Google Password Manager Adds Passkeys, Future Export Teased

Google’s password manager within the Android operating system now supports the use of passkeys—offering users a more secure form of multi-factor authentication and even a complete alternative to traditional passwords. This advancement significantly reduces the risk of credential exposure in the event of a database breach on websites.

However, despite its growing utility, the password manager has yet to support exporting, importing, or cloud-syncing of passkeys. Consequently, if a user changes devices, performs a factory reset, or loses their device, all passkeys must be re-created individually for each service. Without a recovery method in place during passkey setup, users may be forced to contact customer support and provide identity verification documents to regain access.

In 2024, the FIDO Alliance announced the development of a cross-device and cross-platform passkey migration system. Google now appears to be working toward integrating this framework, streamlining the migration process while simultaneously implementing safeguards to prevent passkeys from being exported to potentially malicious applications.

According to a teardown by Android Authority of the Google Password Manager APK, strings related to passkey export functionality have been discovered, providing insight into how the export and import experience might look:

<code><string name="pwm_credential_export_confirmation_title">Export passwords & passkeys</string>
<string name="pwm_credential_export_no_credentials_description">You don’t have any passwords or passkeys to export from Google Password Manager for %1$s</string>
<string name="pwm_install_password_manager_dialog_text">Your device doesn’t have a password manager that supports automatically transferring your passwords and passkeys. If you already downloaded your passwords, you can try importing the CSV file.</string>
<string name="pwm_install_password_manager_dialog_title">Install a password manager</string></code>

<code><string name="pwm_import_credentials_dialog_description">Import passwords & passkeys from another password manager to Google Password manager</string>
<string name="pwm_import_credentials_dialog_instruction_1">On the next screen, choose the password manager that has your passwords & passkeys</string>
<string name="pwm_import_credentials_dialog_instruction_2">Sign in to the other password manager and follow their instructions</string>
<string name="pwm_no_credentials_imported_dialog_text">The other password manager didn’t share any passwords or passkeys.</string>
<string name="pwm_no_credentials_imported_dialog_title">Nothing imported</string></code>

<code><string name="pwm_export_credentials_blocked_importer_message">Export blocked for your protection</string>
<string name="pwm_export_credentials_blocked_importer_sub_message">The password manager you’re trying to export to doesn’t follow best practices</string></code>

To mitigate the risks of malicious misuse, Google appears to be implementing a vetting process for third-party applications that request passkey export. This measure is designed to ensure that only applications adhering to strict security standards can interact with sensitive user credentials.

Though the official rollout date remains uncertain, the inclusion of export and import capabilities will undoubtedly simplify the user experience during device transitions. Users will no longer need to unbind passkeys from each service manually before re-registering them on a new device.

Passkeys are a powerful replacement for passwords, and in some cases, simply possessing the associated email and passkey is enough to gain access to an account. Since email addresses are frequently compromised in breaches, safeguarding passkeys is critical. Unless absolutely necessary, users are strongly advised not to export passkeys—and under no circumstance should they be shared with others.

Related Posts:

• Passkeys: Microsoft’s Solution to 7,000 Password Attacks Per Second
• FIDO Alliance Unveils New Draft Specifications for Secure Credential Exchange