Google Password Manager Gains Passkey Import/Export Support on Android
Android’s built‑in password manager now contains a hidden feature that lets users import and export passkeys, hinting at imminent support for the FIDO Credential Exchange Protocol and smoother cross‑device migration.

Passkeys have been gaining traction as a more secure and user‑friendly alternative to passwords. By storing a private key locally on a device and pairing it with a public key registered on a service, users can log in with a simple biometric or PIN check. The model eliminates the need to remember complex strings and mitigates phishing attacks because the private key never leaves the device.
Why Passkey Migration Matters
The biggest practical hurdle for many users is moving that private key when they switch phones. If the key stays locked to a broken or sold device, the user must re‑register on every service—a tedious process that defeats the convenience argument.
The Credential Exchange Protocol (CXP), championed by the FIDO Alliance, defines a standard way for devices to securely exchange passkeys. Apple’s iOS 16/macOS 13 ecosystem, as well as third‑party managers like Bitwarden and 1Password, already support CXP, allowing a user to scan a QR code or use a near‑field link to transfer keys between devices.
What Google Has Been Hiding
Android Authority discovered a hidden toggle inside the Google Password Manager that unlocks both an Import and an Export button for passkeys. The UI is not exposed in the stable release, but once activated it shows a straightforward flow:
- Export – The manager creates a cryptographically sealed file containing the selected passkeys. The file can be saved locally or shared via a secure channel (e.g., encrypted Bluetooth).
- Import – A second device can open the file, verify the encryption using the user’s biometric lock, and add the keys to its own store.
These steps mirror the CXP workflow, meaning Google has already built the underlying plumbing. The missing piece is the public UI and integration with Google Play Services, which orchestrates key exchange between password managers on Android.
Implications for the Android Ecosystem
- Broader Compatibility – Once Google releases the UI, any Android password manager that integrates with Play Services (including Samsung Pass, Motorola’s Password Vault, and third‑party apps) will inherit the same migration capability.
- Reduced Lock‑in – Users will no longer be forced to stay within a single vendor’s ecosystem to keep their passkeys. Exporting to a standard file means you could move from Google Password Manager to Bitwarden or 1Password without losing any credentials.
- Security Assurance – Because the export file is encrypted with a key derived from the device’s biometric lock, the data remains protected even if the file is intercepted. The protocol also includes a short‑lived session token to prevent replay attacks.
- Developer Signal – The hidden feature suggests Google is testing the implementation internally. Developers building password‑manager apps can start preparing for CXP support by checking the latest Play Services SDK documentation.
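The freshness check mentioned under Security Assurance can be sketched from the importing side. This is an added example, not Google's code or the CXP wire format. The envelope layout, the 120-second lifetime, the PBKDF2 stand-in for a lock-derived key, and every name in it are assumptions, and the passkey bundle is treated as already-encrypted opaque bytes.

```python
import hashlib, hmac, json, secrets

TOKEN_TTL = 120  # seconds; assumed value, the article gives no lifetime

def derive_key(unlock_secret: bytes, salt: bytes) -> bytes:
    # Stand-in for a key released by the device lock (assumption).
    return hashlib.pbkdf2_hmac("sha256", unlock_secret, salt, 200_000)

def _tag(key: bytes, header: dict, blob: bytes) -> str:
    # Bind token, expiry and ciphertext together under one MAC.
    msg = json.dumps(header, sort_keys=True).encode() + b"." + blob
    return hmac.new(key, msg, hashlib.sha256).hexdigest()

def seal_export(key: bytes, blob: bytes, now: float) -> dict:
    # blob is the already-encrypted passkey bundle (opaque here).
    header = {"token": secrets.token_hex(16), "expires": int(now) + TOKEN_TTL}
    return {"header": header, "blob": blob.hex(), "tag": _tag(key, header, blob)}

class Importer:
    def __init__(self, key: bytes):
        self.key = key
        self.seen_tokens = set()  # tokens already consumed by this store

    def accept(self, env: dict, now: float) -> str:
        try:
            header, blob = env["header"], bytes.fromhex(env["blob"])
            expected = _tag(self.key, header, blob)
            if not hmac.compare_digest(expected, str(env["tag"])):
                return "rejected: bad tag"      # tampered, or wrong key
            if now >= header["expires"]:
                return "rejected: expired"      # token outlived its window
            if header["token"] in self.seen_tokens:
                return "rejected: replayed"     # same export offered twice
        except (KeyError, TypeError, ValueError):
            return "rejected: malformed"
        self.seen_tokens.add(header["token"])
        return "accepted"

if __name__ == "__main__":
    # Constructed sample values, not real credentials.
    key = derive_key(b"constructed-unlock-secret", b"constructed-salt")
    imp = Importer(key)
    env = seal_export(key, b"constructed ciphertext", now=1_000)
    for t in (1_010, 1_020, 2_000):
        print(t, imp.accept(env, now=t))
```

The tag is verified before the expiry and token are trusted, so an attacker cannot extend the window or swap the token without the key.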
What to Expect Next
Google has not announced a timeline, but the presence of a functional UI indicates a rollout could appear in a future Android 15 patch or as part of a dedicated Password Manager update. Keep an eye on the Android developer blog and the Google Password Manager release notes for a formal announcement.
In the meantime, users who are comfortable with experimental features can enable the hidden toggle via the Developer Options menu (search for “Passkey migration” under the Password Manager settings). Remember that this is an unofficial method; data loss or incompatibility is possible, so back up any critical credentials before testing.
Bottom Line
Passkey adoption on Android is moving from a niche feature to a core part of the platform’s identity management. By unlocking import and export capabilities within Google Password Manager, Google is laying the groundwork for seamless, cross‑device migration and stronger competition with iOS‑centric solutions. When the feature goes public, users can finally enjoy the convenience of passkeys without fearing a device upgrade will force a painful re‑registration marathon.

Sources: Android Authority leak, FIDO Alliance specifications, Google Play Services documentation.
