The FIDO Alliance has published updated working drafts of its specifications for secure credential exchange, which are meant to enable users to move passkeys and other digital credentials across different platforms.
Passkeys replace passwords with cryptographic key pairs: the service stores the public key and the private key stays on the user's device. At login the user unlocks the private key with a biometric (a fingerprint or facial recognition) or a PIN, the device signs a challenge sent by the service, and the service verifies that signature with the public key it holds. Neither the private key nor a password ever crosses the internet.
There are two interrelated specifications pertaining to secure credential exchange. Credential Exchange Protocol (CXP) defines the process or “rules” for securely transferring credentials between two credential providers, either on the same or different devices. Credential Exchange Format (CXF) specifies the structure and format for the credentials being exchanged.
The latest Credential Exchange Protocol draft, dated October 3, 2024, supports both online and offline exchanges and uses a Diffie-Hellman key exchange to establish an encrypted channel between the two providers.
In this process the importing provider (the destination) initiates the request; once the user or another authorizing party approves it, the exporting provider (the source) encrypts the credentials and transmits them, and the importing provider decrypts and stores them. The protocol defines several response modes, including a direct exchange between providers and an offline exchange through a file, so it can work under different network conditions.
The Credential Exchange Format, in turn, specifies the data structures for credential types such as passkeys, credit card details and TOTP secrets. Credentials are stored as individually encrypted JSON Web Encryption (JWE) files inside a zip archive, so each item is protected on its own.
This format standardizes the way credentials are handled, preventing issues like data loss or insecure transfers during migrations between providers.
The CXF draft is likewise dated October 3, 2024 and supersedes a previous draft published in May 2024.
FIDO emphasized that these remain draft specifications, and are not yet ready for full implementation. FIDO and its stakeholders are asking for further review and feedback from the community, via the FIDO Alliance’s GitHub repo.
In a statement announcing the update, FIDO credited collaborative efforts between a number of tech companies working on its Credential Provider Special Interest Group, including 1Password, Apple, Bitwarden, Dashlane, Enpass, Google, Microsoft, NordPass, Okta, Samsung and SK Telecom.
Source: FIDO
October 21, 2024 – by Alex Perala