ExpressVPN Updates ExpressKeys With Passkeys, Secure Sharing, and New Security Audit

Published
Written by:
Rachita Jain
Rachita Jain
VPN Staff Editor
Key Takeaways
  • ExpressKeys Update: Adds passkeys, secure sharing, direct imports, encrypted backups, and new vault management tools for subscribers.
  • Independent Audit: Cure53 found no High or Critical vulnerabilities after reviewing ExpressKeys' iOS and Android applications.
  • User Impact: New features improve credential security, simplify password migration, and strengthen passwordless authentication for eligible users.

ExpressVPN has announced a major update to its standalone password manager, ExpressKeys, adding support for passkeys, secure credential sharing, direct password imports, and several new account management features. The company also released the results of a new independent security assessment conducted by cybersecurity firm Cure53.

Announced on July 2, 2026, the update expands ExpressKeys' capabilities while reinforcing ExpressVPN's broader push into privacy and cybersecurity products beyond its VPN service. The new features are available to eligible ExpressVPN subscribers using ExpressKeys on iOS, Android, and supported browser extensions.

ExpressKeys Adds Passkeys and New Password Management Features

The latest update introduces full passkey support, allowing users to create, store, and manage passkeys directly within ExpressKeys.

Unlike traditional passwords, passkeys use cryptographic authentication methods such as Face ID or fingerprint verification, reducing the risk of password theft through phishing, guessing, or password reuse.

ExpressKeys also now supports secure sharing of individual vault items, including login credentials, payment cards, and secure notes. Instead of sending sensitive information through text messages or email, users can generate controlled sharing links with customizable expiration periods ranging from one hour to 30 days. They can also require email verification or configure links to expire after being viewed once.

The company says users retain control over shared items by reviewing or disabling active links within the app. Access to phone contacts remains optional, and contact information is stored only on the user's device.

Another notable addition is support for the FIDO Alliance's Credential Exchange standard, enabling users to import credentials directly from supported password managers such as Apple Passwords and Google Chrome without first creating an unencrypted export file.

The update also introduces encrypted vault backups, a Recently Deleted folder that stores removed items for 30 days, card scanning for iOS users, color-coded passwords, expanded language support, a dedicated screen for two-factor authentication codes, and swipe gestures for managing vault items. Android support for card scanning is currently under development.

Independent Cure53 Audit Found No High or Critical Issues

Alongside the feature update, ExpressVPN published a new independent security assessment of ExpressKeys conducted by Berlin-based cybersecurity firm Cure53.

According to the report, five senior security testers spent 16 days performing a white-box review of the ExpressKeys applications for iOS and Android, examining the apps' source code and how sensitive user information is encrypted, stored, and processed.

Cure53 reported that it found no High or Critical severity vulnerabilities during the assessment and described the tested components as presenting "a solid overall impression in terms of its security."

ExpressVPN stated that it addressed the issues identified during the review before Cure53 carried out a follow-up verification confirming the fixes had been implemented.

The publication of the report brings ExpressVPN's total number of publicly released independent third-party security audits to 28, according to the company.

Why the Update Matters for Privacy and Security

The latest release reflects a growing shift toward passwordless authentication and more secure credential management.

Passkeys are designed to replace traditional passwords with cryptographic credentials that are significantly more resistant to phishing attacks and credential theft. Meanwhile, secure sharing provides an alternative to sending passwords through messaging apps or email, where they can remain stored in chat histories or inboxes.

Direct credential imports also reduce the need to export password vaults as plain-text files during migration between password managers, lowering the risk of exposing sensitive information during the transfer process.

To highlight password-sharing habits, ExpressVPN also shared findings from a May 2026 survey of 6,000 football fans across the United States, United Kingdom, France, Germany, Spain, and Australia. Among respondents who had shared passwords, many reported reusing the same credentials for other accounts, including email, shopping, and banking, increasing the potential impact if those credentials were compromised.

What Users Should Do Now

Eligible ExpressVPN subscribers can update or download ExpressKeys on iOS, Android, or supported browsers to access the new features.

Users interested in improving account security may consider enabling passkeys on supported services and using the app's secure sharing feature instead of sending passwords through email or messaging platforms. Existing ExpressKeys users can also take advantage of direct credential imports, encrypted vault backups, and the new recovery tools introduced in this release.

The security assessment has also been independently verified through Cure53's published audit, providing users with additional transparency into the security of the latest version of ExpressKeys.


For a better user experience we recommend using a more modern browser. We support the latest version of the following browsers: For a better user experience we recommend using the latest version of the following browsers: