
Google Passkey Transfer on Android: Import and Export Options Revealed

A dormant interface inside Google Password Manager on Android has been activated by researchers, exposing new settings that extend import and export options to cover passkeys alongside passwords. The discovery is the most concrete evidence yet that Google passkey transfer on Android is in active development. Android Authority reported last week that the mechanism has not been switched on for users, and Google has not confirmed the feature in public.

The timing matters. Until now, creating a passkey on Android meant committing it to Google Password Manager with no supported path out. Users who already pay for Bitwarden, 1Password, Dashlane, or any other third-party vault had no way to consolidate those credentials into their preferred manager, and no way to leave Google's system without manually recreating every passkey from scratch. For anyone who's been sitting on the fence about adopting passkeys on Android, that constraint has been a legitimate reason to wait.

Passkeys had already been used to authenticate more than a billion sign-ins across over 400 million Google Accounts, according to Google's own reporting from two years ago. That number represents a lot of credentials tied to a single manager with no exit ramp. Apple, meanwhile, has already shipped passkey transfers to third-party managers with iOS 26 and macOS 26, per Android Authority, leaving Android visibly behind on a capability that will likely become a baseline expectation.

Why the lock-in has mattered

Google confirmed in late 2024 that passkeys on Android could only be saved to Google Password Manager, not to any third-party vault, per Google's own announcement. The limitation was never about third-party managers lacking the technical groundwork. Apps like 1Password and Dashlane already use Google's own passkey management APIs on Android, Google noted in May 2024. The problem was that passkeys already sitting inside Google Password Manager had no supported exit.

That distinction is worth holding onto. The infrastructure for third-party passkey support existed. The portability layer did not.

Passkeys are roughly 50% faster than passwords at sign-in and phishing-resistant in ways that SMS one-time codes are not, according to Google. Daily usage on Google Accounts already surpasses SMS codes and authenticator app codes combined. The faster passkeys displace passwords across more accounts and services, the more expensive it becomes to be locked into a manager you'd prefer to leave or one that doesn't fit how you manage credentials across platforms.

Who feels this most sharply depends on the user. Someone who defaults to Google Password Manager and has no particular reason to switch may find the lock-in barely registers. For someone who pays for a third-party vault and wants all credentials in one non-Google system, it has been a genuine sticking point. For privacy-conscious users who would rather not have Google holding their entire authentication layer, it has been a reason to avoid passkeys on Android altogether.

Import and export passkeys on Android: what the hidden flow shows

Last week, Android Authority activated the dormant interface by making changes beneath the surface of Google Password Manager. The existing "Import passwords" and "Export passwords" settings entries were replaced by expanded versions reading "Import passwords & passkeys" and "Export passwords & passkeys," indicating that passkey portability is being actively built out, even without a public launch.

The import flow works like this: tapping the option prompts users to select which password manager currently holds their credentials, then surfaces a list of compatible apps installed on the device. Bitwarden appeared in the example shown. Selecting it routes users into that app to complete the transfer of passwords, passkeys, and other stored items into Google Password Manager, per the same report.

The export side is designed differently, and the design choice is deliberate. There is no direct "send to another app" button. Instead, the mechanism is contextual: users would be prompted to transfer their passkeys when they open a different password manager app. The handoff is app-initiated rather than file-based. There is no indication of a downloadable local file that could be intercepted or copied, which aligns with how seriously Google has built out its existing passkey security infrastructure.

That infrastructure already includes meaningful access controls. Android's Identity Check feature requires biometric authentication to access passkeys outside trusted locations, per Google's January 2025 update. Any transfer system would need to operate within that boundary. The app-initiated export design suggests Google is building with that constraint in mind rather than around it.

Compatibility appears tied to the Credential Exchange Protocol (CXP), the transfer standard underlying the feature. Only managers that have adopted CXP would be able to participate, meaning portability, when it arrives, could initially cover a subset of apps rather than every manager on the market, Android Authority noted. Google, Apple, and Samsung are among the CXP backers identified in that report. Whether smaller or independent managers have adopted the protocol is not yet clear.

What remains unknown before this ships

The gaps are considerable, and worth naming clearly.

No timeline has been confirmed. Android Authority was unable to determine when the feature might go live, and Google has not publicly acknowledged that it exists. This is evidence of active development, not an imminent launch.

Several practical questions remain open. It is not yet clear whether transfers can be done in bulk or must be completed one credential at a time. Which managers beyond Bitwarden are CXP-compatible and ready to participate at launch is unknown. What specific Android version, Play Services update, or Google Password Manager release would trigger availability has not been disclosed. And what authentication the transfer flow itself will require (whether a biometric step, the Google Password Manager PIN, or both) has not been specified.

The PIN detail is not trivial. When Google introduced cross-device passkey syncing in late 2024, it tied access to a six-digit PIN that provides end-to-end encryption and prevents even Google from accessing stored passkeys, per that announcement. A transfer system moving those same end-to-end encrypted credentials between managers will need to handle that layer carefully. The architecture of the export flow (app-initiated, not file-based) suggests Google has thought about this, but the details haven't been made visible yet.

For users who have held off on passkeys specifically because of portability concerns, the hidden interface offers something real: evidence that the constraint is not permanent by design. But it has not been lifted yet. Users for whom portability is non-negotiable today are still better served by iOS, where the equivalent feature has already shipped.

The open standard argument, tested

Google helped establish passkeys as an open, cross-industry standard alongside Apple, Microsoft, and the FIDO Alliance, framing them that way since 2023. The "open standard" framing has always carried an implicit promise: that credentials built on this foundation wouldn't become proprietary data trapped inside one company's system.

A transfer mechanism that lets Android users actually move passkeys between password managers is the piece that makes that promise feel operational rather than theoretical. Without it, passkeys on Android have been open in architecture but closed in practice, a distinction that matters to anyone who has to live with the consequences of credential lock-in.

How useful the feature turns out to be will come down to two things: how many managers support CXP when the transfer capability goes live, and what the authentication flow requires of users in practice. A feature available only to users of a handful of major managers, requiring multiple verification steps, will serve a narrower audience than one that covers the long tail of CXP adopters and keeps the transfer frictionless.

The hidden interface suggests Google is building toward portability. Whether the final implementation is broad enough to matter (for the user who keeps their vault in a smaller manager, or who just wants a clean migration path) will only become clear when Google actually ships it.
