How to Transfer Passwords and Passkeys on Android with Credential Exchange
Android can finally move passwords and passkeys between Google Password Manager and apps like Bitwarden and 1Password without a risky CSV file.
For years, moving your saved logins off of Android meant exporting a plain-text CSV file full of your passwords. That changed with the June 2026 Google Play services update, which adds support for the new Credential Exchange standard. You can now move both passwords and passkeys between Google Password Manager and third-party apps without ever writing a sensitive file to disk. The handoff is encrypted end-to-end, app-to-app, and it finally lets passkeys travel, something CSV never could.
Quick answer
Update Google Play services to version 26.21 or later, then start the transfer from either end: choose Import passwords and passkeys in the destination app (Bitwarden, 1Password, Dashlane) or Export passwords and passkeys in Google Password Manager. The handoff runs app-to-app, end-to-end encrypted with HPKE, so no plain-text CSV is ever written to disk, and for the first time your passkeys move intact. You authenticate with your device unlock to release credentials, and Google blocks exports to apps that fail its security checks.
Key takeaways
- Credential Exchange replaces CSV exports with an encrypted, app-to-app transfer, no plain-text file ever touches your storage.
- It is built on two FIDO Alliance standards: the Credential Exchange Protocol (CXP) and Credential Exchange Format (CXF).
- Passkeys move intact for the first time, since CSV could never represent cryptographic key pairs.
- It arrived with Google Play services 26.21, rolling out from June 1, 2026.
- A built-in guardrail blocks exports to apps that fail Google's security checks ("Export blocked for your protection").
What Credential Exchange actually is
Credential Exchange is built on two new open specifications from the FIDO Alliance: the Credential Exchange Protocol (CXP) and its companion data format, the Credential Exchange Format (CXF). Together they define a secure, standardized way for one password manager to hand credentials to another.
The important part is how the transfer happens. Instead of generating a CSV that sits unprotected in your Downloads folder, the handoff is end-to-end encrypted using Hybrid Public Key Encryption (HPKE) and occurs app-to-app on the device. Neither the source manager nor any intermediary can read the data while it is in motion, and the sensitive material is never written to a file that malware, a backup, or a nosy app could later read.
Note
This feature became official with Google Play services version 26.21, which began rolling out on June 1, 2026. Make sure your Play services are up to date before you try it.
Why CSV exports were a problem
The old CSV route had two big weaknesses. First, the file was completely unencrypted, so anyone who got hold of it had every password in clear text. Second, CSV could not represent passkeys at all. Passkeys are cryptographic key pairs, not strings, so there was simply no safe, standard way to carry them between managers. Credential Exchange solves both issues at once.
Here is how the old and new transfer methods stack up:
| Factor | Old CSV export | Credential Exchange (CXP/CXF) |
|---|---|---|
| Encryption | None; plain text on disk | End-to-end with HPKE, app-to-app |
| File written to storage | Yes, readable by anyone | No file ever written |
| Passkeys | Cannot be represented | Move intact |
| Cross-manager portability | Manual, lossy | Standardized via FIDO specs |
| Safety guardrail | None | Blocks exports to untrusted apps |
This matters more every year as passkeys go mainstream. If you are still mostly on passwords, our guide to setting up passkeys in 2026 walks through making the switch on each major platform first.
What you need before you start
To use the new transfer flow, confirm the following:
- Your device is running a current version of Google Play services (26.21 or later).
- Both the source and the destination app support the Credential Exchange standard. Google Password Manager supports it, and third-party managers including 1Password, Bitwarden, and Dashlane have been adding support.
- You have your device unlock method ready, since the system will ask you to authenticate before releasing credentials.
How to transfer your credentials
The flow is intentionally simple and is driven by the apps themselves rather than a buried settings menu. You can start from either end, choose Import passwords & passkeys in the destination manager, or Export passwords & passkeys inside Google Password Manager.
Importing into a third-party manager
- Open the password manager you want to move your logins into (Android Authority confirmed the flow working with Bitwarden).
- Choose the option to import or transfer passwords and passkeys. Supported apps surface this during setup or in their import section.
- Pick the source app and approve the transfer, authenticating with your device unlock or biometric when prompted.
- The credentials are pulled directly from Google Password Manager over the encrypted, app-to-app channel.
Exporting from Google Password Manager
The reverse direction works the same way. When a supported app requests credentials, Android coordinates the encrypted handoff and asks you to confirm. Because everything moves through CXP, your passkeys travel intact instead of being left behind.
Tip
Run the transfer over a stable connection and keep both apps updated. If the destination app does not appear as an option, it has not yet shipped Credential Exchange support, so check for an app update first.
The built-in safety net
Google added a guardrail so you cannot accidentally hand your vault to a sketchy app. The system will block exports to apps that do not meet its security standards, showing a message that reads "Export blocked for your protection." If you see that warning, it means the target app failed Google's checks, not that you did something wrong. Stick to well-known, reputable managers and you should not run into it.
Warning
Treat a credential transfer like a vault migration. Only initiate it from apps you trust, and verify you are importing into the correct manager before approving. Once the transfer completes, audit the destination vault to confirm everything arrived.
Why this matters
Passkeys were designed to replace passwords with phishing-resistant cryptographic logins, but their biggest practical weakness has been lock-in: if you could not move them, switching password managers meant abandoning them. Credential Exchange removes that friction. Because the standard is built on open FIDO specs, a passkey created on Android can later live in any compliant manager, including Apple's, which also implements CXP. You can now choose a manager based on features and trust rather than on which credentials you would be forced to leave behind.
Portability is one half of credential hygiene; the other is knowing when your logins have leaked in the first place. Our walkthrough on checking whether your data was breached covers the monitoring side.
Frequently asked questions
Is Credential Exchange more secure than a CSV export?
Far more. The transfer is end-to-end encrypted app-to-app and never writes an unencrypted file to disk, unlike CSV, which leaves every password in plain text in your Downloads folder.
Can I move passkeys, not just passwords?
Yes. That is the headline improvement. CSV could not represent passkeys, but the Credential Exchange Format carries them intact between managers.
Which apps support it?
Google Password Manager supports it, and 1Password, Bitwarden, and Dashlane have been adding support. If a manager does not appear as an option, update it first.
What does "Export blocked for your protection" mean?
It means the destination app failed Google's security checks. The block is a safety feature, not an error on your part. Use a reputable, well-known manager instead.
Bottom line
If you have been putting off a switch because exporting felt dangerous, the June 2026 update finally gives you a safe, standardized path. Update Google Play services to 26.21 or later, open your preferred manager, and let the encrypted handoff move both your passwords and your passkeys without ever exposing them in a file.
Sources & further reading
- androidauthority.com/google-password-manager-import-export-support-3673351/
- heise.de/en/news/Android-Google-simplifies-secure-transfer-of-passkeys-and-passwords-11316295.html
- fidoalliance.org/mobileidworld-google-developing-passkey-transfer-feature-for-android-password-manager/
- androidpolice.com/new-cxf-password-export/
- corbado.com/blog/credential-exchange-protocol-cxp-credential-exchange-format-cxf
