GitHub Supports Security Keys For SSH Git Operations

GitHub recently announced that security keys will be supported for SSH Git operations to protect against account breaches.

Physical, portable devices such as the Google Titan Security Keys, YubiKey, and Thetis FIDO U2F Security Key provide an extra layer of protection for internet services and accounts.

Users can use these tools to secure themselves and their accounts from unintended exposure, data theft, or hacking when they connect a security key to SSH operations, Kevin Jones, a security engineer at GitHub, said in a blog post.

GitHub SSH Git Operations

GitHub is moving away from traditional passwords toward more secure authentication methods. Users can currently access Git using a password, SSH key, or personal access token, but the firm plans to phase out password support later.

Jones said, "We recognize that passwords are convenient, but they are a consistent source of account security challenges."

"We believe passwords represent the present and past, but not the future… By removing password support for Git, as we already successfully did for our API, we will raise the baseline security hygiene for every user and organization, and the resulting software supply chain."

It is still essential to use strong passwords, but with the proliferation of cyber threats they have become less reliable as a sole security mechanism. This has prompted the development of password managers that often check for security keys and login leakage online.

If you are using a security key, neither unintended private-key leakage nor malware can reveal your information. Jones also said, "As long as you retain access to the security key, you can be confident that it can't be used by anyone else for any other purpose."

To make the switch, users must log in and follow GitHub's instructions for creating a new key and adding it to their account.

Users will notice that the process is similar to how an SSH key was previously added to an account. Both online and SSH verification can be done using the same key.

To prevent malware from issuing requests on the account, remote Git operations like fetch, push, and pull would require an extra key tap.

When users are already authenticated locally, they can execute operations like branching and merging without having to go through this process again.
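For anyone tracking the switch described above, one way to see which registered SSH public keys are security-key-backed, as an added example that is not from GitHub's post. It relies on OpenSSH's `sk-` key-type names, runs over constructed sample lines, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: count security-key-backed vs. file-based SSH public keys.

# Classify one public-key line by its leading key-type field.
# Assumes plain "type base64 comment" lines (no authorized_keys options prefix).
classify_pubkey() {
    case "${1%% *}" in
        # OpenSSH key types whose private half lives on a FIDO security key
        sk-ssh-ed25519@openssh.com|sk-ecdsa-sha2-nistp256@openssh.com)
            echo "security-key" ;;
        # Key types whose private half is a file on disk
        ssh-ed25519|ssh-rsa|ssh-dss|ecdsa-sha2-nistp256|ecdsa-sha2-nistp384|ecdsa-sha2-nistp521)
            echo "software" ;;
        *)
            echo "unknown" ;;
    esac
}

# Summarise a file of public keys; list file-based keys on stderr.
audit_pubkeys() {
    sk=0; soft=0; unk=0
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in ''|'#'*) continue ;; esac
        case "$(classify_pubkey "$line")" in
            security-key) sk=$((sk + 1)) ;;
            software)     soft=$((soft + 1))
                          echo "file-based key: ${line##* }" >&2 ;;
            *)            unk=$((unk + 1)) ;;
        esac
    done < "$1"
    echo "security-key=$sk software=$soft unknown=$unk"
}

# Constructed sample input (key bodies are placeholders, not real keys).
sample_keys() {
    cat <<'EOF'
# keys registered for a hypothetical account
sk-ssh-ed25519@openssh.com AAAAplaceholder1 laptop-yubikey
ssh-rsa AAAAplaceholder2 old-workstation
sk-ecdsa-sha2-nistp256@openssh.com AAAAplaceholder3 backup-titan
ssh-ed25519 AAAAplaceholder4 ci-runner
EOF
}

tmp=$(mktemp)
sample_keys > "$tmp"
audit_pubkeys "$tmp"
rm -f "$tmp"
```

Keys reported as file-based are the ones still exposed to the private-key leakage the article mentions.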

Inactive and unused keys will be removed over time by GitHub. The firm was among the first to incorporate the FIDO Universal 2nd Factor (U2F) authentication standard.
