GitHub announces support for Web Authentication

GitHub has announced support for the Web Authentication (WebAuthn) security standard. The new standard aims to make accounts more secure against cybercriminals.

Inadequate security of GitHub accounts can lead to cyber criminals accessing backdoors in open source code or passwords. They could also, for example, inject malware code into an application or dev library. Recently, malware was discovered in a Ruby Gem package, probably caused by a hacked account, reports The Register.

WebAuthn support means that GitHub supports physical security keys in browsers such as Firefox and Chrome on Windows, macOS, Linux and Android. On macOS this is also possible in preview versions of Safari, and on iOS also with Brave and YubiKey 5Ci. It is now also possible to use a laptop or phone as a key, using Windows Hello, Touch ID on macOS or a fingerprint scanner on Android.

Two-factor authentication

GitHub currently only supports security keys as an additional option, reports The Register. This means that the option only became available when two-factor authentication (2FA) was already set by SMS or an authentication app. GitHub is currently examining the possibility of turning keys into an option that is immediately available. We are also investigating whether it would be possible to log in without a password.

GitHub also offers a number of ways to circumvent the exclusion of an account with 2FA, including recovery codes. However, they must then be stored (or printed) elsewhere. GitHub also suggests the use of an authentication app to back up keys. Google Authenticator and Microsoft Authenticator, for example, do not have this option.

2FA is in any case a relatively insecure option, as telephone numbers can be hijacked and SMS messages can be intercepted. GitHub has previously supported one-time password authentication and U2F (Universal Second Factor) security key apps. However, U2F is rather outdated compared to WebAuthn.