GitHub now supports security keys in a move away from passwords

News
By published

Move to prevent account compromise for SSH Git operations

A padlock on a motherboard surrounded by keys

GitHub has added support for FIDO2 security keys to prevent account compromise in SSH Git operations and start moving away from solely relying on passwords, the company announced.

In a blog post, GitHub security engineer Kevin Jones said that the company was always looking for new standards that increase security and usability. GitHub users can now use portable FIDO2 devices for SSH authentication to secure Git operations against private key exposure.

"Once generated, you add these new keys to your account just like any other SSH key," said Jones. "You'll still create a public and private key pair, but secret bits are generated and stored in the security key, with the public part stored on your machine like any other SSH public key. "

What are SSH keys? Google Chrome makes it easier to fix weak passwords Businesses could ditch passwords for new cryptographic key system Government moves to ban weak default passwords on IoT devices

Jones said that a private key will still be stored on a user’s computer, but this will only reference the security key device itself. If your private key file on your computer is stolen, it would be useless without the security key.

"When using SSH with a security key, none of the sensitive information ever leaves the physical security key device," added Jones. "If you're the only person with physical access to your security key, it's safe to leave plugged in at all times."

RELATED RESOURCE

Security awareness training strategies for account takeover protection

Why you need an inside-the-perimeter strategy for internal threats

FREE DOWNLOAD

Users were urged to remove previously registered SSH keys and use only SSH keys backed by security keys.

“Using only SSH keys backed by security keys gives you strong assurance that you are the only person pulling your Git data via SSH as long as you keep the security key safe like any other private key,” said Jones.

The move toward using security keys comes as the firm looks to avoid using traditional passwords and embrace more secure forms of authentication.

"We recognize that passwords are convenient, but they are a consistent source of account security challenges," said Jones. “We believe passwords represent the present and past, but not the future.”

He added that removing password support for Git — GitHub has already done so for its API — would “raise the baseline security hygiene for every user and organization, and the resulting software supply chain”.

To move over to using security keys, users must log in to the service and follow the instructions in its documentation to create a new key and add it to their account.

Rene Millman
Rene Millman

Rene Millman is a freelance writer and broadcaster who covers cybersecurity, AI, IoT, and the cloud. He also works as a contributing analyst at GigaOm and has previously worked as an analyst for Gartner covering the infrastructure market. He has made numerous television appearances to give his views and expertise on technology trends and companies that affect and shape our lives. You can follow Rene Millman on Twitter.

More about security
Businessman hand pointing finger to growth success finance business chart of metaverse technology financial graph investment diagram on analysis stock market background with digital economy exchange.

Global security spending continues to rise
ServiceNow signage pictured during the Singapore FinTech Festival in Singapore, on Wednesday, Nov. 15, 2023.

Old ServiceNow vulnerabilities could cause havoc for unpatched customers
The creator effect: Shaping the future of travel

The creator effect: Shaping the future of travel
See more latest
Most Popular
Jensen Huang, co-founder and chief executive of Nvidia pictured on stage at Nvidia GTC 2025 holding two GPUs.
Nvidia GTC 2025: Four big announcements you need to know about
Businessman hand pointing finger to growth success finance business chart of metaverse technology financial graph investment diagram on analysis stock market background with digital economy exchange.
Global security spending continues to rise
Women in tech concept image showing female tech worker sitting at desk working on desktop computer.
Imposter syndrome is pushing women out of tech
Jensen Huang, co-founder and chief executive officer of Nvidia, pictured during a news conference at the Nvidia GPU Technology Conference (GTC) in San Jose, California, US.
‘This is the first event in history where a company CEO invites all of the guests to explain why he was wrong’: Jensen Huang changes his tune on quantum computing after January stock shock
ServiceNow signage pictured during the Singapore FinTech Festival in Singapore, on Wednesday, Nov. 15, 2023.
Old ServiceNow vulnerabilities could cause havoc for unpatched customers
Soft skills concept image showing informal staff meeting in an open plan office environment with workers having a discussion.
AI skills training can't be left in the hands of big tech
Oracle CloudWorld Tour sign pictured at the company event in London, UK.
AI agent announcements are a dime a dozen right now – here’s what Oracle thinks it’s doing differently
Close-up shot of data centers servers in red, black, and light blue colors.
Server sales are skyrocketing – and growth shows no sign of slowing down
SonicWall logo and branding pictured on a smartphone screen.
SonicWall pins ‘transformational year’ on strong partner growth
Antonio Neri, chief executive officer of Hewlett Packard Enterprise Co. (HPE), bottom left, and Jensen Huang, co-founder and chief executive officer of Nvidia Corp., during a keynote address at the HPE Discover event at the Sphere in Las Vegas, Nevada, US, on Tuesday, June 18, 2024.
HPE unveils Mod Pod AI ‘data center-in-a-box’ at Nvidia GTC