GitHub says #GoPasswordless
Ajit Hatti August 25, 2021 Passwordless
All the recent high profile breaches we have seen, have one common root cause - Account takeovers with compromised credentials.
Solarwinds incidents is a biggest examples of how simple account takeovers lead to distribution of malicious updates, which then got amplified through the supply chain and affect the entire world.
GitHub being the world's code-repository and home for all updates, have taken a commendable step to curb account takeover attacks by going passwordless.
Beginning August 13, 2021, GitHub will no longer accept account passwords when authenticating Git operations on GitHub.com.
As informed previously by Ben Balter, Program Manager at GitHub in July 2020, GitHub wants its users to use alternative forms of authentication which involves tokens, keys, device identification etc.
GitHub has also assured the customers already using 2FA or MFA with their existing passwords will remain unaffected.
GitHub also acknowledges that many forms of 2FA that use SMS based OTP are weaker and bypassable, hence recommends stronger MFA solution to protect your GitHub accounts
As far as Enterprises are concerned, GitHub supports SAML based authentication which is leveraged by PureAUTH to provide passwordless authentication.