GitHub now supports FIDO2 security keys
GitHub now supports FIDO2 security keys for SSH Git operations, adding a further layer of account protection. Two years ago, researchers at North Carolina State University (NCSU) found, after scanning about 13% of GitHub's public repositories over a six-month period, that more than 100,000 repositories had leaked API tokens and cryptographic (SSH and TLS) keys. Worse, they also found that thousands of new repositories were leaking such secrets every day.
To further harden GitHub accounts against theft, GitHub now supports FIDO2 security keys. Users can use a portable FIDO2 device for SSH authentication, which secures Git operations against accidental exposure of the private key and against unauthorized requests from malware, since the key material never leaves the device.
GitHub also recommends that users replace all previously registered SSH keys with security-key-backed SSH keys, so that only the person holding the device can manage the project's Git data over SSH. In addition, GitHub will automatically remove inactive SSH keys (unused for more than a year) from the user's account.
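As an added example (not GitHub's tooling, and not from the original article), the script below audits a list of SSH public keys and reports which ones are backed by a FIDO2 security key and which are legacy software keys that the recommendation above says should be replaced. It relies on the fact that OpenSSH names security-key-backed keys with an "sk-" prefix (sk-ssh-ed25519@openssh.com, sk-ecdsa-sha2-nistp256@openssh.com). The sample key file is constructed inline with placeholder key material; in practice you would feed it the keys registered on your account (GitHub publishes them at https://github.com/<username>.keys) or an authorized_keys file.

```shell
#!/bin/sh
# Added example: classify SSH public keys as FIDO2 security-key-backed or legacy.
# OpenSSH prefixes security-key key types with "sk-":
#   sk-ssh-ed25519@openssh.com, sk-ecdsa-sha2-nistp256@openssh.com
# Input format: one key per line, as in authorized_keys or github.com/<user>.keys.

# Constructed sample input; the base64 fields are placeholders, not real keys.
SAMPLE_KEYS_FILE="${TMPDIR:-/tmp}/sample_ssh_keys.$$"
cat > "$SAMPLE_KEYS_FILE" <<'EOF'
# keys registered on a hypothetical account
ssh-rsa AAAAB3PLACEHOLDER laptop-2018
ssh-ed25519 AAAAC3PLACEHOLDER ci-runner
sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5PLACEHOLDER yubikey-home
sk-ecdsa-sha2-nistp256@openssh.com AAAAInNrLWVjZHNhPLACEHOLDER yubikey-office
EOF
trap 'rm -f "$SAMPLE_KEYS_FILE"' EXIT

# audit_ssh_keys FILE
# Prints one tab-separated line per key: SECURITY_KEY|LEGACY, key type, comment.
audit_ssh_keys() {
    awk '
        /^[[:space:]]*$/ || /^#/ { next }          # skip blank lines and comments
        {
            type = ""; comment = ""
            # authorized_keys lines may start with options ("no-pty,...");
            # locate the first field that looks like an OpenSSH key type.
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^(sk-)?(ssh-|ecdsa-)/) { type = $i; comment = $(i + 2); break }
            }
            if (type == "") next                   # not a key line; ignore it
            cls = (type ~ /^sk-/) ? "SECURITY_KEY" : "LEGACY"
            printf "%s\t%s\t%s\n", cls, type, comment
        }' "$1"
}

# count_legacy_keys FILE
# Number of keys that are not security-key-backed, i.e. candidates for replacement.
count_legacy_keys() {
    audit_ssh_keys "$1" | grep -c '^LEGACY'
}

audit_ssh_keys "$SAMPLE_KEYS_FILE"
echo "legacy keys to replace: $(count_legacy_keys "$SAMPLE_KEYS_FILE")"
```

Generating the replacement keys requires the physical device, so it is not part of the script: with OpenSSH 8.2 or later, `ssh-keygen -t ed25519-sk` (or `-t ecdsa-sk` for devices without Ed25519 support) creates a key pair whose private half is a handle that is useless without the token, and the resulting `.pub` file is what you register with GitHub in place of the legacy keys the audit flags.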
In December last year, GitHub announced that, starting in August 2021, it will switch to token-based authentication, at which point account passwords will no longer be accepted for authenticating Git operations. GitHub was also among the first companies to adopt Web Authentication (WebAuthn) security keys for two-factor authentication, and was an early adopter of the FIDO Universal 2nd Factor (U2F) open authentication standard.