GitHub has taken another step toward ditching passwords by requiring token-based authentication for its command line interface, third-party desktop apps, and other external services that directly access repositories being hosted on its platform.
The company announced its plan to leave passwords behind in December 2020; it finally made the switch on Aug. 13. GitHub says the affected services will now have to be authenticated using personal access tokens, SSH keys, OAuth tokens, or GitHub App installation tokens. (Its first-party apps are unaffected by the change.)
GitHub isn’t the only company looking to replace passwords. Google’s been trying to ditch password-based authentication since 2013, and Microsoft’s pushed for other security mechanisms in Windows 10, too. Many others have at least encouraged their users to adopt multi-factor authentication instead of just using passwords.
Why? GitHub explained in July 2020 that it prefers tokens because they are:
- Unique – Tokens are specific to GitHub and can be generated per use or per device.
- Revocable – Tokens can be individually revoked at any time without needing to update unaffected credentials.
- Limited – Tokens can be narrowly scoped to allow only the access necessary for the use case.
- Random – Tokens are not subject to the types of dictionary or brute-force attempts that simpler passwords, which you need to remember or enter regularly, might be.
GitHub also announced on Aug. 16 that it partnered with Yubico to allow commits—snapshots of a repository at a specific point in time—to be signed using a physical security key such as the YubiKey, and to create a step-by-step guide to that process:
The companies worked together on some more GitHub-branded YubiKey security keys that will be available via the GitHub Shop until supplies run out. Both the YubiKey 5 NFC and YubiKey 5C NFC are still in stock at time of writing.