WebAuthn Credential Exchange Protocol (CXP) & Format (CXF)

Passkeys are quickly becoming the gold standard in online authentication - offering a secure, phishing-resistant alternative to traditional passwords. Backed by the FIDO Alliance, passkeys are built on the WebAuthn and FIDO2 standards and use public-key cryptography to eliminate the risks of credential theft.

But as adoption accelerates, a key challenge has emerged: How do you import or export passkeys between different providers - say, from Bitwarden to 1Password or from Apple iCloud Keychain to Google Password Manager?

Unlike passwords, passkeys do not have a format that can be easily exported or imported. This lack of interoperability creates friction for users and increases the risk of vendor lock-in.

That’s where two emerging standards come in:

• The Credential Exchange Protocol (CXP): defines a secure mechanism to transfer passkeys between providers.

• The Credential Exchange Format (CXF): defines a standardized data format for the credentials themselves, like passkeys, credit card details or TOTP codes.

Together, CXP and CXF are designed to make passkey portability not only possible but secure, flexible and user-friendly. In this blog post, we’ll answer the following questions:

1. What’s is the Credential Exchange Protocol (CXP) and how does it work?

2. What’s is the Credential Exchange Format (CXF) and how does it look like?

3. What’s the current state of development of Credential Exchange Protocol and Credential Exchange Format?

As more users and organizations adopt passkeys, one critical challenge remains: moving credentials between platforms. Unlike passwords, which can be exported as simple text or CSV files (insecure as that may be), passkeys rely on cryptographic key pairs. That makes import / export far more complex and far more sensitive.

Here’s what’s currently broken in passkey migration:

• No Standard Format: Unlike CSVs for passwords, passkeys don’t have a universal representation. Every provider stores them differently.

• Insecure Transfers: In some rare attempts to support migrations, credentials have been exported in unencrypted formats, creating serious security risks (see this GitHub discussion).

• Migration Failures: Without a consistent structure, migrating passkeys between providers could fail causing loss of credentials or forcing users to re-create passkeys.

• Blocked by Policy: Enterprise environments could disable credential export entirely, fearing insecure transfers or compatibility issues.

• Vendor Lock-In: Without reliable ways to export passkeys, users become locked into their current provider - something that undermines user freedom and competition.

This problem isn’t hypothetical, it’s happening now. As people use multiple devices, browsers and apps to manage passkeys, the need to import passkeys from one ecosystem and export passkeys to another becomes urgent.

That’s why major players like 1Password, Dashlane, Bitwarden and NordPass teamed up in early 2023 to prototype a solution. The result: a collaborative effort to define open standards for secure credential exchange - Credential Exchange Protocol (CXP) and Credential Exchange Format (CXF).

To address the challenges of passkey migration, two complementary standards have emerged: the Credential Exchange Protocol (CXP) and the Credential Exchange Format (CXF). Backed by industry leaders including Apple, Google, Microsoft and 1Password, these specifications aim to make importing and exporting passkeys secure, standardized and interoperable.

The Credential Exchange Protocol (CXP) is a specification that defines a secure method for transferring credentials between two credential / passkey providers. Currently a Working Draft within the FIDO Alliance, its design is still evolving, but it aims to establish a standardized and secure channel for exporting credentials from a Sender and importing them to a Recipient.

While the details are not yet final, the protocol is expected to use Hybrid Public Key Encryption (HPKE) to ensure that credentials are encrypted end-to-end during transit. This robust cryptographic foundation will protect sensitive data from being intercepted or tampered with.

CXP is envisioned to be particularly important for third-party providers, like password managers, to facilitate credential exchange between different platforms, for example between browser extensions. In these scenarios, the need for a standardized and highly secure transport protocol is critical. Because it is still in an early draft stage, its final form and timeline for standardization are uncertain, with estimates pointing to early 2026.

The Credential Exchange Format (CXF) defines how credentials themselves are structured for exchange. It is currently in Review Draft status, meaning it is close to being finalized as a standard.

Unlike CXP, which handles the secure transfer, CXF focuses exclusively on the data format. It specifies a standard JSON-based structure for different types of credentials, ensuring that a credential exported from one provider can be correctly understood by another.

CXF defines types for:

• Passkeys (public-key-credential)
• Passwords (password)
• TOTP secrets (totp)
• Notes (note)

This standardized vocabulary is the key to interoperability. For example, both Apple and Google already use CXF for transferring credentials between native apps on the same device. Because the transfer happens locally, a dedicated transport protocol like CXP is not required.

By standardizing the structure, CXF eliminates issues like format mismatches or partial data loss during migrations. It is also extensible by design, allowing new credential types to be added in future versions without breaking backward compatibility.

As of late 2024, both the Credential Exchange Protocol (CXP) and the Credential Exchange Format (CXF) have reached different stages of maturity, with strong industry momentum behind them.

The development of CXP and CXF is being coordinated through the FIDO Alliance, with active contributions from major players like Apple, Google, Microsoft, 1Password, Bitwarden, and Dashlane.

This broad collaboration signals a shared commitment to making passkey portability a reality. In fact, several companies are already implementing solutions based on the drafts:

• Apple and Google will be using CXF for same-device, cross-app credential transfers.
• Third-party password managers are building prototypes based on early drafts of CXP to prepare for secure, cross-platform exchanges.

The two specifications are on different timelines:

• Credential Exchange Format (CXF) is in Review Draft. It is expected to be finalized as a formal standard before the end of 2024.
• Credential Exchange Protocol (CXP) is a Working Draft. Its path to standardization is longer, with a potential release in early 2026, as community feedback is integrated to ensure it is robust and secure for cross-platform use cases.

The draft specs are publicly available on the FIDO Alliance website, and feedback from developers is actively being encouraged to refine them before finalization.

To support early experimentation and implementation planning, the passkey ecosystem now includes:

• Passkeys Debugger: A platform that helps to debug WebAuthn requests in an understandable way.

• Passkey Community: A community of software developers and product managers discussing passkey-related questions.

• Passkey Subreddit: Dedicated subreddit to discuss news around passkeys and WebAuthn including about on CXP and CXF.

• passkeys.eu: Testing tools for developers to validate WebAuthn flows and passkey behavior

• CXP GitHub Draft: Full protocol message structure and cryptographic flow

• CXF GitHub Draft: ZIP file layout and credential packaging format

Although not yet fully standardized, CXP and CXF are clearly on track to become the final missing piece in the passkey puzzle - enabling secure, seamless import/export for users and organizations alike.

The Credential Exchange Protocol (CXP) and Credential Exchange Format (CXF) were born out of a need to make passkey import and export secure and seamless. But their potential doesn’t stop there.

These standards establish a blueprint for transferring any sensitive credential between providers - securely, reliably and across platforms. That opens the door to broader use cases in identity, authentication and even government-issued credentials.

One of the biggest concerns with current passkey adoption is vendor lock-in. Without a way to move credentials securely, users are often tied to their original provider - even if their needs change.

With CXP and CXF, we move toward a truly interoperable passkey ecosystem, where users and enterprises can:

• Migrate passkeys freely between providers

• Avoid duplicate credential creation

• Simplify device and platform transitions

This directly supports consumer choice, promotes competition and strengthens trust in the passkey model.

As Christiaan Brand, Identity and Security Group Product Manager at Google, put it:

“In the future, this could apply to mobile driver's licenses, passports—any secrets that you want to export somewhere and import into another system.”

Imagine securely transferring:

• Passkeys (public-key-credential)

• TOTP secrets (totp)

• Payment details (credit-card)

• Government IDs (identity-document)

all through the same, standardized exchange mechanism. That’s the future CXP and CXF are helping shape.

With encrypted, verifiable credential exchange becoming the norm, organizations will finally be able to retire insecure CSV exports, avoid error-prone manual processes and enforce encryption-first policies for all credential handling.

Whether in the consumer space, enterprise IT or public sector identity systems, this shift raises the default security bar - without compromising on usability.

The Credential Exchange Protocol (CXP) and Credential Exchange Format (CXF) represent a critical evolution in the passkey ecosystem. By addressing long-standing gaps in credential migration, they offer a secure, standardized framework for importing and exporting passkeys across different platforms and providers. While CXF standardizes the "what" (the data format) and CXP standardizes the "how" (the secure transfer), together they pave the way for true passkey portability.

With broad support from industry leaders and growing momentum in the FIDO community, these specifications are poised to remove one of the last major barriers to passkey adoption: portability.

For developers and organizations building passkey-based systems today, staying ahead of CXP and CXF is not just about future-proofing - it’s about enabling better user experiences, tighter security, and greater flexibility.

At Corbado, we’re following these developments closely and helping enterprises implement passkeys at scale - without vendor lock-in, user migration headaches or security compromises. As the ecosystem matures, we’ll be among the first to support CXP/CXF-based flows to make secure credential exchange a reality.

Passkeys are here. CXP and CXF will help them go everywhere.