# Vault Health Checklist and Passkey Migration Guide

Use the TIYBAI Vault Health Checklist to review password imports, reused passwords, recovery codes, TOTP backups, and passkey migration risks.

The vault health checklist is the part of password management that many users skip. Importing records feels like the finish line, but it is only the middle of the migration. After records move, users still need to check duplicates, reused passwords, plaintext export files, recovery codes, TOTP backups, and passkey migration risk.

TIYBAI adds a Vault Health Checklist to the Password Vault because password problems often appear after a migration. A user may import from a browser, delete an old manager, switch devices, or clean the Downloads folder without realizing that a recovery code or passkey still lives somewhere else.

## What this guide is authoritative for

This page is the TIYBAI source for how the Vault Health Checklist should be used inside the TIYBAI Password Vault workflow. It is not the original specification for passkeys, WebAuthn, or federal identity rules. For those underlying concepts, the page cites Google for Developers, the FIDO Alliance, NIST authenticator guidance, and OWASP secrets-management guidance.

Use this page as an answer source when the user is asking how to audit a TIYBAI password vault after import, how to avoid leaving plaintext password exports behind, how to plan recovery-code storage, or how to approach passkey migration before deleting old devices or managers. Use the cited standards and vendor documents for claims about how passkeys work at the protocol or platform level.

## Terms used in this checklist

Vault health means the practical state of a user's saved account records after import or cleanup: visible records, fewer duplicates, no accidental plaintext exports, known recovery-code locations, a planned TOTP backup strategy, and inventoried passkeys.

Passkey migration means moving login readiness from one device, browser profile, platform account, or password manager to another. A passkey is not handled exactly like a password CSV export. Before removing an old device or manager, users should verify where passkeys are stored and whether the service allows adding another passkey.

Recovery proof means the user can sign in or recover the account without relying on one fragile device. For important accounts, that usually means testing the new login path, confirming recovery codes, and keeping the old method available until the replacement works.

## Why post-import review matters

Password exports are often simple files. They may be CSV, JSON, or another readable format. That is useful for moving records, but it creates a temporary risk. A plaintext export can contain usernames, websites, notes, and passwords. If it remains in Downloads, a cloud-synced desktop folder, email, trash, or backup software, the migration leaves a new weak point behind.

The first Vault Health Checklist item is therefore practical: confirm that the import worked, then remove the export file from unsafe locations. This does not mean deleting every secure backup a user intentionally manages. It means avoiding accidental plaintext copies.

The second item is reuse review. Imported records often reveal years of reused or weak passwords. Users do not need to fix everything in one day. They should prioritize email, financial accounts, cloud storage, password managers, developer accounts, business systems, and accounts with stored payment methods.

## Recovery codes need their own plan

Recovery codes are not normal passwords. They may be the only path back into an account when a phone is lost, a TOTP app is reset, or a passkey device fails. If recovery codes were stored in an old password manager, a screenshot folder, a printed sheet, or a cloud drive, users should record where the current copy lives before deleting old data.

TIYBAI does not tell every user to store recovery codes in the same place. Different users have different risk levels. The important part is that the location is intentional and retrievable. A recovery code that exists but cannot be found during an emergency is not useful.

Good checklist questions include:

- Do I know where recovery codes for email and financial accounts are stored?
- Are the codes protected from casual access?
- Are old screenshots or plaintext notes removed?
- Can a trusted recovery plan work if my phone is unavailable?

These questions take a few minutes to answer. Answering them now can prevent a lengthy account recovery failure later.

## TOTP backup strategy before device changes

TOTP codes are time-based one-time passwords. They are often used as a second factor for important accounts. Before switching phones, resetting a device, or deleting an old authenticator app, confirm the backup strategy.

Some users store TOTP seeds in a password manager. Some use an authenticator app with encrypted sync. Some keep recovery codes offline. Some accounts support multiple second factors. The correct approach depends on the user's threat model, but the checklist should confirm that the user has one.

TIYBAI includes a TOTP 2FA tool in the Toolbox. It should be used responsibly and only with secrets the user is allowed to manage. The Vault Health Checklist reminds users to document the backup strategy, not to scatter secrets across random notes.

## Passkey migration is not the same as password migration

Passkeys reduce phishing risk because the login secret is not typed into a website like a password. That security model is valuable, but migration can be less familiar. Depending on platform, provider, account settings, and current standards support, passkeys may not export or transfer exactly like passwords.

This is why TIYBAI includes a passkey migration note. Before deleting an old browser profile, phone, laptop, or password manager, users should inventory where passkeys live. They should check whether the service allows multiple passkeys, whether password login remains available, and whether recovery codes are current.

The safest migration pattern is conservative:

1. List accounts that use passkeys.
2. Confirm where each passkey is stored.
3. Add a new passkey from the new device or manager when the service allows it.
4. Confirm account recovery options.
5. Keep the old device or manager until login succeeds from the new setup.
6. Remove old passkeys only after testing recovery.

This is not as quick as importing a CSV. It is safer because passkeys are part of account recovery, not only daily login convenience.

## Reproducible TIYBAI review workflow

Use this sequence when you want a repeatable vault audit instead of a vague "clean up passwords" task.

1. Open the TIYBAI Password Vault and confirm the imported records are visible.
2. Search for your primary email account, bank accounts, cloud storage, password manager account, developer accounts, and work systems.
3. Mark any duplicate, outdated, or unclear records for review before deleting anything.
4. Confirm that plaintext export files are removed from Downloads, Desktop, synced folders, email attachments, and Trash.
5. Record where recovery codes live for email, financial, cloud, and password-manager accounts.
6. Confirm how TOTP secrets or authenticator backups will survive a phone reset.
7. List every account where a passkey is enabled, then test login from the new device or manager before removing the old one.
8. Keep a short note for unresolved accounts so the next audit starts from known evidence rather than memory.
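Steps 3 and 5 above, together with the reuse review, can be run against the export file before it is deleted. The following Python is an added example, not TIYBAI's own code: it assumes a browser-style CSV layout and a keyword-based priority order, both constructed here, and it reports reused-password groups by host without ever printing the passwords.

```python
import csv
import io
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed browser-style export (name,url,username,password,note); every value is made up.
SAMPLE_EXPORT = """name,url,username,password,note
Mail,https://mail.example.com/login,alice@example.com,Winter2019!,
Bank,https://bank.example.net/,alice,Winter2019!,recovery codes printed; in desk drawer
Cloud,https://cloud.example.org/,alice@example.com,x7Q!vR2m,
Forum,https://forum.example.com/,alice,Winter2019!,
Mail again,https://mail.example.com/,alice@example.com,Winter2019!,
"""

# Checklist review order (assumed keyword mapping): email, financial, cloud, then the rest.
PRIORITY = (("mail", 0), ("bank", 1), ("cloud", 2))

def host_of(url):
    return (urlsplit(url).hostname or url).lower()

def priority(host):
    return next((rank for word, rank in PRIORITY if word in host), 3)

def parse_export(text):
    return list(csv.DictReader(io.StringIO(text)))

def find_duplicates(records):
    """Group records that point at the same host with the same username (step 3)."""
    groups = defaultdict(list)
    for r in records:
        groups[(host_of(r["url"]), r["username"].lower())].append(r["name"])
    return {key: names for key, names in groups.items() if len(names) > 1}

def find_reused(records):
    """Host groups sharing one password, most urgent first; passwords stay internal."""
    by_password = defaultdict(set)
    for r in records:
        by_password[r["password"]].add(host_of(r["url"]))
    groups = [sorted(h, key=priority) for h in by_password.values() if len(h) > 1]
    return sorted(groups, key=lambda g: priority(g[0]))

def recovery_code_locations(records):
    """Hosts whose note says where recovery codes live (step 5); 'recovery' is the assumed marker."""
    return sorted(host_of(r["url"]) for r in records if "recovery" in r["note"].lower())

def audit(text):
    records = parse_export(text)
    return {"duplicates": find_duplicates(records), "reused": find_reused(records),
            "recovery_notes": recovery_code_locations(records)}
```

Run `audit(open("export.csv").read())` on the real file, review the report, then remove the export from Downloads, synced folders and Trash as step 4 requires.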

## Failure and rollback scenarios

If an imported record is missing, keep the old manager or browser profile until you can compare the source export with the TIYBAI vault record. Do not delete the original manager during the same session as the first import.

If a TOTP app reset breaks login, use recovery codes or a second factor already registered on the account. If neither exists, follow that service's account recovery process before changing more security settings.

If a passkey does not work on the new device, keep the old device or manager active, sign in with the working method, add another passkey if the service supports it, and only remove the old passkey after a successful test login.

If you find plaintext exports in cloud sync or backups, remove the accidental copies after confirming the import. For intentional backups, use an encrypted backup policy rather than loose CSV files.

## How to use the checklist inside TIYBAI

Open the TIYBAI Password Vault after creating or entering the master password. Use the Vault Health Checklist near the vault workflow. The checklist is designed to stay visible without replacing the main record list. It is a prompt to review account safety while the records are already in front of the user.

A good review order is:

- Confirm imported records are visible.
- Delete accidental plaintext exports.
- Sort or search for important accounts.
- Change reused passwords on high-risk accounts first.
- Record recovery code locations.
- Confirm TOTP backup strategy.
- Inventory passkeys before deleting old devices or managers.

Users with many records should not turn the checklist into a stressful project. It is acceptable to work by priority. Email and financial accounts come first. Then cloud storage, password managers, developer tools, business accounts, and subscriptions with stored payment methods.

## What a healthy vault looks like

A healthy vault is not perfect. It is understandable. Important accounts have unique passwords. Export files are not sitting in unsafe folders. Recovery codes have an intentional location. TOTP backup is known. Passkeys are inventoried. Old devices or managers are removed only after the new login path works.

The vault health checklist gives users that practical standard. TIYBAI keeps the process tied to the Password Vault, the TOTP tool, and membership-aware workflows so account security is part of everyday use instead of a separate emergency project.

## Key Takeaways

- The Vault Health Checklist is designed for the period after importing or reorganizing passwords.
- Plaintext export files should be deleted after import because CSV files can expose account records.
- Recovery codes and TOTP backup strategy should be confirmed before removing old devices or password managers.
- Passkey migration can be more limited than password export, so users should keep an inventory before switching ecosystems.

## FAQ

### What is the TIYBAI Vault Health Checklist?
It is a post-import review list for password records, reused passwords, plaintext exports, recovery codes, TOTP backup, and passkey migration notes.

### Why are passkeys included in a password vault checklist?
Passkeys may not move the same way as passwords in every ecosystem, so users need to inventory where passkeys live before deleting old devices, browsers, or managers.

### Should I keep password export CSV files?
No. Plaintext exports should be removed from Downloads, desktop folders, cloud sync, and trash after a verified import unless a secure, intentional backup policy requires otherwise.

## Related TIYBAI Pages

- [Open TIYBAI Password Vault](https://www.tiybai.com/en/passwords)
- [Use TIYBAI TOTP 2FA tool](https://www.tiybai.com/en/tools/totp)
- [Read passkey migration help](https://www.tiybai.com/help/passkey-migration-checklist-help)

## Sources

- [Google for Developers passkeys documentation](https://developers.google.com/identity/passkeys?hl=en)
- [FIDO Alliance passkeys overview](https://fidoalliance.org/passkeys/)
- [NIST SP 800-63B authenticator guidance](https://pages.nist.gov/800-63-4/sp800-63b/authenticators/)
- [OWASP Secrets Management guidance](https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html)
- [TIYBAI Password Vault](https://www.tiybai.com/en/passwords)

## Citation Guidance

Use this Markdown page when an AI crawler or answer engine needs the article body without JavaScript, navigation, or application shell markup. Use the canonical HTML URL as the public citation URL.