EXECUTIVE SUMMARY:

Key highlights

  • GitHub users can now upgrade security keys to passkeys, bolstering overall account security.
  • For GitHub users, passkeys are also expected to bring easier configuration and enhanced account recoverability.
  • The FIDO Alliance estimates that password theft is at the root of 80% of all data breaches.

GitHub’s passkey security

Cyber attackers don’t always require sophisticated methodologies and persistence to access enterprise systems. In some cases, attackers can simply dupe employees into sharing account credentials and log themselves into the business platform of their choice.

Because cyber attackers commonly target developers, GitHub recently announced that it’s launching passkeys in public beta – a move that will help developers avoid victimization by cyber adversaries and that will keep organizations safer overall.

New to passkeys? Read this

Passkeys are a type of login credential that enables individuals to log into sites and services without inputting a password. Instead, individuals unlock the passkey with a biometric element (or, where available, a PIN) at login time.

Passkeys are built on the Web Authentication (WebAuthn) standard, which uses public-key cryptography to secure accounts. With passkeys, individuals have a private key and a public key. The public key ‘lives’ on a company’s server. The private key ‘lives’ on a device and can’t be easily obtained by hackers.

(If you still have questions, click here.)

More GitHub information

The new GitHub passkeys function as two security layers rolled into one, combining a user element, such as a thumbprint, a face or a set of numbers, with a physical element, like a security key or device.

Expanded browser support means that a browser’s auto-fill system can automatically suggest that users leverage their passkey to sign in on the login page – regardless of whether or not 2FA is enabled.

A new experience known as ‘Cross-Device Authentication’ means that the passkeys can be used across more than the device that they were created on. In other words, a user could apply the passkey on a phone to sign into a laptop by verifying the phone’s presence.

“Because your phone or tablet must be physically close to your laptop or desktop, Cross-Device Authentication retains the phishing-resistant promise of FIDO,” said Hirsch Singhal, staff product manager at GitHub.

Further, multiple passkeys can be synced across various devices in order to mitigate account lock-out due to key loss. Depending on the passkey provider, this can be done automatically, said GitHub.

Passkey rollouts

Some experts anticipate that as passkey technology matures, an increasing number of technology platforms (e.g. Amazon, Meta, Twitter) will announce passkey support.

However, there are serious drawbacks to tying account authentication to passkeys. One issue is that if a phone or tablet crashes, individuals won’t be able to quickly and easily log into accounts – at least, based on current technologies.

Beyond that, in the U.S., the Fifth Amendment protects criminal defendants from self-incrimination and says that the accused aren’t legally mandated to reveal numeric passcodes that ‘live’ in their heads. However, the widespread introduction of biometric passcodes translates to murky legal waters – can law enforcement force someone to hold up a hand?

For further insights into the future of password security, please see CyberTalk.org’s past coverage. Lastly, to receive more timely cyber security news, insights and cutting-edge analyses, please sign up for the cybertalk.org newsletter.