SecurityBrief Australia - Technology news for CISOs & cybersecurity decision-makers
Australia
ExpressKeys adds passkeys & sharing in major update

ExpressKeys adds passkeys & sharing in major update

Fri, 3rd Jul 2026 (Today)
Joseph Gabriel Lagonsin
JOSEPH GABRIEL LAGONSIN News Editor

ExpressVPN has added passkey support, item sharing and recovery tools to its ExpressKeys password manager. The update is accompanied by a new Cure53 security audit that found no High or Critical severity issues.

The release is the largest set of additions since ExpressKeys became a standalone app. New features also include direct credential imports using the FIDO Credential Exchange standard, card scanning on iOS and a Recently Deleted folder that keeps removed items for 30 days.

Passkeys are now available across the app, allowing users to generate, store and manage passwordless sign-in credentials within ExpressKeys. The change reflects a wider industry shift away from conventional passwords, which remain vulnerable to poor user choices, reuse and phishing.

ExpressVPN linked the launch to research on password habits among football fans in six countries. In Australia, 63% of respondents said their passwords would be easy to guess from their football interests, while 17% said they had shared passwords with someone else.

Sharing controls

One new tool addresses a common consumer practice: sending logins, card details or secure notes to another person. ExpressKeys now lets users share individual vault items through a link, with controls over how long access stays active, whether the recipient must verify an email address and whether the link expires after a single view.

Users can set links to expire after one hour, one day, seven days, 14 days or 30 days. They can also review and revoke shared access from the original item.

The import feature is designed to make it easier to move passwords and passkeys from other services without first exporting them to a plain-text file. ExpressKeys supports transfers from Apple Passwords, Google Chrome and other password managers that work with the Credential Exchange format.

On iOS, the app can now scan physical credit and debit cards with a phone camera and store the details in the vault. Android support for that function is still in development.

The new Recently Deleted folder is meant to reduce the impact of accidental deletions by holding removed credentials for a limited period before permanent removal. ExpressVPN also added encrypted backups, a dedicated screen for two-factor authentication codes, swipe gestures and colour-coded password displays.

Audit findings

Cure53 carried out a white-box assessment of the ExpressKeys iOS and Android apps over 16 days. Five senior testers were given full access to the source code and reviewed areas including cryptographic architecture, authentication, autofill and the handling of sensitive data on devices.

Cure53 concluded that the tested scope presented "a solid overall impression in terms of its security."

The review identified five vulnerabilities and seven additional recommendations, according to ExpressVPN. It said those findings were addressed and that Cure53 retested the fixes.

The audit brings ExpressVPN's published total of independent third-party assessments to 28, which it says is more than any other VPN provider.

Password shift

The ExpressKeys update shows how password managers are adapting as passkeys gain wider backing from large platform and browser groups. Passkeys replace memorised strings with cryptographic credentials stored on a device, removing the need for users to create a password that can be guessed or reused.

That matters for consumer-facing products because weak password behaviour remains widespread. ExpressVPN's survey of football fans in the United States, United Kingdom, France, Germany, Spain and Australia found that many users still rely on personal interests when creating passwords, making them easier to predict.

ExpressKeys is positioned as part of a broader set of consumer security tools from ExpressVPN, alongside its VPN product, email routing service, AI offering and identity protection service in the United States. The password manager is available on iOS, Android and as a browser extension for Advanced and Pro subscribers.