GitHub Announces Passkey Authentication Beta
Written by Kay Ewbank
Friday, 14 July 2023
GitHub has announced a public beta of passkey authentication on GitHub.com. The team says this will offer more flexibility in the ways that developers can authenticate to the platform.
Passkeys combine ease of use with strong, phishing-resistant authentication and, GitHub says, bring us a step closer to being able to avoid the use of passwords. FIDO (Fast IDentity Online), which set up a standard for passkeys, describes them as replacements for passwords that provide faster, easier, and more secure sign-ins to websites and apps across a user’s devices. Unlike passwords, passkeys are always strong and phishing-resistant.
The need to find an alternative to passwords comes from the statistic that passwords are the root cause of more than 80% of data breaches. GitHub has been working to find ways to ensure stronger account security, starting last year with 2FA requirements for code contributors on GitHub.com.
Passkeys on GitHub.com require user verification, meaning they count as two factors in one. One factor is something you are or know, such as your thumbprint, face, or knowledge of a PIN. The second factor is something you have, such as your physical security key or your device. This combination provides strong enough authentication for GitHub to be confident it's really you signing in.
GitHub says that existing security keys on an account can often be upgraded to become part of a passkey. If your security key is capable of verifying your identity (for example, Touch ID, Windows Hello, Android thumbprints, or PIN-locked or biometric hardware keys), then it’s eligible to be upgraded.
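The user-verification requirement and the per-site binding can be checked on the server side from the authenticator data that accompanies every passkey sign-in. The sketch below is an added example, not GitHub's code: it parses the fixed header defined by the W3C WebAuthn specification and rejects a tap-only security key and a response bound to a different site. The RP ID `github.com`, the lookalike domain, the function names and the sample bytes are assumptions constructed for illustration, and signature and challenge verification are left out.

```python
import hashlib
import struct

# Flag bits of the authenticator data "flags" byte (W3C WebAuthn).
FLAG_UP = 0x01  # user present: someone touched the authenticator
FLAG_UV = 0x04  # user verified: a biometric or PIN check succeeded


def make_auth_data(rp_id: str, flags: int, sign_count: int) -> bytes:
    """Build constructed sample data: rpIdHash(32) | flags(1) | signCount(4)."""
    rp_id_hash = hashlib.sha256(rp_id.encode()).digest()
    return rp_id_hash + struct.pack(">BI", flags, sign_count)


def parse_auth_data(auth_data: bytes) -> dict:
    """Parse the fixed 37-byte header of WebAuthn authenticator data."""
    if len(auth_data) < 37:
        raise ValueError("authenticator data must be at least 37 bytes")
    flags, sign_count = struct.unpack(">BI", auth_data[32:37])
    return {
        "rp_id_hash": auth_data[:32],
        "user_present": bool(flags & FLAG_UP),
        "user_verified": bool(flags & FLAG_UV),
        "sign_count": sign_count,
    }


def passkey_policy_failures(auth_data: bytes, expected_rp_id: str) -> list:
    """Return the reasons to reject; an empty list means the checks passed."""
    parsed = parse_auth_data(auth_data)
    failures = []
    # The authenticator hashes the site it was asked to sign in to, so a
    # response produced for another domain does not match our RP ID.
    if parsed["rp_id_hash"] != hashlib.sha256(expected_rp_id.encode()).digest():
        failures.append("rp_id_mismatch")
    if not parsed["user_present"]:
        failures.append("user_not_present")
    # Without UV the key only proves possession: one factor, not two.
    if not parsed["user_verified"]:
        failures.append("user_not_verified")
    return failures


if __name__ == "__main__":
    # Constructed samples; "github.com" as the RP ID is an assumption.
    print(passkey_policy_failures(make_auth_data("github.com", FLAG_UP | FLAG_UV, 7), "github.com"))
    print(passkey_policy_failures(make_auth_data("github.com", FLAG_UP, 8), "github.com"))
```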
Passkeys can be used across devices using cross-device authentication, which lets you use a passkey on your phone or tablet to sign in on your desktop, by verifying your phone’s presence. You can select a previously linked device or scan a QR code with your phone, complete the sign-in there, and be signed in on your desktop. Because your phone or tablet must be physically close to your laptop or desktop, cross-device authentication retains the phishing-resistant promise of FIDO.
Unlike SMS and email, passkeys are unique per website, so they cannot be used to track a user's activities across different sites.
GitHub's passkey beta is available to join now.