IT Pro is supported by its audience. When you purchase through links on our site, we may earn an affiliate commission. Learn more

GitHub now supports security keys in a move away from passwords

Move to prevent account compromise for SSH Git operations

A padlock on a motherboard surrounded by keys

GitHub has added support for FIDO2 security keys to prevent account compromise in SSH Git operations and start moving away from solely relying on passwords, the company announced.

In a blog post,  GitHub security engineer Kevin Jones said that the company was always looking for new standards that increase security and usability. GitHub users can now use portable FIDO2 devices for SSH authentication to secure Git operations against private key exposure.

"Once generated, you add these new keys to your account just like any other SSH key," said Jones. "You'll still create a public and private key pair, but secret bits are generated and stored in the security key, with the public part stored on your machine like any other SSH public key. "

Jones said that a private key will still be stored on a user’s computer, but this will only reference the security key device itself. If your private key file on your computer is stolen, it would be useless without the security key. 

"When using SSH with a security key, none of the sensitive information ever leaves the physical security key device," added Jones. "If you're the only person with physical access to your security key, it's safe to leave plugged in at all times."

Related Resource

Security awareness training strategies for account takeover protection

Why you need an inside-the-perimeter strategy for internal threats

Security awareness training strategies for account takeover protection - whitepaper from MimecastFree download

Users were urged to remove previously registered SSH keys and use only SSH keys backed by security keys. 

“Using only SSH keys backed by security keys gives you strong assurance that you are the only person pulling your Git data via SSH as long as you keep the security key safe like any other private key,” said Jones.

The move toward using security keys comes as the firm looks to avoid using traditional passwords and embrace more secure forms of authentication.

"We recognize that passwords are convenient, but they are a consistent source of account security challenges," said Jones. “We believe passwords represent the present and past, but not the future.”

He added that removing password support for Git — GitHub has already done so for its API — would “raise the baseline security hygiene for every user and organization, and the resulting software supply chain”.

To move over to using security keys, users must log in to the service and follow the instructions in its documentation to create a new key and add it to their account.

Featured Resources

Join the 90% of enterprises accelerating to the cloud

Business transformation through digital modernisation

Free Download

Delivering on demand: Momentum builds toward flexible IT

A modern digital workplace strategy

Free download

Modernise the workforce experience

Actionable insights and an optimised experience for both IT and end users

Free Download

The digital workplace roadmap

A leader's guide to strategy and success

Free Download

Recommended

Solve cyber resilience challenges with storage solutions
Whitepaper

Solve cyber resilience challenges with storage solutions

4 Jul 2022
Storage's role in addressing the challenges of ensuring cyber resilience
Whitepaper

Storage's role in addressing the challenges of ensuring cyber resilience

4 Jul 2022
Introducing IBM Security QRadar XDR
Whitepaper

Introducing IBM Security QRadar XDR

4 Jul 2022
The Total Economic Impact™ of IBM Security MaaS360 with Watson
Whitepaper

The Total Economic Impact™ of IBM Security MaaS360 with Watson

4 Jul 2022

Most Popular

Universities are fighting a cyber security war on multiple fronts
cyber security

Universities are fighting a cyber security war on multiple fronts

4 Jul 2022
Hackers claim to steal personal data of over a billion people in China
data breaches

Hackers claim to steal personal data of over a billion people in China

4 Jul 2022
Latest LockBit ransomware strain 'strikingly similar' to BlackMatter
ransomware

Latest LockBit ransomware strain 'strikingly similar' to BlackMatter

4 Jul 2022