GitHub has become the latest prominent service to offer passkey support, letting users login without a password.
For users that opt in, it means that passkeys will replace security keys, and will be used in place of both your password and 2FA method.
Convenience and security
Passkeys are the latest passwordless technology that have been adopted by prominent tech firms already, such as Apple, Google, and Microsoft. These along with other tech giants are board-level members of the FIDO alliance, the cross-industry association that sets the technological standards for passkeys.
Other services offer passkey support too, such as eBay, PayPal and BestBuy. Although the total number of adopters is currently quite small, it seems that uptake is slowly growing, with GitHub being the latest to support their use.
Passkeys work by storing a private cryptographic key on your device, which, when combined with the public key of the service in question, allows you to login to your account. All that is need to authenticate your identity is whatever measure you use to lock your device, such as your fingerprint or face scan, or your PIN.
As well as improving convenience, passkeys are also claimed to be more secure as they are phishing resistance - no one can extract the keys from you in social engineering campaigns as they are stored on device with zero knowledge architecture; not even the user knows what they are.
GitHub also cites the claim from the FIDO alliance that passwords are the root cause of more than 80% of data breaches, so it is argued that switching to passkeys will drastically improve the security posture of users and organizations.
GitHub has taken various steps over the years to help protect users and itself from supply chain attacks, since the software available on the site is often propagated widely to numerous organizations.
In 2021, for instance, it removed the ability to authenticate Git operations with passwords only, requiring token-based authentication, such as those offered by security keys. An in May this year, it made 2FA mandatory for developer accounts.
- Want to have access to your passkeys cross-platform? Then you'll need to use the best password manager
Are you a pro? Subscribe to our newsletter
Sign up to the TechRadar Pro newsletter to get all the top news, opinion, features and guidance your business needs to succeed!
Lewis Maddison is a Staff Writer at TechRadar Pro. His area of expertise is online security and protection, which includes tools and software such as password managers.
His coverage also focuses on the usage habits of technology in both personal and professional settings - particularly its relation to social and cultural issues - and revels in uncovering stories that might not otherwise see the light of day.
He has a BA in Philosophy from the University of London, with a year spent studying abroad in the sunny climes of Malta.