Introducing passwordless authentication on GitHub

Just as I feared when Microsoft took over GitHub, they are now advancing their positions towards the full surveillance community. This is not okay, and you should all make this clear to GitHub’s management.

Please elaborate. What is bad about passkeys? Keys for auth have been around a long while, and are often a good idea.

Is it just the part where these OSes sync them in their “password managers” with barely a question asked most likely? Probably not different from what they already do with your passwords.

Well I’m not against keys of course; what I’m against is that they want to attach those keys to your real-life person. Read the blog post and reflect on why they want to use facial recognition and fingerprints please.

That’s no different from a password behind a password manager with similar protection/authentication, is it?

I’ve never used one of those, so I wouldn’t know.
I do have a password manager, but that one is purely local.

I have to admit, I’m quite happy with password foo + OTP and believe that’s stronger protection than a single key. I’m a bit nervous about keys that persist and like the one-time 2nd factor.

IMO persistent keys are okay, as long as they are good enough and not compromised. :wink:

Thing is, keys compromised, you’re compromised. If using 2FA, password compromised, you’re not compromised. But it depends on how the key/hash is stored. If it’s in a vault that’s 2FA, then it’s ok.

The part I don’t get is that it seems up to the client/vault to tell the service whether it is secured with a second factor or not. While I don’t mind being able to trick GitHub (since they enforce 2FA on my account, and that way I could have my choice back), that’s a really, really bad idea in the normal case. I hope I’m missing something.
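
Editor’s note, added to illustrate the mechanism the two posts above are circling around; this is example code, not from any participant in the thread or from GitHub. In WebAuthn the authenticator (platform vault or hardware key) signs an `authenticatorData` blob whose flags byte carries a User Verified (UV) bit saying "I checked a PIN/biometric locally", plus Backup Eligible/Backup State (BE/BS) bits that mark a credential as a synced passkey. The relying party reads those bits; it cannot independently verify that UV really happened, only decide which authenticators it trusts (via attestation at registration). The Python below parses the fixed fields and applies the standard relying-party checks (rpIdHash, UP, UV policy, signCount). The RP ID `github.com`, the fixture bytes and the `check_assertion` helper are constructed for this example.

```python
import hashlib
import struct
from typing import Tuple

# Bit positions of the WebAuthn authenticatorData "flags" byte.
FLAG_UP = 0x01  # User Present (touch / click on the authenticator)
FLAG_UV = 0x04  # User Verified (PIN, fingerprint or face checked by the authenticator)
FLAG_BE = 0x08  # Backup Eligible (credential may be synced to other devices)
FLAG_BS = 0x10  # Backup State (credential is currently synced / backed up)
FLAG_AT = 0x40  # Attested credential data follows the fixed fields
FLAG_ED = 0x80  # Extension data follows


def parse_authenticator_data(auth_data: bytes) -> dict:
    """Split the fixed 37-byte prefix of authenticatorData into its fields."""
    if len(auth_data) < 37:
        raise ValueError("authenticatorData shorter than 37 bytes")
    rp_id_hash = auth_data[:32]           # SHA-256 of the RP ID the credential is scoped to
    flags = auth_data[32]                 # the byte the service actually inspects
    (sign_count,) = struct.unpack(">I", auth_data[33:37])  # big-endian 32-bit counter
    return {
        "rp_id_hash": rp_id_hash,
        "user_present": bool(flags & FLAG_UP),
        "user_verified": bool(flags & FLAG_UV),
        "backup_eligible": bool(flags & FLAG_BE),
        "backup_state": bool(flags & FLAG_BS),
        "sign_count": sign_count,
    }


def build_authenticator_data(rp_id: str, flags: int, sign_count: int) -> bytes:
    """Constructed test fixture: a minimal authenticatorData blob, not real authenticator output."""
    return hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + struct.pack(">I", sign_count)


def check_assertion(auth_data: bytes, expected_rp_id: str,
                    require_uv: bool, last_sign_count: int) -> Tuple[bool, str]:
    """Relying-party checks on a signed assertion (hypothetical helper). Returns (accepted, reason).

    Signature verification over authenticatorData || SHA-256(clientDataJSON) is assumed
    to have been done already; this function only evaluates the parsed fields.
    """
    parsed = parse_authenticator_data(auth_data)
    if parsed["rp_id_hash"] != hashlib.sha256(expected_rp_id.encode()).digest():
        return False, "rpIdHash mismatch"
    if not parsed["user_present"]:
        return False, "UP flag not set"
    # The UV bit is asserted by the authenticator itself; the RP can only require it,
    # not prove it. Trust in the bit comes from which authenticators were allowed at registration.
    if require_uv and not parsed["user_verified"]:
        return False, "UV flag not set but user verification required"
    # Synced passkeys legitimately report signCount 0 forever; only when either side is
    # non-zero does a counter that fails to increase indicate a possibly cloned credential.
    if parsed["sign_count"] != 0 or last_sign_count != 0:
        if parsed["sign_count"] <= last_sign_count:
            return False, "signCount did not increase (possible cloned credential)"
    return True, "ok"


if __name__ == "__main__":
    synced = build_authenticator_data("github.com", FLAG_UP | FLAG_UV | FLAG_BE | FLAG_BS, 0)
    print(parse_authenticator_data(synced))
    print(check_assertion(synced, "github.com", require_uv=True, last_sign_count=0))
    touch_only = build_authenticator_data("github.com", FLAG_UP, 5)
    print(check_assertion(touch_only, "github.com", require_uv=True, last_sign_count=0))
```

The `BE`/`BS` bits are how a service can tell a synced, cloud-backed passkey apart from a device-bound one, which is the distinction an RP would use if it wanted to treat the two differently; and the `UV` bit is exactly the self-reported "second factor happened" signal the post above worries about.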

Of course my keys are in a vault, and I’ve always practised the rule one login = one key. I would never reuse login keys.
So, one compromised key is just one compromised login. Pretty easy to adjust.
@attah I need to sleep, please be patient, I’ll try to answer tomorrow.

Sorry for the late reply, real-life interruption you know…
My protest is not about 2-factor authentication or not. It is a question of whether we should be forced to use facial recognition/fingerprints.
These are two identification methods that are directly linked to your real identity.
And for what reason? All you want is to store a piece of code publicly. Why does it have to be traceable, all the way up your ass?

But you are not. Granted, the post is a right mess, and does not convey the technology clearly.

It doesn’t seem like the option to use passwords is going anywhere, and while they seem to give preferential treatment to passkeys with a local 2nd factor (how on earth they detect that…) that does not seem mandatory, or limited to biometrics in any way.