FIDO Alliance Introduces CSP & CXF: A New Way of Sharing Passkeys Securely

• FIDO Alliance, an open industry association, is working on a new way to share passkeys safely.
• Traditionally, passwords have been transferred through a CSV file. However, since it's not encrypted, passwords could easily be compromised during the transfer.
• FIDO has launched new specifications CXP and CXF to transfer passkeys securely with encryption.

A new standardized way to securely transfer your passkeys is here: CXP and CXF.

Previously, the only way to transfer passwords was through a CSV file. However, this was a risky affair. Why? Well, because there was no encryption. Without any encryption, threat actors could easily compromise and steal passwords during such transfers.

That's no longer the case, though. FIDO (Fast Identity Online) Alliance has introduced new specifications, known as Credential Exchange Protocol (CXP) and Credential Exchange Format (CXF) to securely transfer passkeys.

How Does the New Process Work?

The passkeys are encrypted in a CXF file and then the CXP is used to transfer it. This way, you can transfer your passwords from one password manager to another without worrying about security or compatibility.

However, the specifications are currently in the working draft phase, open to feedback and community review. The first draft has already been published (on October 14). Once the specifications are finalized, they'll be available for all password managers.

This project is the result of a collaboration between the FIDO Alliance's Credential Provider Special Interest Group. This also includes representatives from well-known tech companies and password managers, such as 1Password, NordPass, Bitwarden, Google, Microsoft, and Samsung. They have promised to implement the specifications as soon as they are released.

About FIDO Alliance & PasskeysThe FIDO identifies itself as an open industry association with the sole purpose of reducing our dependence on passwords and offering more security and privacy to users.

That's why, in 2022, it introduced passkeys: a passwordless way to log into your accounts.

Sign-ins with passkeys reduce phishing and eliminate credential reuse while making sign-ins up to 75% faster, and 20% more successful than passwords or passwords plus a second factor like SMS one-time-password (OTP)," the Alliance said.

What Are Passkeys?

Passkeys are a relatively new method of authentication. It consists of a pair of cryptographic keys: a public key that's stored on the server and a private key that's stored on the user's device.

When you try to log in using your private key, your device signs a challenge issued by the server using it. Next, the server verifies the sign using the public key.

This process makes passkeys much safer than regular passwords. Today, more than 12 billion online accounts are using passkeys.

However, transferring them has typically been complicated because there were no standardized means to do it. But if this new specification is approved, this hurdle will be gone for good.

Read more: How long does it take to crack a 12-character password?

The post FIDO Alliance Introduces CSP & CXF: A New Way of Sharing Passkeys Securely appeared first on Techreport.