Mastodawn

iOS 26 (and OSes 26 in general) add an OS-facilitated way to securely migrate your passkeys, passwords, and other data saved in one password manager app to another. The details here are super interesting and are covered in the WWDC25 video “What's new in passkeys” (https://developer.apple.com/videos/play/wwdc2025/279). The rest of this post includes a summary of part of that video and other publicly-available information. (I am not breaking any kind of news here.)

- Data is sent from one app to the other without exporting any kind of file to a filesystem. This means it can’t accidentally be accidentally uploaded to an attacker attempting to compromise one or all of your accounts.
- There’s an OS API that password manager apps call to export their data. Then, securely and out-of-process, users select which app to send the data to. They are reminded of the scope of the data, and authentication with local biometrics or their passcode to confirm sending the data.
- The destination app is not revealed to the source app.
- Remember that crappy unstandardized CSV format for migrating passwords between password managers? It’s going to be a thing of the past, because…
- The data sendable via the API is explicitly based on the “Credential Exchange Format” (https://fidoalliance.org/specifications-credential-exchange-specifications/) standard. This standard is being developed in the FIDO Alliance, the standards body working on passkeys, but the spec covers far more than passwords and passkeys. In fact, it was co-developed by 1Password, Dashlane, and others. There’s a collection of Swift structs in the SDK implementing the standard, with as few modifications as possible.
- The data format part of the API is versioned so it can evolve as the Credential Exchange Format does.

I know it’s taken some time for this to come to fruition, but I hope that delivering a phishing-resistant credential migration process based on open standards (with a credential format standardized for the first time!) makes up for the delay. As I have said since day 1, your passkey data is yours. Passkeys are not a form of “vendor lock-in”.

What’s new in passkeys - WWDC25 - Videos - Apple Developer

Discover how iOS, iPadOS, macOS, and visionOS 26 enhance passkeys. We'll explore key updates including: the new account creation API for...

Apple Developer

‘Tad’ Sander 🍉🌻Jul 12, 2025

@rmondello Oh nice! I was just mulling over moving and grumbling about the task ahead. I’ll wait. Thanks for sharing!

lj·rk Jul 12, 2025

@rmondello This is awesome! Is there some kind of public roadmap for this? There were/are a few issues which resulted in ruling out using Apple Passwords but I'd like to know whether these may be addressed in the future. E.g.,

• Password change history
• Combined saving of Passkey & Password+TOTP as "one" entry
• Better support for multiple accounts at the same service
• Linux client, at least for VMs
• A more flexible permission model for sharing credentials (e.g., read-only)
• Something like a HIBP integration

(And I don't want to nag you with each of these issues, this is your private acc after all, I just am at loss where to look :~)

mathew Jul 12, 2025

@ljrk @rmondello The thing that prevents me from switching to Apple Passwords is the lack of support for a legacy contact. That’s why I’m using BitWarden.

lj·rk Jul 12, 2025

@mathew @rmondello Yup. I'm not even of the opinion that Apple Passwords should match each and every feature, but since it's soooo much improving in the last years I'd just wish to know whether it'll be an option soon-ish ^^'

Nit Jul 15, 2025

@ljrk @rmondello history is coming in iOS and macOS 26:

https://www.macrumors.com/2025/06/13/apples-passwords-app-gains-version-history-feature/

Apple's Passwords App Gains Version History Feature

Apple's Passwords app is getting a handy new feature in iOS 26 and macOS Tahoe that should eliminate a particularly frustrating password...

MacRumors

Robert Gaugl Jul 12, 2025

@rmondello Great work! One question that’s not clear for me from the video and other info I gathered: Does it only work for exporting/importing complete password libraries or does it also work for single passkeys. Eg I want to copy one passkey from Password.app to 1Password for backup reasons.

Andrew Wade Jul 12, 2025

@rmondello @siracusa thanks! This looks super useful. Wait, did your team do this or some random on LinkedIn? 😜

Resuna Jul 12, 2025

It has the potential of becoming something that's not vendor lock-in and a potential denial of service, but I really won't be happy until it's not Apple specific, and I can export it to an encrypted file in Dropbox or on a flash drive that is in an open format that I have the source code to.

cthos 🐱Jul 12, 2025

@rmondello Implementing CXP is fantastic, but has anyone else shipped CXP support yet? Apple's implementation is the only one I've seen so far.

Shantini Jul 12, 2025

@rmondello OSes 26 is taking me out 😆

@rmondello sounds like the meme about standarts

Ralf Koller Jul 12, 2025

@rmondello does that mean it would be possible to sync passkeys between macos and ios without the need of the icloud keychain? that was the detail that held me back testing and using passkeys so far (as far as i understood its functionality). cuz i dislike if that kind of information is leaving my local network. i usually use the usb sync, syncing data between my mbp and my iphone.

Brandon Butler Jul 12, 2025

@rmondello Will the passwords App Store more types of data? For example software keys?

Eleanor Saitta Jul 12, 2025

@rmondello
I really hope this all comes true. What I've seen all far is mostly sites breaking their yubikey flows in ways that put higher-risk users at risk.

Brian Costa Jul 12, 2025

@dymaxion @rmondello Like Discord currently does, where in a User can authenticate via YubiKey on a mobile device, but not on the Desktop version of their App.

@rmondello So cool!

Carlos Solís Jul 12, 2025

This is the kind of innovation the #XDG should copy!

Jim Zajkowski Jul 12, 2025

@rmondello hey Ricky, will the 26 releases address the password UI search speed? It takes > 1 second per keydown in Safari’s popup. The Passwords app is reasonably fast, but not exactly a screamer.

Leon Cowle Jul 12, 2025

@rmondello Ricky, would this export/import also then allow for syncing between password managers (if this is a future feature, I know you can’t talk about those!)? It would be awesome to have 2 (or more?!) password managers permanently in sync with each other. Eg. to use the OS one in Safari and another one in a browser that doesn’t support the native OS one. Or one on your Apple OS syncing to a 3rd party one that can be used on your non-Apple OSes.

Felipe 🐁Jul 12, 2025

@rmondello Just watched the full video, exciting! Thank you for sharing!

blobfoxcomputer

Gracjan Nowak Jul 12, 2025

@rmondello I’m glad that the new OSes bring easy importing and exporting of passkeys and other credentials. I was confident this feature would come, but I got tired of the cynicism behind accusations that passkeys were designed for vendor lock-in. I understand that having to wait a few years for it was not ideal, but the people working on this feature simply wanted to do it right this time, instead of another half-baked solution like we had before with CSV.

Graham Ballantyne Jul 12, 2025

@rmondello This reminded me to actually file a couple of Feedbacks about some papercuts in Passwords (and/or Safari AutoFill) (1/2)

FB18803849: Passwords/Safari auto-fill: add option to not auto-submit TOTP codes. TL;DR: Safari automatically hits "submit" when filling a 2FA code, meaning that if I want to click the "remember me" checkbox that is common on these forms, I have to remember to do it first.

Graham Ballantyne Jul 12, 2025

@rmondello (2/2)

FB18803991 Allow Passwords to record more input fields: some websites require more than a username or password, such as my health insurance (requires username, group plan number, and password). Some 3rd-party password managers allow adding additional fields, usually named for the HTML input name, and will fill them. With Apple Passwords, I have to put it in the notes field, and look it up and paste whenever I log in.

Thanks, and I hope you're having a fantastic summer!

iBleedIn6Colors Jul 12, 2025

@rmondello @siracusa Apple still keep turning on iCloud Keychain with each and every update. “Accidentally”, of course. 🤐 To prevent this I needed to install a MobileConfig file… 🙄
And without handing over my passwords to Apple (aka iCloud Keychain), I’m not even able to use passkeys. 😵‍💫
Taking away choices from users is the worst thing, Apple can do. And they keep doing so.

Nicolás Alvarez Jul 15, 2025

@iBleedIn6Colors @rmondello @siracusa iCloud Keychain does not hand over your passwords to Apple. They can't see your passwords.

SnowFox Aug 19, 2025

@nicolas17 @iBleedIn6Colors @rmondello @siracusa That assumes the design is sound and that the attacker can't guess your passcode or defeat HSM security measures (both of which could be done by a government-funded attacker with access to CCTV or billions to spend on attacking HSMs).

Or even: If I go into an Apple store and need to passcode-unlock my phone then they likely have it on CCTV, and then Apple absolutely *can* read my passwords.

It's a billion times better than Google/Chrome's "password manager" (at least without a "custom sync passphrase") but it's still something I would prefer not to have to trust. It is not unreasonable to want to keep passwords somewhere that would require a search warrant in the owner's jurisdiction to access.

iBleedIn6Colors Aug 19, 2025

@snowfox @nicolas17 @rmondello @siracusa Another concern is syncing.

When using shortcuts, I constantly get prompted with “syncing conflicts”. Yes, they built a whole sheet to display it in detail and let the users decide what to do. 😵‍💫 And deleting a shortcut mostly (but not always) means I have delete it multiple times on multiple devices to finally get rid of it.

In Safari on iPhone I see “ghost tabs”, iCloud tabs from my Mac which are weeks old. Unable to delete. (1/2)

iBleedIn6Colors Aug 19, 2025

On the other hand, notes, reminders, calendar events and contacts sync like a charm. I never got prompted with a sheet complaining about conflicts with these. Once there must have been some guys at Apple who know how to implement syncing in a way that actually works.

How will passwords sync? Properly like contacts? Or will it be cumbersome like the other stuff, proudly presented by the guys who once made MobileMe and then created discoveryd? 🥴 (2/2)

John Siracusa Aug 19, 2025

@iBleedIn6Colors Apple Passwords syncs reliably for me.

iBleedIn6Colors Aug 19, 2025

@siracusa Good to know that syncing is properly working here. 👌🏻 But Apple Passwords isn’t even close to what I've been used to for years. How to store multiple passwords for a record? How to add files like login certificates or SSH keys?

But actually I’m happy with KeePassium, providing 2FA and passkey support including auto-fill for my local KeePass file - which is stored OUTSIDE KeePassium! 😍 It’s inside GoodReader and under its fire proven SMB sync. Works locally and via VPN. 150% reliable.

Brian Costa Jul 12, 2025

@rmondello One of my biggest things is will the new OSs treat 3rd party password managers as 1st class citizens as if they were the Passwords App. macOS currently does not even list them in the Auto Fill section of Settings. And iOS has a few extra hops to do while Passwords does not. Examples for iOS attached.

Torstein Jul 13, 2025

@rmondello 💪❤️

Thomas Tempelmann Jul 15, 2025

@rmondello I wonder: If I am still using systems that do not support passkeys, such as older macOS systems, should I allow websites to switch me to using passkeys? I have the impression that this will break my old style logins with those sites.

Nina "Erina" Satragno 💫Jul 15, 2025

@rmondello I'm so glad we didn't go with CREEP for the protocol name.

whereami Jul 15, 2025

@rmondello while this is impressive, it doesn’t solve many of the concerns. Sure, you can switch between vendors if you have access, but what if your password manager vendor (or OS) locks you out before you can switch, whether accidentally, intentionally, or unwillingly at the instruction of an authoritarian regime? Now you’ve lost all your accounts at once.

whereami Jul 15, 2025

@rmondello It also may not lock you into one specific vendor, but it does lock you in to using at least one of the vendors. A group of conpanies who make huge piles of money from having users store their credentials… have got together to implement a “standard” that will require users to store their credentials, and are now lobbying sites to make their users use it.

Jonathan Lang Jul 18, 2025

@rmondello that sounds awesome!
Does the standard mean Passwords.app will support more than logins? So migrating notes out of 1Password for example…

Tanner B 🆓🇵🇸Jul 20, 2025

@rmondello Hey Ricky. Do you know when I'll be allowed to create and store a passkey for my Apple ID in a third party browser?

Ricky Mondello Jul 21, 2025

@objc As soon as that becomes possible, if it ever becomes possible, I will let you know. (I very, very, very badly want it to happen.)

Tanner B 🆓🇵🇸Jul 21, 2025

@rmondello I'm just glad to know you feel the same way at the least 🙏🏻

Iljitsch van Beijnum Aug 19, 2025

@rmondello Does using passkeys still require iCloud syncing? That is a non-starter for me. (Or MacOS 26 in the first place, as they're effectively dumping Intel, even for my 2020 Mac Mini.)

Gabe Hannan Oct 9, 2025

@rmondello do you know if 1Password has implemented this to export out of their app to another one like Passwords? I cannot find any mention of it in their help docs.

Ricky Mondello Oct 9, 2025

@gabehannan I don’t think they’ve shipped this yet, no.

Ricky Mondello Oct 9, 2025

@gabehannan Knowing how on top of things they are, should only be a matter of time.