Opting in lets developers use passkeys instead of passwords and 2FA.

GitHub has announced the public beta of passkey authentication, offering more flexibility in how developers can authenticate to the platform. Opting in lets developers upgrade security keys to passkeys and use them in place of both their passwords and 2FA methods, the firm said. The move is GitHub’s latest step toward a passwordless future after it announced new 2FA requirements for all code contributors last May.

Passkeys are considered the modern alternative to passwords, and are generally more secure and easier to use. They are steadily being adopted by technology companies and enterprises to help raise the authentication security bar and end an overreliance on passwords, a major cause of most data breaches. In May, Google began rolling out support for passkeys across Google Accounts on all major platforms. Last year, several tech giants announced support for a common passwordless sign-in standard created by the FIDO Alliance and the World Wide Web Consortium.

Passwords the root cause of data breaches

Most security breaches are not the result of zero-day attacks but rather lower-cost attacks like social engineering, credential theft, or leakage that provide attackers with a broad range of access to victim accounts and the resources they have access to, wrote Hirsch Singhal, staff product manager at GitHub, in a blog post. “In fact, passwords, which we all rely on, are the root cause of more than 80% of data breaches.”

Passkeys build on the work of traditional security keys by adding easier configuration and enhanced recoverability, giving you a secure, private, and easy-to-use method to protect your accounts while minimizing the risk of account lockouts, Singhal added. “The best part is that passkeys bring us closer to realizing the vision of passwordless authentication – helping to eradicate password-based breaches altogether,” he added.

Passkeys on GitHub require user verification, meaning they count as two factors in one, Singhal wrote – something you are or know (your thumbprint, face, or knowledge of a PIN) and something you have (your physical security key or your device). The passkeys can be used across devices by verifying a phone’s presence, while some can also be synced across devices to ensure users are never locked out of their account due to key loss, Singhal added.

Protecting developer accounts key to securing software supply chain

“Developer accounts are frequent targets for social engineering and account takeover (ATO), and protecting developers from these types of attacks is the first and most critical step toward securing the supply chain,” Singhal tells CSO.

Passkeys offer the strongest mix of security and reliability and make developer accounts significantly more secure without compromising access, which remains an issue with other 2FA methods like SMS, TOTP, and existing single-device security keys, he says. “Enhanced security from passkeys prevents password theft and ATO by eliminating the need for passwords.”
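
The user-verification requirement and the synced-versus-single-device distinction described above are both visible to a relying party as flag bits in the WebAuthn authenticator data. The following is an added example, not GitHub's code: the function names and the `example.com` relying-party ID are assumptions, the sample data is constructed, and signature verification is assumed to happen elsewhere.

```python
import hashlib
import hmac
import struct

# Flag bits of WebAuthn authenticator data (W3C Web Authentication spec).
FLAG_UP = 0x01  # user present (touch)
FLAG_UV = 0x04  # user verified (biometric or PIN)
FLAG_BE = 0x08  # backup eligible: credential is allowed to sync
FLAG_BS = 0x10  # backup state: credential is currently synced


def make_auth_data(rp_id: str, flags: int, sign_count: int = 0) -> bytes:
    """Build constructed sample data: rpIdHash(32) | flags(1) | signCount(4)."""
    return hashlib.sha256(rp_id.encode()).digest() + struct.pack(">BI", flags, sign_count)


def check_passkey_assertion(auth_data: bytes, expected_rp_id: str) -> tuple:
    """Return (accepted, reason) for the header of an assertion's authenticator data.

    Assumes the assertion signature was already verified elsewhere.
    """
    if len(auth_data) < 37:
        return False, "truncated"
    rp_id_hash = auth_data[:32]
    flags, _sign_count = struct.unpack(">BI", auth_data[32:37])
    expected = hashlib.sha256(expected_rp_id.encode()).digest()
    if not hmac.compare_digest(rp_id_hash, expected):
        return False, "rp_id_mismatch"      # credential scoped to another site
    if not flags & FLAG_UP:
        return False, "user_not_present"
    if not flags & FLAG_UV:
        return False, "user_not_verified"   # possession only: one factor, not two
    if flags & FLAG_BS and not flags & FLAG_BE:
        return False, "invalid_backup_flags"  # synced but not sync-eligible
    return True, "synced" if flags & FLAG_BS else "device_bound"


if __name__ == "__main__":
    RP = "example.com"  # constructed relying-party ID
    for flags in (FLAG_UP, FLAG_UP | FLAG_UV, FLAG_UP | FLAG_UV | FLAG_BE | FLAG_BS):
        print(f"{flags:#04x}", check_passkey_assertion(make_auth_data(RP, flags), RP))
```

A response with only the user-present bit set proves possession of the authenticator but not the biometric or PIN step, so a service that treats passkeys as two factors has to reject it.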