Passkeys Come to GitHub in Public Beta

GitHub and passkeys

GitHub announced the availability of passkey authentication in public beta as a more seamless alternative to password and 2FA authentication.

“Passwords, which we all rely on, are the root cause of more than 80 percent of data breaches,” GitHub’s Hirsch Singhal explains. “We began helping all developers employ strong account security while not compromising their user experience with our 2FA initiative. Today, we are furthering this work by ensuring seamless and secure access on GitHub.com with the public beta of passkey authentication.”


GitHub announced in May 2022 that it would require all contributors to use 2FA authentication by the end of 2023, and it began rolling out this requirement this past May. I didn’t mention this in my report, but at that time, GitHub also began testing passkeys internally as an alternative to passwords and 2FA, and so that work is now available publicly to those who want to try it out early.

So why use passkeys instead of 2FA?

“Passkeys build on the work of traditional security keys by adding easier configuration and enhanced recoverability, giving you a secure, privacy-preserving, and easy-to-use method to protect your accounts while minimizing the risk of account lockouts,” Singhal says. “Unlike SMS and email, passkeys are unique per website, so they cannot be used to track a user’s activities across different sites. The best part is that passkeys bring us closer to realizing the vision of passwordless authentication—helping to eradicate password-based breaches altogether.”

“Passkeys on GitHub.com require user verification, meaning they count as two factors in one—something you are or know (your thumbprint, face, or knowledge of a PIN) and something you have (your physical security key or your device),” he continues. “Because of this strength of authentication, we don’t need your password to trust that it’s really you signing in. Thanks to expanded browser support, your browser’s autofill system can automatically suggest that you use your passkey to sign in, right from the login page. It’s a magical experience.”

As good as all that is, passkeys aren’t limited to one device: they can be used across all of your devices. And the GitHub passkey experience isn’t limited to users who have enabled 2FA: all GitHub users can now sign in with just their passkey.

GitHub users can check out the original blog post for instructions on how to use passkeys or upgrade a security key to a passkey. You can also learn more about GitHub passkeys on the GitHub Docs website.


Thurrott © 2024 Thurrott LLC