Passkeys were supposed to solve one of passwords’ oldest problems where humans are terrible at creating and protecting secrets. I remember when the idea started gaining real momentum around 2022, and the FIDO Alliance pushed them into the mainstream.
Apple rolled them out in iOS 16, while Google brought them to Android and Chrome, and Microsoft followed across Windows and Edge.
When you sign in, a website sends a challenge that your device solves to prove it owns the private key, usually after you unlock with your fingerprint, face, PIN, or screen lock.
But they are deeply tied to whoever created them. If you created a passkey on an Android, that means Google’s Password Manager handled it, which means they're not portable. That's about to change.
Passing your passkeys to another device is going to be possible soon
Ecosystem lock-in isn’t a bad thing, until in this case, you try to leave with your digital identity. Thankfully, Google is now working on a way to let Android users move their passkeys between password managers. Your logins may soon move with you instead of staying tied to Google Password Manager.
Android Authority recently discovered the tech giant is testing the feature. They found the unfinished code inside the Password Manager and manually enabled hidden features that aren’t live for users yet.
After turning it on, they saw that Google had changed the current “Import passwords” and “Export passwords” options to “Import passwords & passkeys” and “Export passwords & passkeys”.
When they tapped “Import passwords & passkeys”, Android asked which password manager currently stores the passkeys. It then detected supported apps installed on the phone, such as Bitwarden in their test, and handed the transfer process over to that app.
Google is using a new protocol for passkey handoffs
Google seems to be using the Credential Exchange Protocol (CXP) to make passkey migration possible. Apple already supports this on iOS 26 and macOS 26.
For context, a passkey is supposed to be a cryptographic login credential that replaces passwords. It also solves the issue of a website getting hacked, and your unique combination leaking.
When you create one, it’s usually stored inside whichever system you’re using and normally isn't portable to other ecosystems. You had to log into every website again and create new passkeys one by one if you switched devices.
In comparison, a normal password is just text. You may decide to export it into a CSV file or even email it to yourself. CXP creates a secure handoff between two credential providers.
So if you decide to move your passkeys from Google Password Manager to Bitwarden, Google verifies Bitwarden is a trusted credential provider, establishes an encrypted session between the two apps, packages the credential with metadata, and transfers it directly app-to-app while keeping the private keys protected.
You may not see it yet, but it's great news given that a lot of websites still rely on usernames, passwords, SMS codes, or authenticator apps. Many banks don’t even support passkeys on their online platforms.
