GitHub Prepares to Move Beyond Passwords

GitHub Passwords
Share It On:

13th May 2021, Kathmandu

Github, a platform that provides internet hosting for software development and distributed version control, uses Git over SSH as supporting security keys.

Kevin Jones, the Github security engineer, said that this is the next step to increasing security and usability. To secure git operations and to avoid misery when private keys accidentally get lost or pilfered or when malware tries to initiate requests without user approval which is why portable FIDO2 fobs are used for SSH authentication.

YubiKey, Thetis Fido U2F Security Key, and Google Titan Security Keys are easy to cart around between machines, connecting via USB, NFC, or Bluetooth. They provide an alternative to the one-time passwords provided by applications or sent via SMS so, SSH codes sent via text can be and have been intercepted.

The key keeps its secrets tucked away and out of reach; therefore, much of the data on a security key is protected from external access and modification. Those on-computer private keys are simply a reference to the physical security key, meaning they’re useless to anybody who doesn’t have the actual device in hand.

One of the factors in multi-factor authentication (MFA) is keys. Users should safeguard the devices just like any other credential. You can leave it plugged in if you’re the only one who can get at your security key. Neither malware nor accidental private-key exposure will cause any harm. Using SSH with a security key means none of the sensitive information ever leaves the physical security key device.

Existing Security Keys Can Still Be Used for Git

Users can create a public- and private key pair, but secret bits are generated and stored in the security key where public parts are stored on users’ machines like any other SSH public key.

An action that indicates “user presence” that is security key requires you to perform a gesture such as tapping to let it know you’re about to use the device to authenticate. Users can also utilize the same security key for both web and SSH authentication, given that they’re not limited to a single application and eliminates the use of 2FA when authenticating to Git.

Yet check all the authentication boxes: a strong password, enrolling in two-factor authentication, and setting up account recovery mechanisms.

(Almost) the Same SSH Keys You Already Love

Users are still able to password-protect their keys and require a security key. Previously an RSA or ed25519 key was used mostly, whereas now they have the option of using two additional key types: ecdsa-sk and ed25519-sk, where the “sk” means “security key.”

A series of steps in Github’s Documentation leads users to create and add a key that’s somewhat similar to how it’s been done before. Users can remove previously registered SSH keys and stick to the SSH keys created by the security keys as long as the only person pulling Git data keeps that security key good and safe.

Stick a Fork in Passwords: They’re Done

Password security has always been a weak spot for everyone because they always can’t seem to remember it or use it right. This new SSH security leads to a new password-less future.

Github declared that from august 13, the preceding two weeks would be used as a test period in this brave new world of no-passwords-please, where token-based authentication will be required for all authenticated API operations GitHub.com. As a result, passwords will no longer be supported for Git operations starting later this year.

As most Github users are technical, it is said that it won’t be much difficult for them to understand how the tokens and keys work, yet it may be tough as they may not want to use a more secure access method.


Share It On:

Recent Posts

Liberty Energy Rights Shares Offering: Eligibility, Application Process, and Future Plans

Liberty Energy Rights Shares Offering: Eligibility, Application Process, and Future

Share It On:22nd November 2024, Kathmandu Liberty Energy Company Limited is gearing up to issue rights shares starting December 1,

Asha Laghubitta’s 8th AGM 2024: Key Decisions and Future Plans

Asha Laghubitta’s 8th AGM 2024: Key Decisions and Future Plans

Share It On:22nd November 2024, Kathmandu Asha Laghubitta Bittiya Sanstha is holding its 8th Annual General Meeting (AGM) today, November

6th Asian Population Conference 2024 in Nepal: Advancing Sexual and Reproductive Health Policies

6th Asian Population Conference 2024 in Nepal: Advancing Sexual and

Share It On: 21st November, Kathmandu Nepal is set to host the 6th Asian Population Conference from November 27 to

Kumari Bank Promoter Share Sale: Eligibility, Application Process, and Price

Kumari Bank Promoter Share Sale: Eligibility, Application Process, and Price

Share It On:21st November, Kathmandu Kumari Bank Limited has officially declared its intention to sell a substantial number of promoter

Up to NPR 150 Cashback on Nepal Telecom and Ncell Services with Namaste Pay

Up to NPR 150 Cashback on Nepal Telecom and Ncell

Share It On:21st November, Kathmandu Namaste Pay has unveiled an exciting new campaign to reward its users with cashback on

Ncell introduces innovative feature, enabling customers to convert voice to data or data to voice services

Ncell introduces innovative feature, enabling customers to convert voice to

Share It On:21st November, Kathmandu Ncell customers can enjoy an innovative feature that allows them to convert or exchange remaining