ExpressKeys rolls out major upgrades and clears a new security audit
The biggest ExpressKeys update since its standalone launch adds full passkey support, controlled item sharing, direct credential imports, card scanning, and new recovery tools. It arrives alongside a new independent Cure53 security audit, taking ExpressVPN’s published third-party audit total to 28.
- Full passkey support is now live, letting you generate, store, and manage passwordless credentials directly in your vault.
- You can share individual vault items, including logins, cards, and secure notes, through controlled links with optional email verification and one-time viewing.
- Direct imports through the FIDO Credential Exchange standard make it easier to move credentials from Apple Passwords, Google Chrome, and other major password managers.
- The iOS app can now scan physical credit and debit cards using your phone camera, with Android support in development.
- A Recently Deleted folder gives you 30 days to recover items removed by mistake.
- A new Cure53 assessment found no High or Critical severity issues and brings ExpressVPN’s published independent audit count to 28, more than any other VPN provider.
ExpressKeys is rolling out its biggest collection of new features since becoming a standalone app earlier this year. The update is designed to make it easier to move beyond traditional passwords, transfer an existing vault, share sensitive information with greater control, and recover items deleted by mistake.
Alongside the new features, Cure53 has completed an independent white-box security assessment of the ExpressKeys iOS and Android apps. Five senior testers reviewed the apps and their underlying architecture over 16 days, with full access to the source code. The assessment found no High or Critical severity issues, and Cure53 retested and verified the fixes ExpressKeys made in response to its findings. See the full report on Cure53's website.
The report brings ExpressVPN’s published independent third-party audit total to 28, more than any other VPN provider. More on the full findings below. First, here’s what’s new in ExpressKeys.
Full passkey support
The industry is gradually moving away from traditional passwords, and ExpressKeys is built for what comes next. You can now generate, store, and manage passkeys directly within the ExpressKeys apps.

Passkeys replace text passwords with cryptographic credentials, removing the need to create another memorable string that could be guessed, phished, or reused
That matters because memorable passwords are often built from personal interests. As an official supporter of the FIFA World Cup 2026™ in the U.S., Canada, and Europe, ExpressVPN recently surveyed football fans across six countries about their password habits.
In the U.S., 73% of soccer fans said their passwords would be easy to guess from their football interests, rising to 80.4% among fans aged 30 to 45. Comparable shares said the same in Australia at 63%, the UK and France at 56%, Germany at 53%, and Spain at 46%.
A passkey does not contain a club name, player nickname, shirt number, or tournament year for someone else to work out. Instead, you approve a sign-in using a cryptographic credential securely stored on your device.
Share items securely, on your terms
Sometimes another person genuinely needs access to a login, payment detail, or secure note. Sending that information through an ordinary text message or email can leave it sitting in a chat history or inbox long after it is needed.
ExpressKeys now lets you share an individual vault item through a controlled link. You choose how long the link remains active, whether the recipient must verify their email address, and whether it expires after a single view.

The controls include:
- Link expiry: Choose between one hour, one day, seven days, 14 days, or 30 days. Once the selected period ends, the link stops working.
- Access controls: Allow anyone with the link to open it, or restrict access to people invited by email. Invited recipients must verify their email address before viewing the item.
- One-time view: Turn on “can only be viewed once” and the link expires as soon as the recipient opens it, regardless of the original time limit.
- Optional contacts access: You can give ExpressKeys access to your contacts to make inviting people faster. That information remains on your device and is not stored by ExpressKeys.
Shared access can be reviewed and revoked from the original item, so you don’t need to search through a separate menu to see what you have shared.
Direct imports via the Credential Exchange standard
Switching password managers has traditionally meant exporting an entire vault into a file, checking whether the formatting is compatible, and then importing it into the new service. Depending on the provider and format, that process can leave sensitive credentials temporarily stored in an unencrypted file.
The FIDO Alliance, the industry group behind passkeys and other modern authentication standards, developed Credential Exchange to provide a more direct way to transfer passwords and passkeys between supported providers.

ExpressKeys is among the first password managers to support the new format. Users can transfer supported vault items from Apple Passwords, Google Chrome, and other major password managers without first creating a plain-text export on their device.
Scan card details with your camera
Typing sixteen digits, an expiration date, and a CVV code into a mobile device is tedious and prone to errors. Manual data entry is a relic of early mobile design, and it often discourages users from actually storing their financial information securely.

ExpressKeys is one of the first password managers to let iOS users rely on their phone’s camera to securely scan credit and debit cards. You simply point the camera at the physical card, and the app parses the text to drop the payment details directly into your vault. It completely automates the onboarding process, offering a level of convenience that removes the friction from managing financial data.
A safety net for deleted items
Accidentally deleting a login used to mean immediate damage control: locked out of an account, hunting for a recovery email, hoping the site's reset flow works. It was a disproportionate consequence for a careless swipe.

The new Recently Deleted folder fixes this. It acts as a recovery bin by holding your trashed items for 30 days, giving you a clear window to restore a credential before it is permanently wiped from the database. It's a small change that removes a significant source of anxiety from day-to-day vault management.
Everyday vault improvements
In addition to the major feature rollouts, ExpressKeys is shipping several quality-of-life updates to make navigating your vault faster and more intuitive:
- Color-coded passwords: Letters, numbers, and symbols are now visually distinct to drastically improve password readability.
- Encrypted backups: Export your entire vault as a secure, encrypted ZIP file and restore it whenever needed.
- Expanded localization: The app interface is now fully translated into multiple languages, allowing users worldwide to manage their vaults natively.
- Dedicated 2FA screen: A new, dedicated authenticator tab makes it faster to find your one-time codes.
- Swipe gestures: Quickly manage or delete vault entries with a single swipe across your screen.
Inside the new Cure53 security assessment
Cure53 spent 16 days conducting a white-box review of the ExpressKeys Android and iOS apps, with five senior testers given full access to the source code.
The assessment covered the cryptographic architecture, authentication and autofill systems, and how sensitive information is stored and transmitted on the device.
Cure53 concluded that the tested scope presented “a solid overall impression in terms of its security,” with no High or Critical severity vulnerabilities identified.
The assessment raised five vulnerabilities and seven additional recommendations. The ExpressKeys team addressed the findings, and Cure53 formally retested and verified the fixes that have shipped.
The report takes ExpressVPN’s published independent third-party audit count to 28, more than any other VPN provider. The full ExpressKeys report is available alongside our wider audit history and ISO certifications on the ExpressVPN Trust Center.
Part of the wider ExpressVPN security ecosystem
ExpressKeys is designed to provide a dedicated home for passwords, passkeys, payment information, secure notes, and two-factor authentication codes.
It sits within the broader ExpressVPN security ecosystem, alongside ExpressVPN for secure networking, ExpressMailGuard for private email routing, ExpressAI for private-by-design AI, and Identity Defender for identity protection in the U.S.
ExpressKeys is available today on iOS 18 or above, Android 13 or above, and as a browser extension for Advanced and Pro subscribers.
Survey methodology
The research was commissioned by ExpressVPN in May 2026 and conducted through online market research provider Pollfish. It surveyed 1,000 football fans in each of six markets: the United States, United Kingdom, France, Germany, Spain, and Australia.
ExpressVPN is an official supporter of the FIFA World Cup 2026™.
Take the first step to protect yourself online. Try ExpressVPN risk-free.
Get ExpressVPN