GitHub previews passkeys for no-password authentication, but some would-be adopters struggle

By Tim Anderson
-
GitHub previews passkeys for no-password authentication, but some would-be adopters struggle
Stolen credentials

GitHub has introduced passkeys as a passwordless option for signing into its web application, currently in beta.

According to Staff Product Manager Hirsch Singhal, passwords are the “root cause of more than 80 percent of data breaches,” and supporting passkeys will help to “eradicate password-based breaches altogether.” The Microsoft-owned company is already pushing 2-factor security, with enforced enrolment for some groups of users such as those contributing code to critical open source libraries, but Singhal said that passkeys “build on the work of traditional security keys by adding easier configuration and enhanced recovery.”

The “easier configuration” aspect has not been true for all early adopters. “Chrome 114.0.5735.199 (latest public) is not passkey compatible? Pretty sure it should be but its showing me incompatible browser,” said one such person, the problem being that Windows passkey support is hooked to the Hello feature which is not always available. A read through of the initial feedback shows a number of complications, with one comment noting that the option to store a passkey on a device like a YubiKey hardware key can cause them to run out of the (very limited) storage, which can make them of little use, particularly with older keys that lack the ability to delete resident keys.

We had a mixed experience. An initial test with Windows gave the dreaded message “this browser or device does not support passkeys.” On a Mac though we successfully added a passkey using Apple’s Touch ID. This then also worked with an iPhone thanks to Apple’s iCloud Keychain. Returning to Windows, we were able to log in using the iPhone by scanning a QR code with the iPhone camera, a technique called cross-device authentication.  

This device does not support passkeys … but it does, with cross-device authentication

Developers wishing to try the beta can find it in GitHub under Feature Preview, by clicking their username in the GitHub web application. Once enabled, the option will then appear under Settings – Password and authentication.

Enabling passkey sign-in is done via a feature preview option

A handy tip from Singhal is that if the passkey option does not appear when logging in, it can be forced to do so by using an url argument https://github.com/login?passkey=true.

Passkeys are based on the WebAuthn W3C standard and promoted by the W3C and the FIDO Alliance. The technology was introduced in early 2022 as multi-device FIDO credentials with the term passkey introduced to most people in May 2022 by Microsoft, Apple and Google with posts like this one. It is still early days for adoption though, and device support is a complex subject as the capability matrix on the W3C/FIDO site passkeys.dev demonstrates.

Amazon CodeWhisperer hushed by Q Developer, now generally available, while Q Apps enter preview
GitHub opens technical preview for Copilot Workspace, its next phase in AI-powered development
React 19 beta is out, promising stable server components and a host of other developments
New C# 12 feature proves controversial: Primary constructors 'worst feature I've ever seen implement...
Node 22 released with experimental support for require targeting ECMAScript modules and more
Visual Studio analysed: will it ever migrate from .NET Framework?
Dapr: not just for Kubernetes or the Microsoft platform, says co-creator Mark Fussell
AWS combines "building block" blueprints with CodeCatalyst for rapid project creation including DevO...
Sourcegraph coding assistant now supports Anthropic Claude 3 – though limited to 7K token input
Supabase moves out of beta, adds supports for Swift, plugs in Oriole storage engine
Go dev survey shows frustration with Python’s dominance of AI
React Native and why Microsoft uses it for its own cross-platform development