GitHub moves the needle closer to a passwordless world with passkeys integration

According to the FIDO Alliance, passwords are the root cause of more than 80 percent of data breaches. To combat this, Github has introduced phishing-resistant passkey authentication for its users. Passkeys satisfy both password and 2FA requirements, allowing users to securely sign in to their GitHub account with just one step. This experience isn’t limited to users with 2FA enabled — all users can complete a sign-in using only their passkey.

Proponents say using a passkey provides better security than traditional authentication methods. It eliminates passwords or shared secrets from the login process, making it difficult for attackers to intercept passwords or use stolen credentials. It also creates a strong bond between the browser session and the user’s device, allowing login only from the device that authenticates to an application. Additionally, using a passkey ensures that the credential exchange can only happen between the device and the registered service provider, which prevents login to fake or phishing websites.

GitHub users can upgrade their eligible security keys to passkeys and register new passkeys using the Feature Preview tab on their account page. Eligible security keys are those that can verify user identity, such as Touch ID, Windows Hello, Android thumbprints, or PIN-locked or biometric hardware keys.

These new passkeys can be used across devices. Cross-device authentication lets users sign in to their laptop/desktop by verifying their phone or tablet’s presence. Requiring the phone or tablet to be physically close provides more phishing resistance.

GitHub passkeys can be synced across devices automatically, or users can opt to use unsynced keys. The passkey feature can also be disabled at any time. If a passkey is created and then disabled, it can still be used as a security key for 2FA.

The introduction of GitHub’s passwordless authentication method offers users a smoother and safer account experience with increased flexibility and dependability. Using passkeys is an important step towards achieving GitHub’s goal of passwordless authentication and helping all developers employ strong account security without sacrificing convenience.

According to Eduardo Azanza, CEO of Veridas: “It’s crucial to see organizations move towards a passwordless future. As we see the convergence of the digital and physical world, biometric verification is the only way to secure and protect users.”

“As well as the security benefits for GitHub users, biometrics drastically improve the user experience,” Azanza adds in the comment emailed to Biometric Update. “With biometric verification, users don’t have to remember dozens of passwords, reset them when they are forgotten, or go through double authentication steps. Biometrics will verify and authenticate users within seconds, not leaving the user frustrated, which would be the case if a password was involved.”

Article Topics

biometric authentication  |  biometrics  |  GitHub  |  passkeys  |  passwordless authentication