GitHub has started supporting the Web Authentication (WebAuthn) web standard, allowing users to use security keys for two-factor authentication with a wide variety of browsers and devices.
New possibilities
Developer accounts at online code and software package repositories are a great target for attackers: compromising one or more means that they can surreptitiously add malicious code to already popular and widely deployed libraries and software packages.
GitHub users have had the ability to additionally protect their accounts by switching on 2-factor authentication since 2013, but the choices were limited to receiving the second factor via SMS or getting it from a Time-based One-Time Password app such as Google Authenticator, Duo Mobile or Authenticator.
Later, they got the option to use physical security keys as GitHub began supporting the experimental U2F API for Chrome, but it was limited.
WebAuthn support now in place, they can now use security keys with:
- Windows, macOS, Linux, and Android: Firefox and Chrome-based browsers
- Windows: Edge
- macOS: Safari (currently in Technology Preview but coming soon to everyone)
- iOS: Brave, using the new YubiKey 5Ci.
Also, for those who don’t want to lug around actual physical keys, WebAuthn allows them to turn their phone or laptop into one via:
- Windows Hello (through Microsoft Edge on Windows)
- Touch ID (through Chrome on macOS)
- A fingerprint reader (through Chrome on Android).
For the time being, security keys can still only be a second authentication factor but, according to GitHub security engineer Lucas Garron, they are looking into the option of making them a primary second factor as more platforms support them.
GitHub users can find instructions on how to set up and configure two-factor authentication on their accounts here.