Opting in lets developers use passkeys instead of passwords and 2FA.

GitHub has announced the public beta of passkey authentication, offering more flexibility in how developers can authenticate to the platform. Opting in lets developers upgrade security keys to passkeys and use them in place of both their passwords and 2FA authentication methods, the firm said. The move is GitHub’s latest step toward a passwordless future after it announced new 2FA requirements for all code contributors last May.

Passkeys are considered the modern alternative to passwords, and are generally more secure and easier to use. They are steadily being adopted by technology companies and enterprises to help raise the authentication security bar and end an overreliance on passwords, a major cause of most data breaches. In May, Google began rolling out support for passkeys across Google Accounts on all major platforms. Last year, several tech giants announced support for a common passwordless sign-in standard created by the FIDO Alliance and the World Wide Web Consortium.

Passwords the root cause of data breaches

Most security breaches are not the result of zero-day attacks but rather lower-cost attacks like social engineering, credential theft, or leakage that provide attackers with a broad range of access to victim accounts and the resources they have access to, wrote Hirsch Singhal, staff product manager at GitHub, in a blog post. “In fact, passwords, which we all rely on, are the root cause of more than 80% of data breaches.”

Passkeys build on the work of traditional security keys by adding easier configuration and enhanced recoverability, giving you a secure, private, and easy-to-use method to protect your accounts while minimizing the risk of account lockouts, Singhal added. “The best part is that passkeys bring us closer to realizing the vision of passwordless authentication – helping to eradicate password-based breaches altogether,” he added.

Passkeys on GitHub require user verification, meaning they count as two factors in one, Singhal wrote – something you are or know (your thumbprint, face, or knowledge of a PIN) and something you have (your physical security key or your device). The passkeys can be used across devices by verifying a phone’s presence, while some can also be synced across devices to ensure users are never locked out of their account due to key loss, Singhal added.

Protecting developer accounts key to securing software supply chain

“Developer accounts are frequent targets for social engineering and account takeover (ATO), and protecting developers from these types of attacks is the first and most critical step toward securing the supply chain,” Singhal tells CSO. Passkeys offer the strongest mix of security and reliability and make developer accounts significantly more secure without compromising access, which remains an issue with other 2FA methods like SMS, TOTP, and existing single-device security keys, he says. “Enhanced security from passkeys prevents password theft and ATO by eliminating the need for passwords.”
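
What the user-verification requirement described above looks like on the server side, as an added example (not GitHub's code and not from the article): a relying party reads the flags byte of the WebAuthn authenticator data and accepts a passkey sign-in only when both the user-present and user-verified bits are set, and it can tell a synced passkey from a device-bound one by the backup bits. The RP ID `example.com`, the function names and the sample bytes are constructed for illustration; signature and challenge verification are out of scope here.

```python
import hashlib
import struct

# Flag bits in the WebAuthn authenticator data (W3C WebAuthn specification).
FLAG_UP = 0x01  # user present (touch)
FLAG_UV = 0x04  # user verified (biometric or PIN)
FLAG_BE = 0x08  # backup eligible: credential may be synced
FLAG_BS = 0x10  # backup state: credential is currently backed up


def parse_auth_data(auth_data: bytes) -> dict:
    """Decode the fixed header: rpIdHash (32) | flags (1) | signCount (4, big-endian)."""
    if len(auth_data) < 37:
        raise ValueError("authenticator data is shorter than 37 bytes")
    rp_id_hash, flags, sign_count = struct.unpack(">32sBI", auth_data[:37])
    return {
        "rp_id_hash": rp_id_hash,
        "user_present": bool(flags & FLAG_UP),
        "user_verified": bool(flags & FLAG_UV),
        "backup_eligible": bool(flags & FLAG_BE),
        "backed_up": bool(flags & FLAG_BS),
        "sign_count": sign_count,
    }


def passkey_policy_check(auth_data: bytes, rp_id: str) -> tuple[bool, str]:
    """Accept only assertions bound to rp_id that carry user verification."""
    try:
        parsed = parse_auth_data(auth_data)
    except ValueError as exc:
        return False, str(exc)
    if parsed["rp_id_hash"] != hashlib.sha256(rp_id.encode()).digest():
        return False, "rpIdHash does not match this site"
    if not parsed["user_present"]:
        return False, "user presence flag missing"
    if not parsed["user_verified"]:
        return False, "user verification flag missing: one factor only"
    if parsed["backed_up"] and not parsed["backup_eligible"]:
        return False, "backup state set without backup eligibility"
    kind = "synced" if parsed["backed_up"] else "device-bound"
    return True, f"user-verified {kind} passkey"


def make_auth_data(rp_id: str, flags: int, sign_count: int = 0) -> bytes:
    """Build constructed sample authenticator data (not captured from a real device)."""
    return hashlib.sha256(rp_id.encode()).digest() + struct.pack(">BI", flags, sign_count)
```

A security key that only reports a touch (UP without UV) is rejected by this policy, which is the difference between a second factor and the "two factors in one" passkey the article describes.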