Opting in lets developers use passkeys instead of passwords and 2FA.

GitHub has announced the public beta of passkey authentication, offering more flexibility in how developers can authenticate to the platform. Opting in lets developers upgrade security keys to passkeys and use them in place of both their passwords and 2FA authentication methods, the firm said. The move is GitHub’s latest step toward a passwordless future after it announced new 2FA requirements for all code contributors last May.

Passkeys are considered the modern alternative to passwords, and are generally more secure and easier to use. They are steadily being adopted by technology companies and enterprises to help raise the authentication security bar and end an overreliance on passwords, a major cause of most data breaches. In May, Google began rolling out support for passkeys across Google Accounts on all major platforms. Last year, several tech giants announced support for a common passwordless sign-in standard created by the FIDO Alliance and the World Wide Web Consortium.

Passwords the root cause of data breaches

Most security breaches are not the result of zero-day attacks but rather lower-cost attacks like social engineering, credential theft, or leakage that provide attackers with a broad range of access to victim accounts and the resources they have access to, wrote Hirsch Singhal, staff product manager at GitHub, in a blog post. “In fact, passwords, which we all rely on, are the root cause of more than 80% of data breaches.”

Passkeys build on the work of traditional security keys by adding easier configuration and enhanced recoverability, giving you a secure, private, and easy-to-use method to protect your accounts while minimizing the risk of account lockouts, Singhal added. “The best part is that passkeys bring us closer to realizing the vision of passwordless authentication – helping to eradicate password-based breaches altogether,” he added.

Passkeys on GitHub require user verification, meaning they count as two factors in one, Singhal wrote – something you are or know (your thumbprint, face, or knowledge of a PIN) and something you have (your physical security key or your device). The passkeys can be used across devices by verifying a phone’s presence, while some can also be synced across devices to ensure users are never locked out of their account due to key loss, Singhal added.

Protecting developer accounts key to securing software supply chain

“Developer accounts are frequent targets for social engineering and account takeover (ATO), and protecting developers from these types of attacks is the first and most critical step toward securing the supply chain,” Singhal tells CSO.

Passkeys offer the strongest mix of security and reliability and make developer accounts significantly more secure without compromising access, which remains an issue with other 2FA methods like SMS, TOTP, and existing single-device security keys, he says. “Enhanced security from passkeys prevents password theft and ATO by eliminating the need for passwords.”