GitHub joins WebAuthn club

Source code management site GitHub is the latest company to support WebAuthn – a new standard that makes logging into online services using a browser more secure.

WebAuthn is short for Web Authentication and it’s a protocol that lets you log into an online service by using a digital key. It’s a core part of FIDO2, a secure login protocol from the FIDO Alliance, which encourages industry support for these secure login standards.

GitHub, which Microsoft bought for $7.5bn last year, has been working to protect people’s accounts with stronger login options for a while now. Back in 2013, it announced support for two-factor authentication (2FA) via SMS text messages and 2FA apps on a mobile phone. Then, in October 2015, it launched support for universal second factor (U2F) authentication. This was a FIDO specification that allowed the use of a hardware key as a 2FA mechanism.

WebAuthn supersedes U2F and offers everything the older standard did along with some additional benefits:

  • It upgrades GitHub’s 2FA support to the latest industry standard. The World Wide Web Consortium (W3C), which oversees many of the standards that make up the web, approved WebAuthn as an official standard in March 2019.
  • While you can use a third-party hardware security key to use WebAuthn, in many cases you don’t need to. You can also use a digital key stored on your phone instead, turning the phone itself into your hardware key.
  • WebAuthn can be a primary access factor. U2F still needed a password to gain access, meaning that it could only ever be a second factor in your login process. The U2F-based physical key effectively said “yes, the person entering that password is legit, because I am in their possession”.

In theory, WebAuthn can replace the username and password altogether, making your phone, hardware security key or biometric reader the only access mechanism. It can tell the online service you’re accessing: “You don’t need a password. I say this person is legit, and that’s enough”.

That’s convenient, but many people might not be comfortable with it, because no matter what people say about passwords, they provide an extra layer of protection when used with a second factor. In any case, it’s a moot point for GitHub users right now. Online service providers must configure their sites to allow WebAuthn as a primary factor, and GitHub hasn’t done this yet. It only supports security keys as a supplemental second factor right now.

Patrick Toomey, senior manager of product security at GitHub, told us:

We’re focused on leveraging the most accessible resources for user security – which ensures that the security keys are available on every major platform. We understand that security needs will continue to evolve and we’re evaluating security keys as a primary second factor as more platforms support them.

WebAuthn support is undoubtedly a step forward, even for those developers using the command line to access GitHub. A lot of software engineers live on the command line, and they often use digital keys based on the Secure Shell (SSH) protocol to access GitHub, or an alternative GitHub mechanism called a personal access token that replaces a password.

Developers might log into their online accounts via a browser only rarely, meaning that they might not use WebAuthn often. Nevertheless, setting it as an access mechanism is still helpful because it makes it much more difficult for an attacker to pose as them and access their account.

GitHub supports WebAuthn today on Firefox and Chrome across Windows, macOS, Linux, and Android. Windows users can also access the service using WebAuthn in the Edge browser, while Mac users can use Safari (currently in Technology Preview mode). iOS users can use the Brave browser, but at this point, they’ll still need to use the YubiKey 5Ci hardware key alongside it.

GitHub’s announcement furthers Microsoft’s existing commitment to WebAuthn. FIDO certified the software giant to use FIDO2 in its Windows Hello identification product in May 2019.