DEV Community

vdelitz

Posted on • Originally published at corbado.com

Android 17 Passkeys Get Real Portability

Android 17 continues a quiet but important shift in passkeys: making them less fragile in real-world use. The release starts rolling out to Pixel devices in June 2026, with broader availability later, and it focuses on three things that developers actually care about: credential portability, theft resistance, and stronger high-security defaults.

The big story is not a new login UI. It is that Android 17 makes passkeys easier to move, harder to steal, and more credible as a long-term authentication baseline. That matters because passkeys have always had a perception problem: users like the convenience, but many still worry that creating one means getting trapped inside a single vendor ecosystem.

Credential Exchange fixes the lock-in problem

Android 17 adds support for the FIDO Alliance Credential Exchange standard through Google Play services 26.21. Concretely, that means users can move passwords and passkeys between Google Password Manager and third-party managers like 1Password, Bitwarden, and Dashlane.

The practical improvement is simple. Instead of exporting a CSV or JSON file and hoping sensitive data does not get left behind somewhere on disk, the transfer happens directly app-to-app and is end-to-end encrypted.

At a high level, the flow works like this:

  • The user starts from either import in the destination manager or export in Google Password Manager
  • The source and destination establish a secure channel
  • The user authenticates with biometrics
  • Credentials move directly without being written to an intermediate file

That is a meaningful upgrade for passkey portability on Android. It removes a major reason users hesitate to adopt passkeys in the first place.

There is also a broader ecosystem implication here. Apple introduced similar secure import/export in iOS 26, and Android 17 now mirrors that direction with open FIDO standards. A passkey starts looking less like a proprietary artifact and more like a portable user-controlled credential.

What developers need to implement

For credential provider developers, Android 17 turns migration into a platform capability instead of a custom workaround. The relevant integration point is the ProviderEventsManager family in androidx.credentials.

The split is straightforward:

| Role | API | What it does |
| --- | --- | --- |
| Importing provider | importCredentials | Launches provider selection and starts the transfer |
| Exporting provider | registerExport | Registers the app as a credential source |

A provider that wants to export also needs to declare a transfer activity in its manifest so the framework can route requests correctly. Under the hood, Android passes data through a content URI and includes security context such as CallingAppInfo, so the exporter can verify who is requesting the transfer. A credId is also used to validate the selected export entry.

The technical detail that matters most: the secure channel is negotiated per transfer using Diffie-Hellman key exchange, and the exported payload is formatted with Credential Exchange Format (CXF). This is not just a prettier export flow. It is a safer model for moving high-value credentials.
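The properties the post attributes to Credential Exchange (a Diffie-Hellman key negotiated per transfer, an exporter that checks CallingAppInfo and credId before releasing anything, no intermediate file) can be sketched in Go. This is an added illustration written for this article, not androidx code and not the FIDO Credential Exchange Protocol itself, which has its own key agreement and the real CXF schema; the type names, the field layout and the SHA-256-in-place-of-HKDF shortcut are all assumptions.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"errors"
)

// Item stands in for one CXF entry (illustrative fields); Secret is a constructed placeholder.
type Item struct{ CredID, RPID, Secret string }

// Caller models the security context the exporter receives (CallingAppInfo in the post).
type Caller struct{ Package, CertSHA256 string }

// TransferKey derives a per-transfer AES-GCM key from an ephemeral X25519 exchange; each side
// calls it with its own private key and the peer's public key. SHA-256 stands in for HKDF.
func TransferKey(priv *ecdh.PrivateKey, peer *ecdh.PublicKey) (cipher.AEAD, error) {
	shared, err := priv.ECDH(peer)
	if err != nil {
		return nil, err
	}
	key := sha256.Sum256(append([]byte("cxp-demo-v1|"), shared...))
	block, _ := aes.NewCipher(key[:]) // 32-byte key, so this cannot fail
	return cipher.NewGCM(block)
}

// Export is the source side: refuse unknown callers, require credId to name a selected entry,
// then encrypt that entry under a key that lives only for this transfer. Nothing hits disk.
func Export(trusted map[Caller]bool, entries []Item, c Caller, credID string, importerPub *ecdh.PublicKey) ([]byte, *ecdh.PublicKey, error) {
	if !trusted[c] {
		return nil, nil, errors.New("untrusted caller")
	}
	for _, it := range entries {
		if it.CredID == credID {
			priv, _ := ecdh.X25519().GenerateKey(rand.Reader) // fresh key pair per transfer
			gcm, err := TransferKey(priv, importerPub)
			if err != nil {
				return nil, nil, err
			}
			nonce := make([]byte, gcm.NonceSize())
			rand.Read(nonce)
			pt, _ := json.Marshal(it)
			return gcm.Seal(nonce, nonce, pt, nil), priv.PublicKey(), nil
		}
	}
	return nil, nil, errors.New("credId does not match an export entry")
}
```

The importing side mirrors this: it generates its own ephemeral key pair, hands the public half to Export, then calls TransferKey with its private key and the exporter's returned public key to open the payload.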

Android 17 also hardens the device itself

Passkeys are phishing-resistant by design, but their real security still depends on the device storing them. Android 17 addresses that with stronger theft protection.

Two changes stand out:

  1. Mark as lost in Find Hub now lets the owner lock the device with biometrics, which means even someone who knows the passcode cannot access the phone’s information or disable tracking.
  2. PIN brute-force throttling gets tighter, with fewer allowed guesses and longer delays between failed attempts.

That matters for a very specific threat model: a thief who has both the phone and an observed PIN. Android 17 narrows that gap and gives the credential store stronger protection in exactly the scenario people worry about most.

Advanced Protection keeps passkeys at the top tier

Android 17 also strengthens Advanced Protection mode, Google’s highest-security device profile. For authentication, the signal is consistent: FIDO2 credentials, whether passkeys or hardware security keys, remain the enrollment baseline, while passwords are not considered sufficient for this tier.

That is an important message for enterprise teams. Android is no longer treating passkeys as just a convenience feature. It is treating them as the security baseline for high-risk users and stronger account protection.

For adoption, the opportunity is obvious, but execution is still not automatic. Android fleets remain fragmented across OS versions, OEM variants, and Play services rollout timing. Corbado is a passkey observability and adoption platform for large B2C enterprises. One useful benchmark from the source material: VicRoads reports 80% mobile passkey activation across 5M+ users.

