GitHub is going passwordless with new passkey support

GitHub has become the latest prominent service to offer passkey support, letting users log in without a password.

The popular software repository, which is now owned by Microsoft, announced in a blog post on its website that the public beta for passkeys is now available. 

For users that opt in, it means that passkeys will replace security keys, and will be used in place of both your password and 2FA method.

Convenience and security

Passkeys are the latest passwordless technology and have already been adopted by prominent tech firms such as Apple, Google, and Microsoft. These, along with other tech giants, are board-level members of the FIDO Alliance, the cross-industry association that sets the technological standards for passkeys. 

Other services offer passkey support too, such as eBay, PayPal and BestBuy. Although the total number of adopters is currently quite small, it seems that uptake is slowly growing, with GitHub being the latest to support their use. 

Passkeys work by storing a private cryptographic key on your device, which, when combined with the matching public key held by the service in question, allows you to log in to your account. All that is needed to authenticate your identity is whatever measure you use to lock your device, such as your fingerprint or face scan, or your PIN. 

As well as improving convenience, passkeys are also claimed to be more secure as they are phishing resistant - no one can extract the keys from you in social engineering campaigns as they are stored on the device with a zero-knowledge architecture; not even the user knows what they are. 

GitHub also cites the claim from the FIDO Alliance that passwords are the root cause of more than 80% of data breaches, so it is argued that switching to passkeys will drastically improve the security posture of users and organizations. 

GitHub has taken various steps over the years to help protect users and itself from supply chain attacks, since the software available on the site is often propagated widely to numerous organizations.

In 2021, for instance, it removed the ability to authenticate Git operations with passwords only, requiring token-based authentication, such as that offered by security keys. And in May this year, it made 2FA mandatory for developer accounts.

Lewis Maddison
Staff Writer

Lewis Maddison is a Staff Writer at TechRadar Pro. His area of expertise is online security and protection, which includes tools and software such as password managers. 
