FIDO2/WebAuthn standard—have offered superior protection against phishing and credential stuffing, but they’ve also tied users to specific ecosystems.
The Ecosystem Conundrum
Until now, passkey portability has been limited. A passkey created on macOS or iOS can sync via iCloud Keychain to other Apple devices, but it couldn’t be moved to a Windows PC, Android phone, or third-party vault like 1Password or Bitwarden. This situation frustrated users and fueled criticism that tech giants were using passkeys to lock people into their product lines. More critically, irreversible loss of a primary device risked permanent account lockout.
“People own their credentials and should have the flexibility to manage them where they choose,” says Apple’s WWDC narrator. “This feature gives people more control over their data and the choice of which credential manager they use.”
Technical Architecture of Passkey Transfer
Under the hood, Apple’s solution leverages a FIDO Alliance–backed data schema and secure local authentication APIs to ensure zero exposure of unencrypted secrets.
- Data Schema: Uses CBOR (Concise Binary Object Representation) and COSE (CBOR Object Signing and Encryption) to pack credentials—passkeys, passwords, TOTP codes—into a standardized, cryptographically protected container.
- Secure Enclave Integration: Private keys remain bound to the device’s Secure Enclave or Trusted Execution Environment. Exfiltration is impossible, even when transferring.
- User-Initiated Handshake: Transfers are triggered by Face ID, Touch ID, or a passcode prompt. A short-range BLE or peer-to-peer Wi-Fi link authenticates the target app before data exchange.
- No Disk Footprint: Unlike CSV/JSON exports, no intermediate files are ever written to disk. The payload is streamed directly between apps in memory.
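As an added illustration of the CBOR/COSE packaging described above (not Apple's code, and not the FIDO schema itself, which this article does not reproduce), the Python below hand-encodes a passkey public key as the COSE_Key map FIDO2/WebAuthn defines and round-trips a constructed credential record through CBOR; the record field names are assumptions.

```python
# Added example (not Apple's code): a minimal CBOR encoder/decoder showing how a passkey's
# public key is carried as the COSE_Key map FIDO2/WebAuthn defines. All values are constructed.
def _head(major, n):
    """CBOR initial byte (major type in the top 3 bits) followed by the argument n."""
    if n < 24:
        return bytes([(major << 5) | n])
    width = next(w for w in (1, 2, 4, 8) if n < 1 << (8 * w))
    return bytes([(major << 5) | 24 + width.bit_length() - 1]) + n.to_bytes(width, "big")

def cbor_encode(v):
    """Encode ints, byte strings, text strings and maps: the types a COSE_Key needs."""
    if isinstance(v, int):
        return _head(0, v) if v >= 0 else _head(1, -1 - v)  # negatives encode as -1-n
    if isinstance(v, (bytes, str)):
        b = v if isinstance(v, bytes) else v.encode("utf-8")
        return _head(2 if isinstance(v, bytes) else 3, len(b)) + b
    if isinstance(v, dict):
        return _head(5, len(v)) + b"".join(cbor_encode(k) + cbor_encode(x) for k, x in v.items())
    raise TypeError(f"unsupported type {type(v).__name__}")

def cbor_decode(data, pos=0):
    """Decode one CBOR item at pos; returns (value, next_pos)."""
    major, ai = data[pos] >> 5, data[pos] & 0x1F
    pos += 1
    if ai >= 28:
        raise ValueError("indefinite-length and reserved items are not supported")
    if ai >= 24:  # argument stored in the following 1, 2, 4 or 8 bytes
        width = 1 << (ai - 24)
        ai, pos = int.from_bytes(data[pos:pos + width], "big"), pos + width
    if major in (0, 1):
        return (ai if major == 0 else -1 - ai), pos
    if major in (2, 3):
        chunk = data[pos:pos + ai]
        return (chunk if major == 2 else chunk.decode("utf-8")), pos + ai
    if major == 5:
        m = {}
        for _ in range(ai):
            k, pos = cbor_decode(data, pos)
            m[k], pos = cbor_decode(data, pos)
        return m, pos
    raise ValueError(f"unsupported CBOR major type {major}")

# COSE_Key labels for an ES256 passkey: kty(1)=EC2(2), alg(3)=ES256(-7), crv(-1)=P-256(1),
# x(-2) and y(-3) hold the 32-byte affine coordinates (constructed here, not a real key).
def sample_cose_key():
    return {1: 2, 3: -7, -1: 1, -2: bytes(range(32)), -3: bytes(range(32, 64))}

def sample_record():
    """Constructed credential record (assumed field names): relying party, user handle, credential id, public key."""
    return {"rpId": "example.com", "userHandle": b"\x01\x02", "credentialId": b"\xaa" * 16, "publicKey": sample_cose_key()}
```

Only the public half of the key appears in the record; a real container would wrap the encoded bytes in a COSE encryption structure, which this example does not attempt.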
Developer Integration Guide
For app and credential manager developers, Apple will expose new APIs in AuthenticationServices.framework:
- ASPasskeyExportRequest: Initialize a transfer session and enumerate stored passkeys and credentials.
- ASPasskeyImportHandler: Register your app as a recipient of inbound passkeys, validating schemas and attestation statements.
- LocalAuthentication Prompt: Hook into Face ID/Touch ID prompts to confirm user consent.
Early adopters like 1Password and Dashlane have already integrated beta support; Microsoft has signaled plans to bring similar import/export tools to Windows 11 this fall, while Google’s Android 14 preview shows experimental FIDO2 data-schema handling.
Security Implications and Expert Opinions
Security researchers applaud the move. Dr. Emma Carr of the Institute for Security and Resilience Studies notes:
“Standardizing the passkey format and securing it with proven CBOR/COSE encryption eliminates many manual steps that historically weakened credential migrations. This greatly reduces attack surface.”
Analysts at Gartner predict that by 2026, 75% of enterprise IAM (Identity and Access Management) solutions will rely on cross-platform passkey interoperability, up from under 10% today.
Future Outlook and Industry Adoption
The FIDO Alliance’s latest newsletter lists more than 30 vendors—from Okta and NordPass to Devolutions—actively testing the new schema. Microsoft and Google are expected to finalize their own workflows before year-end, promising truly ecosystem-agnostic passkey mobility.
For end users, the era of “password islands” is ending. As more platforms adopt these open standards, migrating credentials will become as effortless as sending an AirDrop photo. The result: stronger security with no compromise in convenience.