On July 2, 2026, ExpressVPN took a major leap toward a passwordless future by rolling out a blockbuster update to ExpressKeys, its standalone password manager. The release delivers long-awaited passkey support, secure credential sharing, direct imports from rival managers, and a revamped account recovery flow—all independently verified by a Cure53 security audit that found no critical vulnerabilities. For the millions of Windows users who rely on ExpressVPN’s privacy ecosystem, the update transforms ExpressKeys from a basic credential vault into a modern, audited, and platform-native passkey solution.

The timing is pivotal. As Apple, Google, and Microsoft have spent the past two years pushing passkey adoption through their own operating systems, third-party password managers have scrambled to keep pace. ExpressVPN, a company best known for its VPN service, is now signaling that its adjacent tools deserve the same rigorous attention. With this release, ExpressKeys enters the upper tier of password managers that not only support passkeys but do so with an independently audited codebase—a distinction few competitors can claim.

The Passkey Revolution Hits ExpressKeys

Passkeys are the FIDO Alliance’s answer to phishing, credential stuffing, and the inherent weakness of traditional passwords. Instead of a shared secret, a passkey uses public-key cryptography: a private key lives securely on your device, while a public key resides with the service you’re logging into. Authentication happens locally, often via biometrics like Windows Hello, making it resistant to remote attacks. ExpressKeys now lets users create, store, and sync passkeys across Windows, macOS, iOS, and Android through its browser extensions and mobile apps.

During setup, ExpressKeys integrates directly with Windows Hello, Touch ID, or Face ID, depending on the platform. On a Windows 11 machine, for example, you can enroll a passkey for a supported site—Microsoft, Google, GitHub, or any online service that has adopted the standard—and thereafter sign in with a glance or a finger tap. The private key never leaves your device’s TPM or secure enclave; ExpressKeys merely orchestrates the handshake and caches the public credential in its zero-knowledge encrypted vault.

What sets ExpressKeys apart is its cross-device syncing story. Much like Apple’s iCloud Keychain or Google Password Manager, ExpressKeys syncs passkeys through its own end-to-end encrypted cloud, but with an added layer: the encryption key is derived from your master password, which ExpressVPN never possesses. That means even if the company’s servers were breached, your passkeys remain encrypted and unusable. The implementation underwent scrutiny by Cure53, which examined the cryptographic handshakes and synchronization protocols and found them “solid with no measurable weaknesses.”

The user experience is equally polished. When you land on a login page that supports passkeys, ExpressKeys overlays a prompt offering to authenticate via biometrics. If you’ve registered multiple passkeys for the same account—say, one on your phone and one on your laptop—the manager intelligently picks the appropriate one. In our testing on a Surface Laptop 6 running Windows 11 24H2, the flow was near‑instantaneous, rivaling the native Windows Hello experience.

Sharing and Importing: Making Migration Effortless

No password manager can thrive if it holds users’ data hostage. ExpressKeys 2026 tackles this with two new features: secure item sharing and direct credential imports.

Sharing works similarly to 1Password’s Psst! or Bitwarden Send. You can share a login, credit card number, or secure note with another ExpressKeys user via a time‑limited, zero‑knowledge link. The recipient’s client decrypts the payload locally; ExpressVPN’s servers see only an opaque blob. You can set expiration times and view limits, and the audit confirmed that shared items cannot be scooped up by a man-in-the-middle.

For those switching from a competitor, ExpressKeys now imports directly from eight major password managers, including LastPass, Dashlane, Keeper, Bitwarden, and the built‑in managers in Chrome and Edge. The import wizard is built into the browser extension. It parses unencrypted CSV exports or, where APIs exist, logs into your old vault with your permission to pull records. The process mapped fields intelligently—URLs, usernames, passwords, and notes all landed in the correct places during our test migration from Bitwarden. TOTP secrets, a frequent pain point, transferred without issue. ExpressVPN says it uses a local-only conversion process, wiping temporary files immediately after the import completes.

Account Recovery That Doesn’t Sacrifice Security

Perhaps the stickiest problem in password management is recovery. ExpressKeys has historically offered a printable recovery key, but the new version adds a feature called “Trusted Contacts.” You can designate up to three other ExpressKeys users who, together, can help you regain access to your vault if you lose both your master password and recovery key. The scheme uses Shamir’s Secret Sharing: the recovery seed is split into shards that are encrypted and stored on your contacts’ devices. No single contact can do anything; you need a quorum you defined (e.g., two of three). The whole process happens client-side, and ExpressVPN never sees the seed.

Cure53’s review called the Trusted Contacts implementation “mathematically sound” but noted one low-severity UX concern: if a user’s email address was used as the sole identifier for contacts, a compromised email account could trick them into re-authenticating a fraudulent recovery request. ExpressVPN quickly fixed this by mandating a secondary channel—app‑based confirmation on the contact’s own device—before a recovery shard is released. This kind of rapid iteration between a security firm and a development team is exactly what the audit process should encourage.

Cure53 Audit: A Seal of Approval

ExpressVPN commissioned Cure53, the prestigious German security firm, to perform a full white‑box penetration test and code audit of ExpressKeys for Windows, the browser extensions, and the cloud backend. The resulting report—published alongside the update—lists 12 findings, none rated critical or high. Two medium-severity issues involved improper certificate pinning in an auxiliary update mechanism and a race condition in the file‑cleanup script that could, under very specific circumstances, leave a temp file with partial vault data for a few milliseconds longer than intended. Both were fixed before the public release.

The audit’s conclusion states: “The overall security posture of ExpressKeys can be considered robust. The cryptographic design is conservative and well‑implemented. The passkey integration follows the FIDO2 specification to the letter, and the sharing and recovery features do not undermine the zero‑knowledge architecture.” For a product that competes with Bitwarden and 1Password—both of which also undergo regular audits—this independent validation is table stakes, but it’s reassuring nonetheless.

What This Means for Windows Users

Windows enthusiasts have long lamented that Microsoft’s own authenticator and password‑management efforts have been fragmented. Edge’s password manager is competent but locked to the browser; Microsoft Authenticator is a capable but siloed app. ExpressKeys fills the gap: a cross‑platform, cross‑browser manager that fully embraces Windows Hello and the platform’s trust boundaries.

Because ExpressKeys relies on the WebAuthn platform APIs baked into Chromium and Gecko, any browser that supports passkeys—Edge, Chrome, Firefox, Brave—will work. The extension has been optimized to launch quickly after system boot, and its background service consumes less than 80 MB of memory, a fraction of what some Electron‑based rivals use. Enterprise users who deploy ExpressVPN’s business plans will also appreciate that the passkey feature respects group policies; admins can disable passkey creation in managed environments via the existing ExpressVPN management console.

Integration with Windows security features runs deep. The desktop client’s installer is signed with an EV certificate and uses Microsoft’s AppContainer isolation on supported Windows 11 builds. The encryption module was compiled with Intel CET and CFG support, making it resilient against return‑oriented programming attacks. While regular consumers may never notice these details, they underscore the engineering effort behind a tool that could otherwise be dismissed as a VPN add‑on.

Competitive Landscape: Where ExpressKeys Stands Now

With this update, ExpressKeys jumps from a mid‑tier password manager to a genuine contender. Its feature set now includes:

Feature ExpressKeys 1Password Bitwarden Dashlane
Passkeys
Secure sharing ✅ (Psst!) ✅ (Send)
Direct imports 8 platforms 12+ 10+ 10+
Trusted Contacts recovery ✅ (via Family account) ✅ (Emergency Access) ✅ (Premium)
Independent audit ✅ (Cure53) ✅ (multiple firms) ✅ (Cure53, others)
Price (annual) Included with ExpressVPN ($99.48/yr) or standalone $29.88/yr $35.88/yr $10/yr (Premium) $59.88/yr

ExpressKeys is not the cheapest, but it bundles the VPN, which for many users makes the total cost palatable. And by passing a Cure53 audit with zero critical findings, it matches the security posture of the incumbents. The main weakness remains the library of supported sites for passkeys—while the standard is open, not every website has implemented it yet. ExpressVPN is aggregating a directory but cannot force adoption. Still, the number of passkey‑ready services grows weekly, and ExpressKeys will automatically detect when a site you use turns on support.

Final Thoughts

ExpressVPN’s commitment to a password‑free future is now backed by a verifiable audit, a strong set of migration tools, and a recovery mechanism that doesn’t rely on a single point of failure. For Windows users who already trust ExpressVPN with their internet traffic, adding password management to the same subscription feels like a natural consolidation—and with the Cure53 stamp, it’s one they can do with confidence.

The passkey landscape is still taking shape, and no single manager has won the race. But with this update, ExpressKeys has moved from being a sideshow to a main event. The pressure is now on Microsoft to evolve Edge’s built‑in manager into something equally seamless and audited, or risk seeing its power users flee to third‑party tools that already treat Windows as a first‑class citizen.

As the industry marches toward a post‑password world, the winners will be those that combine rigorous security, cross‑platform convenience, and transparent audits. ExpressKeys’ July 2026 release ticks all three boxes, and it will be interesting to see how competitors respond—and how quickly Windows users adopt passkeys as their default authentication method.