Covering Disruptive Technology Powering Business in The Digital Age

image
GitHub Introduces Passwordless Authentication
image

 

GitHub, the world’s largest software development collaboration platform, has announced the public beta of passkey authentication on GitHub.com. It offers developers more flexibility in the ways they can authenticate onto the platform. Passkeys combine ease of use with strong, phishing-resistant authentication and are a step closer in moving towards the vision of a passwordless future.

Hirsch Singhal, Staff Product Manager at GitHub, said: “Most security breaches are not the product of exotic zero-day attacks but rather involve lower-cost attacks like social engineering, credential theft or leakage and other avenues that provide attackers with a broad range of access to victim accounts and the resources they have access to. In fact, passwords, which we all rely on, are the root cause of more than 80% of data breaches. That’s why GitHub is committed to helping all developers employ strong account security while staying true to our promise of not compromising their user experience. We began this commitment with our 2FA initiative across GitHub. Today, we are furthering this work by ensuring seamless and secure access on GitHub.com with the public beta of passkey authentication.

“Passkeys build on the work of traditional security keys by adding easier configuration and enhanced recoverability, ensuring a private, and easy-to-use method to protect accounts while minimizing the risk of account lockouts. They bring us closer to realising the vision of passwordless authentication—helping to eradicate password-based breaches altogether,” he added.

Two Factors in One

Passkeys on GitHub.com require user verification, meaning they count as two factors in one—something users are or know (thumbprint, face or knowledge of a PIN) and something users have (physical security key or a device). Because of this strength of authentication, GitHub does not need a user’s password to trust that it is really the user signing in. Thanks to expanded browser support, the user’s browser’s autofill system can automatically suggest that the user is using the passkey to sign in, right from the login page.

Passkeys can be used on the devices they are created on as well as across devices. A new experience, known as Cross-Device Authentication, lets users use a passkey on their phone or tablet to sign in on their desktop, by verifying their phone’s presence. In addition to cross-device usage, many passkeys can be synced across user devices, ensuring they are never locked out of their account due to key loss.

Synchronisation with Other Devices

In addition to cross-device usage, many passkeys can be synced across devices, ensuring users are never locked out of their accounts due to key loss. Depending on the passkey provider, passkeys can be synced across devices automatically, so a user’s iCloud account will sync passkeys from iOS to macOS while Google Password Manager syncs across Android devices. Additionally, password managers like 1Password or Dashlane can sync passkeys across installations of their password managers across any device. Expanded sync support is a work in progress for OS and browser vendors, but the core sync engines are there now.

Not all passkeys, however, sync across devices. In user settings, GitHub shows a ‘synced’ label on the credentials that are reported as syncing. Depending on the user’s risk model, unsynced keys may be preferred—the choice is the user’s when it comes to choosing a preferred passkey setup.

Learn more about passkeys on GitHub in this blog.

(0)(0)

Archive