A big fingerprint? Or just a very close photo?
GATHER ROUND EVERYONE, it’s time to talk about everyone’s favourite topic: internet authentication protocols. Y’see, GitHub has just had an upgrade, allowing its members to log in with the new(er) and shiny(er) Web Authentication (WebAuthn) security standard.
While the site did previously support two-factor authentication (2FA) via SMS, one-time password authentication apps and U2F security keys, the move to WebAuthn opens the door to physical security keys via Firefox, Chrome, macOS, Linux and Android.
Or, if you don’t fancy carrying a security key about your person, you can also use your laptop or phone as a security key, thanks to Windows Hello, Touch ID on Macs or Android-bound fingerprint readers. iPhones also work with Brave and the YubiKey 5Ci.
In short, it should be a bit more convenient. Sure, not as convenient as setting your password as “123456”, but significantly more secure.
“Account security is critical for GitHub,” wrote Lucas Garron, GitHub’s security engineer. “Although we support strong authentication options, many people still don’t use a password manager or two-factor authentication because individual passwords have always been the easiest choice.”
For now, security keys are secondary to other 2FA methods, but the site is mulling over making them the primary form in time.
“Because platform support is not yet ubiquitous, GitHub currently supports security keys as a supplemental second factor,” Garron wrote. “But we’re evaluating security keys as a primary second factor as more platforms support them.”
Could this be a password-free future? The risk of that approach, of course, is what happens if you get locked out of your account. The site does support some get-out clauses here, including a recovery code that appears when you set up 2FA and can be printed out or saved in your password manager of choice. Google Authenticator and Microsoft Authenticator also let you back up your keys, should you wish. But if a user doesn’t do this, then it’s extremely tricky to prove their identity and reset an account.
In any case, it’s a good thing that GitHub is looking at this. As a repository of code, it’s a tempting target for cybercriminals who could slip all manner of nasties into application libraries used by developers.