GitHub announced today the introduction of passwordless authentication support in public beta, allowing users who opt-in to upgrade from security keys to passkeys.
Passkeys are associated with individual devices like computers, tablets, or smartphones and play a vital role in minimizing the likelihood of data breaches by protecting users against phishing attacks by thwarting credential theft and beach attempts.
They also enable logging into applications and online platforms using personal identification numbers (PINs) or biometric authentication methods, such as facial recognition or fingerprints.
By eliminating the need to remember and manage unique passwords for every app and website, they also vastly improve user experience and security.
GitHub's Staff Product Manager Hirsch Singhal said today that "Passkeys are now available in public beta. Opting in lets you upgrade security keys to passkeys, and use those in place of both your password and your 2FA method."
To activate passkeys on your account, click your profile photo in the top-right corner of any GitHub page. From there, open the 'Feature Preview' menu and click the 'Enable passkeys' option.
"The next time you sign in with [a] security key, we'll ask you if you want to upgrade it to a passkey, which will re-register it with your passkey provider," Singhal said.
"Because passkeys are privacy preserving, you might have to trigger your passkey a few times during that upgrade flow so we can make sure we're upgrading the right credential. Once you do, you're all set for a passwordless experience."
This is another step taken by GitHub to enhance software supply chain security by transitioning away from basic password-based authentication.
Today's announcement comes after GitHub made two-factor authentication (2FA) mandatory for all active developers using its platform starting March 13.
Previously, the code hosting platform gradually phased out account passwords for authenticating Git operations and introduced device verification via email.
In November 2020, GitHub disabled REST API password authentication and introduced FIDO2 security keys support to secure SSH Git operations in May 2021.
Over the years, GitHub bolstered its account security measures by implementing two-factor authentication and sign-in alerts, blocking compromised password usage, and adding WebAuthn support.
"We're excited to continue to provide more flexibility, reliability, and security in the ways you can authenticate to GitHub," Singhal added on Wednesday.
In May, Google also announced a passkey support rollout for Google Accounts across all its services and platforms to let users sign into their accounts without entering a password or using 2-Step Verification (2SV).
Last month, Microsoft expanded support for passkeys in Windows 11 by adding a built-in passkey manager for Windows Hello and making it more secure to log in using biometric authentication.
Comments
h_b_s - 10 months ago
Just another method of vendor lock in currently.
I'll do this when it's possible to use key services that aren't siloed that I can move between implementations seamlessly. Until then, over my dead body.
Also, the implementation that FIDO came up with is flawed anyway. It's not the least bit more secure than a unique randomized pass string from a competently implemented password manager, and the way many sites have been implementing passkeys entirely defeats the purpose (they're easily spoofed).