Security News > 2021 > May > GitHub Prepares to Move Beyond Passwords

GitHub, the ubiquitous host for software development and version control, is now supporting security keys when using Git over SSH. In a post on Monday, GitHub security engineer Kevin Jones said that this is the next step when it comes to increasing security and usability.

These security keys, which include YubiKey, Thetis Fido U2F Security Key and Google Titan Security Keys, are easy to pop into your pocket and cart around between machines, with most connecting via USB, NFC or Bluetooth.

While the devices store a private key on your computer, those on-computer keys are simply a reference to the physical security key: in other words, they're useless to anybody who doesn't have the actual device in hand.

A security key requires you to perform a gesture such as tapping in order to let it know you're about to use the device to authenticate: an action that indicates "User presence," he said, adding that users can also utilize the same security key for both web and SSH authentication, given that they're not limited to a single application.

GitHub data indicates that users likely use an RSA or ed25519 key.

If someone's ambitious, they can remove previously registered SSH keys and just stick to the SSH keys created by the security keys.

News URL

https://threatpost.com/github-security-keys-passwords/166054/