GitHub now supports security keys in a move away from passwords
Move to prevent account compromise for SSH Git operations


GitHub has added support for FIDO2 security keys to prevent account compromise in SSH Git operations and start moving away from solely relying on passwords, the company announced.
In a blog post, GitHub security engineer Kevin Jones said that the company was always looking for new standards that increase security and usability. GitHub users can now use portable FIDO2 devices for SSH authentication to secure Git operations against private key exposure.
"Once generated, you add these new keys to your account just like any other SSH key," said Jones. "You'll still create a public and private key pair, but secret bits are generated and stored in the security key, with the public part stored on your machine like any other SSH public key. "
Jones said that a private key will still be stored on a user’s computer, but this will only reference the security key device itself. If your private key file on your computer is stolen, it would be useless without the security key.
"When using SSH with a security key, none of the sensitive information ever leaves the physical security key device," added Jones. "If you're the only person with physical access to your security key, it's safe to leave plugged in at all times."
RELATED RESOURCE
Security awareness training strategies for account takeover protection
Why you need an inside-the-perimeter strategy for internal threats
Users were urged to remove previously registered SSH keys and use only SSH keys backed by security keys.
“Using only SSH keys backed by security keys gives you strong assurance that you are the only person pulling your Git data via SSH as long as you keep the security key safe like any other private key,” said Jones.
Sign up today and you will receive a free copy of our Future Focus 2025 report - the leading guidance on AI, cybersecurity and other IT challenges as per 700+ senior executives
The move toward using security keys comes as the firm looks to avoid using traditional passwords and embrace more secure forms of authentication.
"We recognize that passwords are convenient, but they are a consistent source of account security challenges," said Jones. “We believe passwords represent the present and past, but not the future.”
He added that removing password support for Git — GitHub has already done so for its API — would “raise the baseline security hygiene for every user and organization, and the resulting software supply chain”.
To move over to using security keys, users must log in to the service and follow the instructions in its documentation to create a new key and add it to their account.
Rene Millman is a freelance writer and broadcaster who covers cybersecurity, AI, IoT, and the cloud. He also works as a contributing analyst at GigaOm and has previously worked as an analyst for Gartner covering the infrastructure market. He has made numerous television appearances to give his views and expertise on technology trends and companies that affect and shape our lives. You can follow Rene Millman on Twitter.
-
AI coding tools are booming – and developers in this one country are by far the most frequent users
News AI coding tools are soaring in popularity worldwide, but developers in one particular country are among the most frequent users.
-
Cisco warns of critical flaw in Unified Communications Manager – so you better patch now
News While the bug doesn't appear to have been exploited in the wild, Cisco customers are advised to move fast to apply a patch
-
The NCSC wants you to start using password managers and passkeys – here’s how to choose the best options
News New guidance from the NCSC recommends using passkeys and password managers – but how can you choose the best option? ITPro has you covered.
-
I love magic links – why aren’t more services using them?
Opinion Using magic links instead of passwords is safe and easy but they’re still infuriatingly underused by businesses
-
Password management startup Passbolt secures $8 million to shake up credential security
News Password management startup Passbolt has secured $8 million in funding as part of a Series A investment round.
-
LastPass breach comes back to haunt users as hackers steal $12 million in cryptocurrency
News The hackers behind the LastPass breach are on a rampage two years after their initial attack
-
GitHub launches passkeys beta for passwordless authentication
News Users can now opt-in to using passkeys, replacing their password and 2FA method
-
Microsoft SQL password-guessing attacks rising as hackers pivot from OneNote vectors
News Database admins are advised to enforce better controls as attacks ending in ransomware are being observed
-
No, Microsoft SharePoint isn’t cracking users’ passwords
News The discovery sparked concerns over potentially invasive antivirus scanning practices by Microsoft
-
Microsoft Authenticator mandates number matching to counter MFA fatigue attacks
News The added layer of complexity aims to keep social engineering at bay