GitHub has introduced passkey authentication in its public beta, providing developers with increased flexibility when authenticating to the platform. By opting in to this feature, developers can upgrade their security keys to passkeys and use them in place of both passwords and 2FA authentication methods. This move by GitHub represents another step towards a passwordless future, following the company’s announcement of new 2FA requirements for all code contributors in May.
Passkeys are considered the modern alternative to passwords, offering higher levels of security and ease of use. Technology companies and enterprises are increasingly adopting passkeys to improve authentication security and reduce dependence on passwords, which are a major cause of data breaches. In May, Google began rolling out support for passkeys across all major platforms. Additionally, several tech giants announced their support for a common passwordless sign-in standard created by the FIDO Alliance and the World Wide Web Consortium.
Passwords have long been identified as the root cause of data breaches. The majority of security breaches are not the result of sophisticated zero-day attacks, but rather lower-cost attacks like social engineering, credential theft, or leakage. These types of attacks provide attackers with broad access to victim accounts and the resources associated with them. In fact, passwords are responsible for over 80% of data breaches, according to Hirsch Singhal, staff product manager at GitHub.
Passkeys improve upon traditional security keys by offering easier configuration and enhanced recoverability. They provide a secure, private, and easy-to-use method for protecting accounts while minimizing the risk of account lockouts. Passkeys bring us closer to achieving passwordless authentication, which aims to eradicate password-based breaches altogether.
Passkeys on GitHub require user verification, meaning they serve as two factors in one. This includes something the user is or knows (such as a thumbprint, face, or PIN) and something the user has (such as a physical security key or device). Passkeys can be used across devices by verifying the presence of a user’s phone. Some passkeys can also be synced across devices to prevent users from being locked out of their accounts in case of key loss.
Protecting developer accounts is crucial for securing the software supply chain. These accounts are frequently targeted for social engineering and account takeover attacks. Implementing passkeys significantly enhances the security and reliability of developer accounts without compromising access. Other 2FA methods like SMS and TOTP, as well as existing single-device security keys, often present access challenges. Passkeys prevent password theft and account takeover by eliminating the need for passwords.
GitHub’s introduction of passkey authentication in its public beta reflects the industry-wide effort to move towards a passwordless future. This shift aims to reduce the risks associated with password-based breaches and improve the overall security of user accounts. By providing developers with the option to upgrade their security keys to passkeys, GitHub is taking an important step in this direction. The increased flexibility and enhanced security offered by passkeys can benefit both developers and users alike, ensuring a more secure authentication process on the platform.
