GitHub Leverages Passkeys to Enhance User Security
Despite the public fascination with elaborate hacking methods in movie after movie, most security breaches don’t require Mission Impossible elite hacker teams. No good old social engineering and credential theft are the real threats. Password misuse accounts for over 80% of data breaches.
With this in mind, GitHub had previously demanded developers use two-factor authentication (2FA). Now GitHub has introduced passkey authentication, the next step up in authentication security, in a public beta launch.
Passkeys augment traditional security keys by simplifying the configuration process and bolstering recoverability. They provide a secure, privacy-conscious, and user-friendly method for account protection, simultaneously reducing the risk of account lockouts. Implementing passkeys also nudges GitHub closer to the objective of passwordless authentication, which would eliminate password-based breaches entirely.
Well, that’s the hope, anyway.
Passkeys use public key cryptography for security. While you may not be familiar with the term, passkey, it’s not new. It’s just a rebranding for WebAuthn/FIDO2 credentials. You may know them as discoverable credentials, or resident credentials.
If privacy is a concern, unlike SMS and email IDs, passkeys are unique. Thus, they cannot be used to track a user’s activities across sites or platforms.
Passkeys on GitHub.com have two factors authentication (2FA) built in. They combine something you are or know (your thumbprint, face, PIN) and something you have (your physical security key or your device) baked in. Because of this strength of authentication, you don’t need a password for authentication.
Passkeys are also now widely supported by browsers. This your browser’s autofill system will automatically suggest that you use your passkey to sign in, rather than the usual ID/password combination.
In a new feature known as cross-device authentication, passkeys can be utilized across all the user’s devices. The process involves verifying your phone, tablet, or security key to sign in on a desktop while maintaining the phishing-resistant Fast Identity Online (FIDO) protocol promise.
You can activate passkeys by going to the “Settings” sidebar in their GitHub account, clicking on the “Feature Preview” tab, and selecting “enable passkeys.” Following activation, users can upgrade compatible security keys to passkeys and register new passkeys. Most modern devices support passkeys out of the box, prompting the user to set one up during sign-in.
Once activated. you can add multiple passkeys, which can be synced across devices. That’s handy, if, like me, you’ve been known to lose your key.
Depending on the passkey provider, passkeys can be automatically synced across devices. With Apple, for example, you can use iCloud Keychain to sync passkeys from iOS to macOS for iCloud accounts.
However, not all passkeys sync across devices. For example, YubiKeys, which can contain up to 25 passkeys, are “hardware bound.” This makes them fundamentally more secure, but syncable passkeys are easier to recover if you lose your security key. You just need to get another key that works with the cloud syncing service to recover their key. In other words, you must understand exactly how your passkey technology works before you commit to using it with GitHub.
You don’t need to get a new key though. You upgrade your existing security keys to passkeys, provided the key can verify the user’s identity through Touch ID, Windows Hello, Android thumbprints, or PIN-locked or biometric hardware keys. This process involves re-registering the key with the passkey provider to ensure its discoverability and synchronization during authentication.
GitHub anticipates further refining its authentication methods in response to user feedback. The company encourages users to contribute their thoughts on the new passkey feature and refers them to its documentation for additional information.