GitHub announces passwordless authentication trial

The trial can be considered a milestone in the long demise of passwords

GitHub announced yesterday the introduction of passwordless authentication support in public beta. Users who opt in to the beta will be able to upgrade from security keys to passkeys.

In a blog post, GitHub's Staff Product Manager Hirsch Singhal explained how the majority of security breaches originate not from zero-day exploits or complex hacking but from rather more mundane avenues such as social engineering and credential theft. Passwords are the root cause of more than 80% of breaches.

As GitHub seeks to implement the strongest possible account security without compromising the developer community experience, that community can now access GitHub resources with passkey authentication.

The GitHub announcement is another milestone in the slow decline of passwords as a method of authentication. Nobody likes passwords. Users have to remember multiple, complex passwords, and this assumes that they use different passwords for different applications. The shortcomings of passwords mean that 2FA via SMS and OTP messages has become standard, but these, whilst an improvement on tokens and physical 2FA, are still vulnerable to phishing or man-in-the-middle type attacks.

Passkeys use biometric data as one part of the key, with the corresponding part being stored on the hardware device and never leaving it, so it can't be intercepted. The user experience is drastically improved by no longer having to remember and key in a long, multicharacter password.

Passkeys are unique to websites, so crucially, they can't be used to track users across multiple sites. Key members of the FIDO Alliance, Apple, Google and Microsoft, have all improved their support for passkeys this year. Google announced a passkey support rollout for Google Accounts across all its services and platforms in May, and Microsoft has also enhanced its support for passkeys in Windows 11 by adding a passkey manager into Windows Hello. If you have an up-to-date iPhone or Android device, you're already using them.

GitHub began phasing out passwords for authenticating Git operations two years ago, and this is the latest step.

"We're excited to continue to provide more flexibility, reliability, and security in the ways you can authenticate to GitHub," Singhal added.