GitHub has become the latest prominent service to offer passkey support, letting users log in without a password.
For users who opt in, passkeys replace security keys and are used in place of both the password and the 2FA method.
Convenience and security
Passkeys are the latest passwordless technology and have already been adopted by prominent tech firms such as Apple, Google, and Microsoft. These, along with other tech giants, are board-level members of the FIDO Alliance, the cross-industry association that sets the technical standards for passkeys.
Other services offer passkey support too, such as eBay, PayPal and BestBuy. Although the total number of adopters is currently quite small, it seems that uptake is slowly growing, with GitHub being the latest to support their use.
Passkeys work by storing a private cryptographic key on your device, which, when combined with the public key of the service in question, allows you to log in to your account. All that is needed to authenticate your identity is whatever measure you use to lock your device, such as your fingerprint or face scan, or your PIN.
As well as improving convenience, passkeys are also claimed to be more secure because they are phishing resistant – no one can extract the keys from you in a social engineering campaign, as they are stored on the device in a zero-knowledge architecture; not even the user knows what they are.
GitHub also cites the FIDO Alliance's claim that passwords are the root cause of more than 80% of data breaches, so it is argued that switching to passkeys will drastically improve the security posture of users and organizations.
GitHub has taken various steps over the years to help protect users and itself from supply chain attacks, since the software available on the site is often propagated widely to numerous organizations.
In 2021, for instance, it removed the ability to authenticate Git operations with passwords alone, requiring token-based authentication such as that offered by security keys. And in May this year, it made 2FA mandatory for developer accounts.