In a blog post this week, GitHub’s Mike Hanley explained that beginning on August 13, GitHub stopped accepting account passwords when authenticating Git operations. The platform now requires people to use stronger authentication factors like personal access tokens, SSH keys, or OAuth or GitHub App installation tokens for all authenticated Git operations on GitHub.com. Hanley added that in addition to ditching passwords, GitHub has taken other measures like investing in verified devices, preventing the use of compromised passwords, supporting WebAuthn and more. GitHub announced the move in December. “If you have not done so already, please take this moment to enable 2FA for your GitHub account. The benefits of multifactor authentication are widely documented and protect against a wide range of attacks, such as phishing,” Hanley said.
“There are a number of options available for using 2FA on GitHub, including:
- Physical security keys, such as YubiKeys.
- Virtual security keys built-in to your personal devices, such as laptops and phones that support WebAuthn-enabled technologies, like Windows Hello or Face ID/Touch ID.
- Time-based One-Time Password (TOTP) authenticator apps.
- Short Message Service (SMS).”

Hanley added that GitHub was pushing users to take advantage of security keys or TOTPs instead of SMS, noting that it “does not provide the same level of protection and it is no longer recommended under NIST 800-63B.” According to Hanley, the strongest methods involve the WebAuthn secure authentication standard, some of which may even include physical security keys. “We are excited and optimistic about WebAuthn, which is why we have invested early and will continue to invest in it at GitHub,” Hanley said. Hanley went on to explain that once a user secures their account, they can also use a GPG key stored on their security key to digitally sign their git commits.

Mark Risher, senior director of product management for Google’s Identity and Security Platforms, told ZDNet that they were excited to see GitHub move beyond passwords and instead opt for strong authentication for secure sign in. Google has been one of the leading companies behind the effort to make passwords a thing of the past. “Passwords alone are simply no longer enough for sensitive and high-risk activities; they’re too difficult to manage and too easy to steal,” Risher said. “Strong authentication has become not just important but essential to better protecting our accounts, so GitHub’s move is a huge step in the right direction, especially as we look toward a future without passwords.”