GitHub has announced the public beta of passkey authentication, offering developers more flexibility in how they authenticate to the platform. Opting in lets developers upgrade security keys to passkeys and use them in place of both their passwords and 2FA authentication methods, the firm said. The move is GitHub’s latest step toward a passwordless future after it announced new 2FA requirements for all code contributors last May.
Passkeys are considered the modern alternative to passwords, and are generally more secure and easier to use. They are steadily being adopted by technology companies and enterprises to raise the authentication security bar and end the over-reliance on passwords, which remain a leading cause of data breaches. In May, Google began rolling out support for passkeys across Google Accounts on all major platforms. Last year, several tech giants announced support for a common passwordless sign-in standard created by the FIDO Alliance and the World Wide Web Consortium.
Passwords the root cause of data breaches
Most security breaches are not the result of zero-day attacks but rather lower-cost attacks like social engineering, credential theft, or leakage that provide attackers with a broad range of access to victim accounts and the resources they have access to, wrote Hirsch Singhal, staff product manager at GitHub, in a blog post. “In fact, passwords, which we all rely on, are the root cause of more than 80% of data breaches.”
Passkeys build on the work of traditional security keys by adding easier configuration and enhanced recoverability, giving you a secure, private, and easy-to-use method to protect your accounts while minimizing the risk of account lockouts, Singhal added. “The best part is that passkeys bring us closer to realizing the vision of passwordless authentication – helping to eradicate password-based breaches altogether,” he added.
Passkeys on GitHub require user verification, meaning they count as two factors in one, Singhal wrote – something you are or know (your thumbprint, face, or knowledge of a PIN) and something you have (your physical security key or your device). The passkeys can be used across devices by verifying a phone’s presence, while some can also be synced across devices to ensure users are never locked out of their account due to key loss, Singhal added.
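The "two factors in one" claim above rests on a concrete mechanism in the WebAuthn protocol that passkeys use: the relying party asks for `userVerification: "required"` when it issues the sign-in challenge, and the authenticator reports in the flags byte of the returned authenticator data whether the user was merely present (UP, a touch) or actually verified (UV, a PIN or biometric). The same byte carries the backup-eligible (BE) and backup-state (BS) bits that mark a synced passkey. The following is an added example, not code from GitHub or from Singhal's post, showing how a relying party builds the request options and enforces those bits when the assertion comes back; it also applies the WebAuthn sign-counter rule, which matters because synced passkeys commonly report a counter of zero. The relying-party ID `github.com`, the credential IDs and the authenticator data bytes are constructed for illustration, and the assertion signature check (over `authData || SHA-256(clientDataJSON)`) is deliberately left out so the block can focus on the flag checks.

```python
import hashlib
import os
import struct

# Bit positions in the WebAuthn authenticator data "flags" byte.
FLAG_UP = 0x01  # user present (a touch or tap)
FLAG_UV = 0x04  # user verified (PIN, fingerprint, face)
FLAG_BE = 0x08  # backup eligible: credential may be synced to other devices
FLAG_BS = 0x10  # backup state: credential is currently backed up / synced
FLAG_AT = 0x40  # attested credential data follows (registration only)
FLAG_ED = 0x80  # extension data follows


def request_options(rp_id, allowed_credential_ids):
    """Options a relying party hands to navigator.credentials.get().

    userVerification='required' tells the authenticator that a bare touch is
    not enough; it must also verify the user, which is what makes a passkey
    count as possession plus knowledge/inherence in a single ceremony.
    """
    return {
        "challenge": os.urandom(32),  # fresh per request; stored server-side
        "rpId": rp_id,
        "userVerification": "required",
        "allowCredentials": [
            {"type": "public-key", "id": cid} for cid in allowed_credential_ids
        ],
        "timeout": 60000,
    }


def parse_authenticator_data(auth_data):
    """Split the fixed 37-byte prefix: rpIdHash(32) | flags(1) | signCount(4)."""
    if len(auth_data) < 37:
        raise ValueError("authenticator data too short")
    flags = auth_data[32]
    (sign_count,) = struct.unpack(">I", auth_data[33:37])
    return {
        "rp_id_hash": auth_data[:32],
        "user_present": bool(flags & FLAG_UP),
        "user_verified": bool(flags & FLAG_UV),
        "backup_eligible": bool(flags & FLAG_BE),
        "backed_up": bool(flags & FLAG_BS),
        "sign_count": sign_count,
    }


def check_assertion(auth_data, rp_id, stored_sign_count):
    """Relying-party checks on an assertion's authenticator data.

    Returns "ok" or a short reason string. Signature verification is assumed
    to happen separately and is not part of this example.
    """
    parsed = parse_authenticator_data(auth_data)
    if parsed["rp_id_hash"] != hashlib.sha256(rp_id.encode()).digest():
        return "wrong-rp"  # assertion was made for a different site (phishing)
    if not parsed["user_present"]:
        return "no-user-presence"
    if not parsed["user_verified"]:
        # We asked for userVerification='required'; a UP-only response means
        # the authenticator only proved possession, i.e. a single factor.
        return "no-user-verification"
    # WebAuthn 7.2 step 21: if either counter is non-zero, the new value must
    # increase, otherwise the credential may have been cloned. Synced passkeys
    # often report 0 on every assertion, so a 0/0 pair is simply "unsupported".
    new_count = parsed["sign_count"]
    if (new_count != 0 or stored_sign_count != 0) and new_count <= stored_sign_count:
        return "counter-not-increasing"
    return "ok"


def make_auth_data(rp_id, flags, sign_count):
    """Construct a minimal authenticator data blob for testing (no attestation)."""
    return (
        hashlib.sha256(rp_id.encode()).digest()
        + bytes([flags])
        + struct.pack(">I", sign_count)
    )


if __name__ == "__main__":
    # Constructed example: a synced passkey, user verified, counter unsupported.
    good = make_auth_data("github.com", FLAG_UP | FLAG_UV | FLAG_BE | FLAG_BS, 0)
    print(check_assertion(good, "github.com", 0))
    # Constructed example: a touch-only response to a UV-required request.
    weak = make_auth_data("github.com", FLAG_UP, 0)
    print(check_assertion(weak, "github.com", 0))
```

The `backup_eligible` and `backed_up` fields are what let a relying party tell a device-bound security key from a synced passkey; a site that wants to treat the two differently (for example, to prompt for a backup method only when the credential is device-bound) reads them from the same flags byte rather than guessing from the authenticator model.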
Protecting developer accounts key to securing software supply chain
“Developer accounts are frequent targets for social engineering and account takeover (ATO), and protecting developers from these types of attacks is the first and most critical step toward securing the supply chain,” Singhal tells CSO. Passkeys offer the strongest mix of security and reliability and make developer accounts significantly more secure without compromising access, which remains an issue with other 2FA methods like SMS, TOTP, and existing single-device security keys, he says. “Enhanced security from passkeys prevents password theft and ATO by eliminating the need for passwords.”