In an attempt to bolster the security of its developers’ accounts, GitHub has announced support for hardware security keys, which provide hardware-based two-factor authentication (2FA), in SSH Git operations.
By adding a physical security key to SSH operations, GitHub users can increase their accounts’ security and protection from things like account hijacking, accidental exposure, or malware, as GitHub security engineer Kevin Jones explains in a blog post published on May 10.
Security keys are portable dongles and are available from multiple vendors like YubiKey, Thetis Fido U2F Security Key, and Google Titan Security Keys.
GitHub experts say passwords are still important but are becoming less and less effective, as proven by never-ending password theft incidents. Attempts at solving this problem include password managers that also monitor for credential exposure online, biometrics, and security keys. But none of these are bulletproof, as the recent compromise of PasswordState in April demonstrated.
That’s the reason why GitHub wants to move away from passwords and use more secure authentication standards like 2FA.
For now, GitHub users can use passwords, personal access tokens (PATs), or SSH keys to access Git. But the company plans to remove support for passwords sometime this year.
“We recognize that passwords are convenient, but they are a consistent source of account security challenges,” Jones commented. “We believe passwords represent the present and past, but not the future. […] By removing password support for Git, as we already successfully did for our API, we will raise the baseline security hygiene for every user and organization, and for the resulting software supply chain.”
Users are advised to follow GitHub’s documentation to create a new key and add it to their account.
Users can use one security key for both web and SSH authentication.
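The key-creation step the article points to, as an added example of my own (not from the article, from GitHub's documentation, or from Kevin Jones's post): a POSIX shell script that first checks that the local OpenSSH supports FIDO-backed key types (ed25519-sk and ecdsa-sk, introduced in OpenSSH 8.2) and only then generates a key pair on the token. The key path, the key comment and the `setup` argument are assumptions; the script assumes a FIDO2 security key is plugged in when run with that argument.

```shell
#!/bin/sh
# Added example: create a security-key-backed SSH key for GitHub.
# Not GitHub's script; key path and comment below are assumptions.

# Extract "X.Y" from an `ssh -V` banner such as
# "OpenSSH_8.9p1 Ubuntu-3ubuntu0.1, OpenSSL 3.0.2 15 Mar 2022" -> "8.9"
openssh_version() {
  printf '%s\n' "$1" | sed -n 's/^OpenSSH_\([0-9][0-9]*\.[0-9][0-9]*\).*/\1/p'
}

# Succeed if version X.Y is at least 8.2, the first OpenSSH release
# that can generate and use ed25519-sk / ecdsa-sk keys.
supports_sk_keys() {
  major=${1%%.*}
  minor=${1#*.}
  if [ "$major" -gt 8 ]; then return 0; fi
  if [ "$major" -eq 8 ] && [ "$minor" -ge 2 ]; then return 0; fi
  return 1
}

setup_github_sk_key() {
  banner=$(ssh -V 2>&1)          # ssh prints its version on stderr
  ver=$(openssh_version "$banner")
  if [ -z "$ver" ] || ! supports_sk_keys "$ver"; then
    echo "Need OpenSSH 8.2 or newer for ed25519-sk keys (found: $banner)" >&2
    return 1
  fi

  key="$HOME/.ssh/id_ed25519_sk"   # assumed path; any name works
  # -t ed25519-sk: the private key is generated on the FIDO2 token and
  # never leaves it; the file on disk is only a handle that is useless
  # without the physical device. A touch on the key is required at
  # creation and on every later SSH operation. If the token rejects
  # ed25519 (older U2F-only devices), use -t ecdsa-sk instead.
  ssh-keygen -t ed25519-sk -C "github security key" -f "$key"

  echo "Public key to add under GitHub > Settings > SSH and GPG keys:"
  cat "$key.pub"

  # Verify: GitHub replies with a greeting and deliberately exits 1,
  # because it grants no shell access, so do not treat that as failure.
  ssh -i "$key" -T git@github.com || true
}

# Only touch the hardware key when explicitly asked to.
if [ "${1:-}" = "setup" ]; then
  setup_github_sk_key
fi
```

Run it as `sh setup_sk_key.sh setup` once the security key is connected; the version gate is there because an older client silently lacks the `-sk` key types and `ssh-keygen` would only print an unknown key type error.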