October 16, 2024

The Fast IDentity Online (FIDO) Alliance has released a draft of a new specification aimed at facilitating the secure transfer of passkeys between various service providers.
Passkeys are a password-free authentication method that utilizes public-key cryptography, allowing users to authenticate themselves without the need to remember or manage complex passwords.
According to FIDO, passkey-based sign-ins are 75% quicker and 20% more successful than traditional password-based logins, underscoring the advantages of this technology.
Despite their convenience and resilience against phishing, one of the key challenges with passkeys has been the lack of a secure method for transferring them between different platforms or service providers.
For instance, passkeys created within Google’s Password Manager couldn’t be securely moved to Apple’s iCloud Keychain, creating a ‘vendor lock-in’ or ‘device lock-in’ scenario for users switching devices or platforms.
As a result, rather than offering greater flexibility, passkeys fragmented the user experience and left credential transfers between platforms without a secure, standard path.
Introducing standardized passkey migration
The newly proposed specification from FIDO seeks to solve the issue of secure credential transfers by establishing widely accepted standards, removing the hurdles and limitations when switching between providers.
The proposal consists of two distinct drafts: the Credential Exchange Protocol (CXP) and the Credential Exchange Format (CXF).
CXP outlines a method for securely transferring credentials between providers, using Diffie-Hellman key agreement and Hybrid Public Key Encryption (HPKE, RFC 9180) so that the credential data is protected end to end in transit and only the intended receiving provider can decrypt it.
CXF specifies a standardized format for the credentials being migrated, ensuring compatibility between providers and the integrity of the data. The format is JSON inside a ZIP archive, with each component encrypted as CXP specifies.
These drafts were developed with input from FIDO associate members and key stakeholders, including Dashlane, Bitwarden, 1Password, NordPass, and Google.
The FIDO Alliance, composed of major tech companies such as Google, Microsoft, Apple, Visa, Mastercard, PayPal, Intel, Samsung, Meta, and Amazon, aims to accelerate the adoption of passkeys, which currently protect over 12 billion online accounts.
These specifications are still in draft form and subject to revisions. Anyone interested in contributing to the development of the specifications can provide feedback via a GitHub page. The drafts will be updated over time to reflect any changes or additions, though no firm timeline has been provided for their finalization.