GitHub has introduced passkeys as a passwordless option for signing into its web application, currently in beta.
According to Staff Product Manager Hirsch Singhal, passwords are the “root cause of more than 80 percent of data breaches,” and supporting passkeys will help to “eradicate password-based breaches altogether.” The Microsoft-owned company is already pushing 2-factor security, with enforced enrolment for some groups of users such as those contributing code to critical open source libraries, but Singhal said that passkeys “build on the work of traditional security keys by adding easier configuration and enhanced recovery.”
The “easier configuration” aspect has not been true for all early adopters. “Chrome 114.0.5735.199 (latest public) is not passkey compatible? Pretty sure it should be but its showing me incompatible browser,” said one such person, the problem being that Windows passkey support is hooked to the Hello feature which is not always available. A read through of the initial feedback shows a number of complications, with one comment noting that the option to store a passkey on a device like a YubiKey hardware key can cause them to run out of the (very limited) storage, which can make them of little use, particularly with older keys that lack the ability to delete resident keys.
We had a mixed experience. An initial test with Windows gave the dreaded message “this browser or device does not support passkeys.” On a Mac though we successfully added a passkey using Apple’s Touch ID. This then also worked with an iPhone thanks to Apple’s iCloud Keychain. Returning to Windows, we were able to log in using the iPhone by scanning a QR code with the iPhone camera, a technique called cross-device authentication.
Developers wishing to try the beta can find it in GitHub under Feature Preview, by clicking their username in the GitHub web application. Once enabled, the option will then appear under Settings – Password and authentication.
A handy tip from Singhal is that if the passkey option does not appear when logging in, it can be forced to do so by using an url argument https://github.com/login?passkey=true.
Passkeys are based on the WebAuthn W3C standard and promoted by the W3C and the FIDO Alliance. The technology was introduced in early 2022 as multi-device FIDO credentials with the term passkey introduced to most people in May 2022 by Microsoft, Apple and Google with posts like this one. It is still early days for adoption though, and device support is a complex subject as the capability matrix on the W3C/FIDO site passkeys.dev demonstrates.