GitHub shifts away from passwords with security key support for SSH Git operations

Support has been added to bolster defense against account compromise.

GitHub has announced support for security keys to prevent account compromise in SSH Git operations.

When you add a security key to SSH operations, you can use these devices to protect you and your account from accidental exposure, account hijacking, or malware, GitHub security engineer Kevin Jones said in a blog post on May 10. 

Security keys, including the YubiKey, Thetis Fido U2F Security Key, and Google Titan Security Keys, are physical, portable dongles that implement an additional layer of security to your online services and accounts. 

Strong passwords are still important but due to the prevalence of data leaks and cyberattacks, they are becoming less effective as a single security measure -- leading to the creation of password managers that also monitor for credential exposure online, biometrics, and security keys.  

GitHub, too, wants to move away from typical passwords and to more secure authentication standards. At present, users can now use a password, personal access token (PAT), or an SSH key to access Git -- but the company intends to remove support for passwords later this year. 

"We recognize that passwords are convenient, but they are a consistent source of account security challenges," Jones commented. "We believe passwords represent the present and past, but not the future. [...] By removing password support for Git, as we already successfully did for our API, we will raise the baseline security hygiene for every user and organization, and for the resulting software supply chain."

In order to make the transition, users need to log in and follow GitHub's documentation on how to create a new key and add it to their account, and users will find the process somewhat similar to how you would add an SSH key to an account in the past. The same security key can be used for both web and SSH authentication. 

Remote Git operations -- including push, fetch, and pull -- will require an additional key tap in an attempt to prevent malware from initiating requests on your behalf. However, if you are already locally authenticated, you can still perform operations such as branch and merge without the need to go through this step again. 

GitHub will also remove unused, inactive keys over time. 

The organization was one of the first to support FIDO Universal 2nd Factor (U2F) authentication. 

screenshot-2021-05-11-at-08-15-06.png

Previous and related coverage


Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0