Portability without compromise: 1Password helps author a new standard for secure credential transfer

1Password Team

8 days ago

We’re excited to share that the FIDO Alliance has published the Credential Exchange Format (CXF) as a Proposed Standard – the first web standard co-edited by contributors from 1Password.

This milestone establishes the first common, extensible JSON format for moving credentials securely between providers. It means an end to the insecure, inconsistent CSV files that have been the only common option for migration until now. And it marks the first time 1Password has helped author a formal web standard.

CXF is designed to work alongside the Credential Exchange Protocol (CXP), which will enable the secure, encrypted transfer of these files between platforms. CXF defines what data gets exchanged while CXP will define how that exchange happens.

Why this matters

Credential portability is about more than convenience. It’s about security, choice, and trust.

Today, moving from one provider to another often means exporting sensitive data in plaintext CSV files. That’s risky for users and unmanageable at scale. Passkeys, in particular, haven’t had any safe migration path at all.

CXF and CXP solve this by providing:

A consistent format for all credential types, from passkeys and passwords to SSH keys, TOTPs, credit cards, and more.
An encrypted exchange mechanism (via CXP) that eliminates vendor lock-in.
A foundation that lets users, developers, enterprises, and governments move credentials without sacrificing security or control.

In short, CXF and CXP make true portability of these credentials possible for the first time.

How CXF works

CXF defines a standard JSON schema that any provider can use to represent credentials. Each export includes:

A header with metadata (format version, exporter ID, timestamp).
One or more accounts, which group together:

Collections (like folders or vaults).
Items, which hold credentials.

Every item can represent many types of secrets: passwords, passkeys, SSH keys, Wi-Fi credentials, API keys, and more. Each type has a standardized definition, so the data will be consistent no matter which provider exports it.

CXF also includes an extension mechanism. That means the format can evolve over time – for example, to support new sharing models – without breaking compatibility.

What’s new today

CXF was approved as a FIDO Alliance Proposed Standard in August 2025. This is the first published version (v1.0) and provides a solid foundation for providers and ecosystems to build on.

Implementations are already starting to appear:

Apple has introduced APIs for bulk importing and exporting credentials.
Google has introduced similar APIs for Android.
1Password and other FIDO members including Apple have demonstrated cross-platform passkey transfers powered by CXF.

It’s important to note that CXF only defines the format. Because the Credential Exchange Protocol (CXP) is still under development, today’s transfers are limited to local, on-device migrations. Cross-device and cross-platform exchanges will be possible once CXP is finalized and adopted by platforms.

This work is the result of industry-wide collaboration. Contributors include Dashlane, Bitwarden, Google, NordPass, Okta, Devolutions, and others, with 1Password’s René Léveillé, Nick Steele, and Max Crone among the editors.

What’s next

Publishing CXF is only step one. Work continues on the Credential Exchange Protocol (CXP), which will handle encrypted transfer across more use cases:

Device-to-device migrations.
Desktop and mobile transfers.
Secure backups and restoration.
Enterprise and government use cases with enforceable policies.

With CXF in place, the ecosystem now has a standard foundation to build on. The next step is ensuring those exchanges are safe, fast, and universal.

Closing thoughts

With the publication of CXF, migrating credentials no longer has to mean insecure plaintext files or vendor lock-in. The same portability people expect from passwords will soon apply to passkeys and every other sensitive credential.

This milestone shows what’s possible when the industry works together on open standards – and it’s just the beginning.