GitHub launches passkeys beta for passwordless authentication
Users can now opt-in to using passkeys, replacing their password and 2FA method
GitHub has announced the arrival of its passkeys public beta for passwordless authentication, which the company says will enable seamless and secure access on GitHub.com.
The move will allow users to upgrade their security keys to passkeys to be used in place of both passwords and two-factor authentication (2FA) to bolster overall account security.
In an announcement, the firm explained that most security breaches involve lower-cost attacks such as social engineering, credential theft, or leakage.
According to data from the FIDO Alliance, the team behind the global authentication standard based on public key cryptography, passwords are estimated to be the root cause of over 80% of data breaches globally.
To tackle this, GitHub said its new passkeys bring easier configuration and enhanced recoverability, providing a secure and private way to protect accounts and minimize the risk of lockouts.
“GitHub is committed to helping all developers employ strong account security while staying true to our promise of not compromising their user experience,” said Hirsch Singhal, staff product manager at GitHub. “We began this commitment with our 2FA initiative across GitHub.
“Today, we are furthering this work by ensuring seamless and secure access on GitHub.com with the public beta of passkey authentication.”
Sign up today and you will receive a free copy of our Future Focus 2026 report - the leading resource for IT decision-maker insight on priorities and investment areas in AI, security and more.
Users can implement passkeys via the ‘Feature Preview’ tab in the settings sidebar, which now displays an option to ‘enable passkeys’. This will enable the option to upgrade eligible security keys to passkeys, as well as register new passkeys.
How GitHub passkeys work
The new passkeys essentially count as two security layers in one, combining a user element such as a thumbprint, face, or knowledge of a PIN, with a physical element such as a security key or device.
Due to expanded browser support, GitHub said a browser’s autofill system can automatically suggest that users use their passkey to sign in straight from the login page – regardless of whether a user has 2FA enabled.
RELATED RESOURCE
The state of email security 2023
Discover how leaders are protecting their organizations from cyber attacks in the face of increases in email usage.
Passkeys can also be used across more than just the device they were created on, thanks to a new experience labeled ‘Cross-Device Authentication’.
This allows the use of a passkey on a phone to sign into a laptop, for example, by verifying the phone’s presence.
“Because your phone or tablet must be physically close to your laptop or desktop, Cross-Device Authentication retains the phishing-resistant promise of FIDO,” Singhal said.
Additionally, many passkeys can be synced across multiple devices to help prevent account lock-out due to key loss. This can be done automatically, depending on passkey provider, GitHub said.
How to upgrade
Existing user security keys that are capable of verifying identity – such as Touch ID, Windows Hello, Android thumbprints, or PIN-locked or biometric hardware keys – are eligible to be upgraded.
Upon next sign in with the security key, GitHub will ask users if they would like to upgrade to a passkey. This will then re-register the security key with the user’s passkey provider to ensure it is discoverable during authentication and synced. Up-to-date devices support passkeys straight out of the box.
“Because passkeys are privacy-preserving, you might have to trigger your passkey a few times during that upgrade flow so we can make sure we’re upgrading the right credential,” Singhal said. “Once you do, you’re all set for a passwordless experience.
“By registering durable, secure credentials across all your devices, we hope to prevent account lockouts due to device loss,” Singhal added.
Dan is a freelance writer and regular contributor to ChannelPro, covering the latest news stories across the IT, technology, and channel landscapes. Topics regularly cover cloud technologies, cyber security, software and operating system guides, and the latest mergers and acquisitions.
A journalism graduate from Leeds Beckett University, he combines a passion for the written word with a keen interest in the latest technology and its influence in an increasingly connected world.
He started writing for ChannelPro back in 2016, focusing on a mixture of news and technology guides, before becoming a regular contributor to ITPro. Elsewhere, he has previously written news and features across a range of other topics, including sport, music, and general news.
-
Cisco sounds alarm over new Russian malware campaign hitting firms in US and EuropeNews UAT-11795 is weaponizing legitimate software such as WebEx and Zoom to dupe victims
-
Why doesn't more data produce better results?ITPro Podcast Riverbed CIO Fernando Castanheira talks about data and how businesses can use it better
-
1Password teams up with Anthropic to give Claude access to your credentialsNews A new ‘zero-exposure’ security framework allows agents to use stored credentials in the 1Password vault
-
We need to do something about passwordsPasswords are a fundamental aspect of access security, but recent password leaks have undermined their ability to protect data
-
Dashlane lifts the lid on attack that saw hackers download encrypted user vaultsNews The company said it has now informed all affected customers, and taken action to shut down the operation
-
The NCSC says it’s time to switch to passkeysNews UK security organization calls for companies to step up and offer more secure ways to login
-
AI agents are creating new identity security risks: 1Password wants to solve thatNews The Unified Access system from 1Password will help enterprises manage AI agent access across different devices and users
-
Law enforcement and security firms take down huge PhaaS platformNews Tycoon 2FA has been responsible for tens of millions of phishing messages, reaching over 500,000 organizations each month worldwide
-
Using AI to generate passwords is a terrible idea, experts warnNews Researchers have warned the use of AI-generated passwords puts users and businesses at risk
-
Researchers called on LastPass, Dashlane, and Bitwarden to up defenses after severe flaws put 60 million users at risk – here’s how each company respondedNews Analysts at ETH Zurich called for cryptographic standard improvements after a host of password managers were found lacking