iOS 26 (and OSes 26 in general) add an OS-facilitated way to securely migrate your passkeys, passwords, and other data saved in one password manager app to another. The details here are super interesting and are covered in the WWDC25 video “What's new in passkeys” (https://developer.apple.com/videos/play/wwdc2025/279). The rest of this post includes a summary of part of that video and other publicly-available information. (I am not breaking any kind of news here.)

- Data is sent from one app to the other without exporting any kind of file to a filesystem. This means it can’t accidentally be accidentally uploaded to an attacker attempting to compromise one or all of your accounts.
- There’s an OS API that password manager apps call to export their data. Then, securely and out-of-process, users select which app to send the data to. They are reminded of the scope of the data, and authentication with local biometrics or their passcode to confirm sending the data.
- The destination app is not revealed to the source app.
- Remember that crappy unstandardized CSV format for migrating passwords between password managers? It’s going to be a thing of the past, because…
- The data sendable via the API is explicitly based on the “Credential Exchange Format” (https://fidoalliance.org/specifications-credential-exchange-specifications/) standard. This standard is being developed in the FIDO Alliance, the standards body working on passkeys, but the spec covers far more than passwords and passkeys. In fact, it was co-developed by 1Password, Dashlane, and others. There’s a collection of Swift structs in the SDK implementing the standard, with as few modifications as possible.
- The data format part of the API is versioned so it can evolve as the Credential Exchange Format does.

I know it’s taken some time for this to come to fruition, but I hope that delivering a phishing-resistant credential migration process based on open standards (with a credential format standardized for the first time!) makes up for the delay. As I have said since day 1, your passkey data is yours. Passkeys are not a form of “vendor lock-in”.

Want to chat 1-on-1 with Safari and WebKit engineers during #WWDC25? Our teams are hosting labs this week — it’s your chance to ask questions, share feedback, and connect directly with the folks behind the browser.

https://developer.apple.com/wwdc25/sessions-and-labs/topics#safari-web

Requesting a lab appointment is available to members of the Apple Developer Program — if you're already a member, this is one of the best perks of the program, so I encourage you to take advantage of it!

Hope to see you there!

We have 7 videos on web technology at WWDC25!!
- What’s new in Safari and WebKit
- What’s new for the spatial web
- Learn more about Declarative Web Push
- What’s new in passkeys
- Verify identity documents on the web
- Unlock GPU computing with WebGPU
- Meet WebKit for SwiftUI

https://webkit.org/blog/16987/web-technology-videos-at-wwdc25/