GitHub to ban passwords starting in 2021

Get a free Techzine subscription!

The platform will move to token based authentication next August

Microsoft’s GitHub has announced that it plans to stop accepting account passwords as a way to authenticate Git operations. Starting August 13, 2021, the platform will accept only token based authentication. They will run a two week test period of the new authentication system prior to making the switchover.

The new authentication protocol only applies applies to Git operations. These are the commands and APIs that developers use to access and interact with GitHub-hosted Git software repositories.

The planned change does not impact the ability to access a GitHub account in a web browser using a username and password.

Users can also access using two factor authentication (2FA). This could be, for example, using a password in conjunction with a passcode sent to a mobile device.

Why is GitHub eliminating passwords?

Matthew Langlois, security engineer at GitHub, explained the reasons for dropping password access in a blog post this week.

“In recent years, GitHub customers have benefited from a number of security enhancements to GitHub.com,” he says. These enhancements include two-factor authentication, sign-in alerts, verified devices, preventing the use of compromised passwords, and WebAuthn support, he writes.

These make it more difficult for an attacker to take a password that’s been reused across multiple websites and use it to try to gain access to a GitHub account.

Langlois explains that for historical reasons customers without two-factor authentication enabled have been able to continue to authenticate Git and API operations using only their GitHub username and password. This new move aims to rectify that legacy situation.

“Beginning August 13, 2021, we will no longer accept account passwords when authenticating Git operations,” Langlois writes. Instead, they will require the use of token-based authentication.

As examples, Langlois cites a personal access token (for developers) or an OAuth or GitHub App installation token (for integrators).

Such access protocols will be required for all authenticated Git operations on GitHub.com. Users may also continue using SSH keys where they prefer, according to Langlois.

Tip: GitHub adds more administrator tools to Enterprise version