GitHub launches passkeys beta for passwordless authentication

GitHub has announced the arrival of its passkeys public beta for passwordless authentication, which the company says will enable seamless and secure access on GitHub.com.

The move will allow users to upgrade their security keys to passkeys to be used in place of both passwords and two-factor authentication (2FA) to bolster overall account security.

In an announcement, the firm explained that most security breaches involve lower-cost attacks such as social engineering, credential theft, or leakage. 

According to data from the FIDO Alliance, the team behind the global authentication standard based on public key cryptography, passwords are estimated to be the root cause of over 80% of data breaches globally.

To tackle this, GitHub said its new passkeys bring easier configuration and enhanced recoverability, providing a secure and private way to protect accounts and minimize the risk of lockouts.

“GitHub is committed to helping all developers employ strong account security while staying true to our promise of not compromising their user experience,” said Hirsch Singhal, staff product manager at GitHub. “We began this commitment with our 2FA initiative across GitHub. 

“Today, we are furthering this work by ensuring seamless and secure access on GitHub.com with the public beta of passkey authentication.”

Users can implement passkeys via the ‘Feature Preview’ tab in the settings sidebar, which now displays an option to ‘enable passkeys’. This will enable the option to upgrade eligible security keys to passkeys, as well as register new passkeys.

How GitHub passkeys work

The new passkeys essentially count as two security layers in one, combining a user element such as a thumbprint, face, or knowledge of a PIN, with a physical element such as a security key or device.

Due to expanded browser support, GitHub said a browser’s autofill system can automatically suggest that users use their passkey to sign in straight from the login page – regardless of whether a user has 2FA enabled.

Passkeys can also be used across more than just the device they were created on, thanks to a new experience labeled ‘Cross-Device Authentication’. 

This allows the use of a passkey on a phone to sign into a laptop, for example, by verifying the phone’s presence.

“Because your phone or tablet must be physically close to your laptop or desktop, Cross-Device Authentication retains the phishing-resistant promise of FIDO,” Singhal said.

Additionally, many passkeys can be synced across multiple devices to help prevent account lock-out due to key loss. This can be done automatically, depending on passkey provider, GitHub said. 

How to upgrade

Existing user security keys that are capable of verifying identity – such as Touch ID, Windows Hello, Android thumbprints, or PIN-locked or biometric hardware keys – are eligible to be upgraded.

Upon next sign in with the security key, GitHub will ask users if they would like to upgrade to a passkey. This will then re-register the security key with the user’s passkey provider to ensure it is discoverable during authentication and synced. Up-to-date devices support passkeys straight out of the box.

“Because passkeys are privacy-preserving, you might have to trigger your passkey a few times during that upgrade flow so we can make sure we’re upgrading the right credential,” Singhal said. “Once you do, you’re all set for a passwordless experience.

“By registering durable, secure credentials across all your devices, we hope to prevent account lockouts due to device loss,” Singhal added.