Secrets 4.4: Credential Exchange

Posted by Paulo on February 11, 2025

Version 4.4 introduces a couple of new features and various bug fixes:

• Credential Exchange API – Enables seamless password and passkey transfers
• Password Character Indices – Helps users quickly identify required password characters

The first feature is particularly important for the portability of your passwords and passkeys, as it relates to a new API Apple introduced in iOS 18.2 and macOS 15.2. The other is a long-requested quality-of-life improvement.

Credential Exchange

As expected, passkey adoption has been slow but steady. One major issue preventing some users from adopting them is that neither Apple’s Passwords app nor many password managers offer an option to export them, making it harder to switch platforms or password managers.

Secrets, on the other hand, has always allowed users to export any passkeys it stored. However, since no other password manager could import them, this feature was primarily useful for backups rather than migrations.

The good news is that the FIDO Alliance has been working on a standard to address this issue, and Apple has shipped its initial implementation in iOS 18.2 and macOS 15.2.

The new “Credential Exchange” specification not only defines how passkeys should be exported and transferred, but it also encompasses other types of credentials, such as traditional username/password pairs.

This is significant because it not only solves the problem of transferring passkeys but also establishes a common platform for moving secrets between password managers. As of this writing, Secrets supports importing items exported from eight different password managers. That requires a lot of code and reverse engineering to handle mostly undocumented file formats.

With this new API, password managers that adopt it will become compatible with each other. Additionally, because no file transfers are involved, the process is both easier and more secure for users.

Here's how simple transferring data from the Passwords app to Secrets will be.

This new API is still a work in progress. Currently, it supports passkeys, username/password pairs, one-time passwords, credit cards¹, and notes. However, support for file attachments, for example, is still missing.

Additionally, given the preview nature of this API, Apple still has it behind developer toggles:

• In iOS or visionOS, open the Settings app and enable the Settings > Developer > Credential Exchange switch.
• In macOS, enter the following command in Terminal:

  defaults write com.apple.AuthenticationServices.Developer CredentialExchangeEnabled -bool YES
  

I personally believe this API is crucial for the health and openness of the industry and hope other password managers adopt it. Broader adoption will accelerate testing and validation, allowing Apple to remove these developer toggles sooner rather than later.

Password Character Indices

Although not very common, some websites — particularly banks — ask for only a subset of your password’s characters instead of the entire password. Each time you log in, the website will request three or four randomly selected characters from your password by specifying their positions (e.g., the 1st, 4th, and 9th characters).

Until now, you had to reveal your password in Secrets and manually count the characters to determine which ones to enter. With this update, Secrets makes the process easier by giving you the option to display the index of each character beneath your password.

After revealing a password, a new “Show Indices” option appears. Selecting this will display the indices, making it easier to pick out the correct characters when logging in.

This update makes Secrets more powerful and user-friendly. We hope you find these improvements useful! 🚀

Footnotes

1. Although the API supports credit cards, the Passwords app can't import or export them. Other password managers can however. ↩