GitHub launches beta passwordless authentication
GitHub has announced the public beta of passkey authentication on GitHub.com, offering more flexibility in the ways that developers can authenticate onto the platform.
Passkeys combine ease of use with strong, phishing-resistant authentication, and are a step closer in moving towards the vision of a passwordless future.
"Most security breaches are not the product of exotic zero-day attacks but rather involve lower-cost attacks like social engineering, credential theft or leakage, and other avenues that provide attackers with a broad range of access to victim accounts and the resources they have access to," says Hirsch Singhal, Staff Product Manager at GitHub.
"In fact, passwords, which we all rely on, are the root cause of more than 80% of data breaches.That's why GitHub is committed to helping all developers employ strong account security while staying true to our promise of not compromising their user experience.
"We began this commitment with our 2FA initiative across GitHub. Today, we are furthering this work by ensuring seamless and secure access on GitHub.com with the public beta of passkey authentication," he says.
"Passkeys build on the work of traditional security keys by adding easier configuration and enhanced recoverability, ensuring a private, and easy-to-use method to protect accounts while minimising the risk of account lockouts.
"They bring us closer to realising the vision of passwordless authentication – helping to eradicate password-based breaches altogether."
Passkeys on GitHub.com require user verification, meaning they count as two factors in one – something users are or know (thumbprint, face, or knowledge of a PIN) and something users have (physical security key or a device). Because of this strength of authentication, GitHub doesn't need a user's password to trust that it's really the user signing in. Thanks to expanded browser support, the user's browser's autofill system can automatically suggest that the user is using the passkey to sign in, right from the login page.
Passkeys can be used on the devices they're created on as well as across devices. A new experience, known as Cross-Device Authentication, lets users use a passkey on their phone or tablet to sign in on their desktop, by verifying their phone's presence. In addition to cross-device usage, many passkeys can be synced across user devices, ensuring they are never locked out of their account due to key loss.
In addition to cross-device usage, many passkeys can be synced across devices, ensuring users are never locked out of their account due to key loss. Depending on the passkey provider, passkeys can be synced across devices automatically – so a user's iCloud account will sync passkeys from iOS to macOS, Google Password Manager syncs across Android devices, and password managers like 1Password or Dashlane can sync passkeys across installations of their password managers across any device. Expanded sync support is a work in progress for OS and browser vendors, but the core sync engines are there now.
Not all passkeys sync across devices – in user settings, GitHub shows a 'synced' label on the credentials that are reported as syncing. Depending on the user's risk model, unsynced keys may be preferred – the choice is the user's when it comes to choosing a preferred passkey setup.