• Chris Bratton - Tech Journalist

Passwordless GitHub: What’s next?

GitHub is retiring passwords for Git operations: from August 13, 2021, GitHub.com will no longer accept an account password when a client authenticates a Git push, pull or clone over HTTPS. Ahead of the cut-off, GitHub is scheduling brief "brownouts" in July 2021, windows of a few hours during which password authentication is rejected, so that anyone still relying on it hits an error while there is still time to switch. Signing in to the website is not affected; that still uses your password and, if enabled, two-factor authentication. Authentication on the web has changed shape several times over the years, and this is the latest step.

Back in 2004 Bill Gates, then Microsoft's chairman and chief software architect, predicted the death of the password at the RSA Conference. GitHub, now a Microsoft subsidiary, is taking a concrete step in that direction for one narrow but important case. The intention is to move away from the same reused password pattern and make authentication on the developer's side both easier and harder to abuse. The trade-off is that the security of the device holding the key or token becomes the baseline on the user's end.

A password is an easy target. It is the only wall between sensitive content and a third party, and it is the same wall on every site where it has been reused. A well-built service never stores the password itself, only a salted hash (hashing, not encryption, since nothing should ever turn it back into the password), which makes offline cracking slower but not impossible. Hashing also does nothing against phishing, keyloggers or credential stuffing with a password leaked from another site. Experience has shown often enough that passwords get compromised one way or another.

For a developer the change lands in the credential prompt. A git push, pull or clone over HTTPS still asks for a username and password; from August the value typed into the password field must be a personal access token created in the account's developer settings, or a token issued to an OAuth or GitHub App, not the account password. Tokens are long and not meant to be typed repeatedly, so the practical setup is to store one in a Git credential helper (Git Credential Manager or the operating system's keychain) and let Git present it automatically. GitHub Desktop signs in through a browser-based OAuth flow and keeps its own token, so it is unaffected; git-gui and other clients that call Git underneath use whatever credential helper Git is configured with. A one-time code from 2FA is still only asked for when signing in to the website; Git never prompts for it. GitHub security engineer Matthew Langlois announced the change on the GitHub blog in December 2020, and the first brownouts begin in July 2021.

HTTPS is the default clone URL, so this affects the bulk of everyday pushes, and it gives SSH a fresh look as the alternative. The two paths authenticate differently. SSH uses a key pair: the private key stays on the developer's machine and the public key is registered on GitHub, so SSH users are not affected by the password cut-off at all. HTTPS uses a token, either a personal access token or one issued to an OAuth or GitHub App. A token is a long random string, unique to each issuance, so it cannot be guessed or reused from another site's breach. It can be limited to a chosen set of scopes (read-only access to repositories, for instance) and individually revoked without touching anything else. That is least privilege applied to the credential: a leaked token grants only what it was scoped for, and only until it is revoked.
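To make those properties concrete, here is a small server-side token store, an example added for this article rather than GitHub's code: it mints a random token, stores only a hash of it, checks scopes on every use, and refuses a revoked one. The `tok_` prefix, the scope names and the `TokenStore` class are assumptions for the illustration and do not mirror GitHub's own token format or backend; token expiry is left out for brevity.

```python
import hashlib
import secrets
from dataclasses import dataclass

# Hypothetical prefix for this demo only; it does not reproduce GitHub's formats.
TOKEN_PREFIX = "tok_"


@dataclass
class TokenRecord:
    """What the server keeps: never the token itself, only its hash and metadata."""
    token_hash: str
    scopes: frozenset
    revoked: bool = False


class TokenStore:
    """Issues, verifies and revokes opaque bearer tokens (illustrative, not GitHub's)."""

    def __init__(self):
        self._records = {}  # token hash -> TokenRecord

    @staticmethod
    def _digest(token: str) -> str:
        # The token carries ~192 bits of randomness, so an unsalted SHA-256 is
        # enough as an index: unlike a password hash it cannot be brute-forced.
        return hashlib.sha256(token.encode("utf-8")).hexdigest()

    def issue(self, scopes) -> str:
        """Mint a token; the plaintext is returned once and never stored."""
        token = TOKEN_PREFIX + secrets.token_urlsafe(24)  # 24 random bytes -> 32 chars
        digest = self._digest(token)
        self._records[digest] = TokenRecord(digest, frozenset(scopes))
        return token

    def revoke(self, token: str) -> bool:
        """Mark one token dead without affecting any other credential."""
        rec = self._records.get(self._digest(token))
        if rec is None:
            return False
        rec.revoked = True
        return True

    def authorize(self, presented: str, required_scope: str) -> bool:
        """True only for a known, unrevoked token that carries the required scope."""
        if not presented.startswith(TOKEN_PREFIX):
            return False  # an account password or other junk never gets this far
        # Looking the hash up in a dict leaks nothing useful about the secret:
        # the key is a one-way digest of a high-entropy value the caller must already hold.
        rec = self._records.get(self._digest(presented))
        if rec is None or rec.revoked:
            return False
        return required_scope in rec.scopes


def demo() -> dict:
    """Walk through issue -> use -> revoke and return each outcome for inspection."""
    store = TokenStore()
    token = store.issue({"repo:read"})
    return {
        "token_len": len(token),
        "read_ok": store.authorize(token, "repo:read"),
        "write_denied": store.authorize(token, "repo:write"),
        "garbage_denied": store.authorize("tok_" + "A" * 32, "repo:read"),
        "password_denied": store.authorize("hunter2", "repo:read"),
        "revoked": store.revoke(token),
        "read_after_revoke": store.authorize(token, "repo:read"),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

On the client side the plaintext token is what goes into the password field of the Git prompt, or into the credential helper; the server only ever sees it to hash it and look the record up, which is why the same token can be scoped, revoked and audited in a way a shared account password cannot.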

Setting up is not hard. Anyone with 2FA enabled on their account has already been required to use a token or an SSH key for Git over HTTPS, so nothing changes for them. For everyone else, the brownouts turn a silent dependency on a password into a visible authentication error explaining that password authentication is no longer supported, and GitHub has also been emailing users who still authenticate with a password. Creating a personal access token takes a minute in the account's developer settings; pick only the scopes the workflow actually needs.

GitHub's secret scanning (it started life as "token scanning") works the other side of the problem: it watches for credentials that have been committed to repositories. When it finds one of GitHub's own tokens pushed to a public repository, GitHub revokes it automatically; tokens from partner services are reported to the issuing provider so they can be revoked. It does not generate tokens for you; those you create yourself. Developers therefore need to be careful how tokens reach deployed applications: keep them in environment variables or a secrets manager, never in source control, and rotate any token that has been exposed. Password spraying, credential stuffing and leaked password dumps do stop working against Git on GitHub, since no password is accepted any more. A keylogger or malware on the developer's machine can still lift a token, but the difference is that a token is scoped and revocable, so the damage is contained and the fix is one click. If it works out, other services may follow, and a passwordless world gets a little closer.
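A minimal version of that kind of scan, added here as an illustration and not GitHub's scanner: it matches the shape of the prefixed token formats GitHub announced in 2021 (`ghp_`, `gho_`, `ghu_`, `ghs_`, `ghr_` followed by 36 characters) against file contents, such as the staged files in a pre-commit hook, and reports each hit redacted. The sample files and the tokens inside them are constructed for the demo and are not real credentials, and the checksum GitHub builds into its tokens is not verified here, so a hit means "looks like a token", not "is a valid token".

```python
import re

# Shape of the prefixed GitHub token formats: a three-letter type prefix, an
# underscore, then 36 characters. GitHub's last characters are a checksum that
# this scanner does not verify; it only matches the shape.
GITHUB_TOKEN_RE = re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36}\b")

TOKEN_KINDS = {
    "ghp": "personal access token",
    "gho": "OAuth access token",
    "ghu": "GitHub App user-to-server token",
    "ghs": "GitHub App server-to-server token",
    "ghr": "GitHub App refresh token",
}


def redact(token: str) -> str:
    """Keep just enough to identify the token in a report without reprinting it."""
    return f"{token[:4]}...{token[-4:]}"


def scan_text(text: str):
    """Return (line_number, kind, redacted_token) for every match in text."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for match in GITHUB_TOKEN_RE.finditer(line):
            token = match.group(0)
            findings.append((lineno, TOKEN_KINDS[token[:3]], redact(token)))
    return findings


def scan_files(files):
    """Scan a mapping of path -> contents (e.g. staged files in a pre-commit hook)."""
    report = {}
    for path, content in files.items():
        hits = scan_text(content)
        if hits:
            report[path] = hits
    return report


# Constructed sample content: the strings below are made up and are not credentials.
FAKE_PAT = "ghp_" + "1234567890abcdefghijABCDEFGHIJ123456"    # 36 chars after prefix
FAKE_OAUTH = "gho_" + "zyxwvutsrq9876543210ZYXWVUTSRQ654321"  # 36 chars after prefix
COMMIT_SHA = "0123456789abcdef0123456789abcdef01234567"       # 40 hex chars, not a token

SAMPLE_FILES = {
    "deploy.sh": (
        "#!/bin/sh\n"
        f"export GITHUB_TOKEN={FAKE_PAT}\n"
        'git push "https://${GITHUB_TOKEN}@github.com/org/repo.git"\n'
    ),
    "config.yaml": (
        "oauth:\n"
        f'  token: "{FAKE_OAUTH}"\n'
        f"pinned_commit: {COMMIT_SHA}\n"
        "placeholder: ghp_REPLACE_ME\n"
    ),
    "README.md": "Set GITHUB_TOKEN in your environment; never commit it.\n",
}


if __name__ == "__main__":
    for path, hits in scan_files(SAMPLE_FILES).items():
        for lineno, kind, shown in hits:
            print(f"{path}:{lineno}: {kind} {shown}")
```

Wired into a pre-commit hook, a non-empty report is the signal to abort the commit; the `ghp_REPLACE_ME` placeholder and the 40-character commit hash in the sample are deliberately left unflagged, since the older unprefixed 40-hex token format was indistinguishable from a commit SHA and is exactly what the prefixes were introduced to fix.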