Source code management site GitHub is the latest company to support WebAuthn – a new standard that makes logging into online services using a browser more secure.
WebAuthn is short for Web Authentication and it’s a protocol that lets you log into an online service by using a digital key. It’s a core part of FIDO2, a secure login protocol from the FIDO Alliance, which encourages industry support for these secure login standards.
GitHub, which Microsoft bought for $7.5bn last year, has been doing its best to secure peoples’ accounts with more secure logins for a while now. Back in 2013, it announced support for two-factor authentication (2FA) via SMS text messages and 2FA apps on a mobile phone. Then, in October 2015, it launched support for universal second factor (U2F) authentication. This was a FIDO specification that allowed the use of a hardware key as a 2FA mechanism.
WebAuthn supersedes U2F and offers everything the older standard did along with some additional benefits:
- It upgrades GitHub’s 2FA support to the latest industry standard. The World Wide Web Consortium (W3C), which oversees many of the standards that make up the web, approved WebAuthn as an official standard in March 2019.
- While you can use a third-party hardware security key to use WebAuthn, in many cases you don’t need to. You can also use a digital key stored on your phone instead, turning the phone itself into your hardware key.
- WebAuthn can be a primary access factor. U2F still needed a password to gain access, meaning that it could only ever be a second factor in your login process. The U2F-based physical key effectively said “yes, the person entering that password is legit, because I am in their possession”.
In theory, WebAuthn can replace the username and password altogether, making your phone, hardware security key or biometric reader the only access mechanism. It can tell the online service you’re accessing: “You don’t need a password. I say this person is legit, and that’s enough”.
That’s convenient, but many people might not be comfortable with it, because no matter what people say about passwords, they provide an extra layer of protection when used with a second factor. In any case, it’s a moot point for GitHub users right now. Online service providers must configure their sites to allow WebAuthn as a primary factor, and GitHub hasn’t done this yet. It only supports security keys as a supplemental second factor right now.
Patrick Toomey, senior manager of product security at GitHub, told us:
We’re focused on leveraging the most accessible resources for user security – which ensures that the security keys are available on every major platform. We understand that security needs will continue to evolve and we’re evaluating security keys as a primary second factor as more platforms support them.
WebAuthn support is undoubtedly a step forward, even for those developers using the command line to access GitHub. A lot of software engineers live on the command line, and they often use digital keys based on the secure socket shell (SSH) protocol to access GitHub, or an alternative GitHub mechanism called a personal access token that replaces a password.
Developers might log into their online accounts via a browser only rarely, meaning that they might not use WebAuthn often. Nevertheless, setting it as an access mechanism is still helpful because it makes it much more difficult for an attacker to pose as them and access their account.
GitHub supports WebAuthn today on Firefox and Chrome across Windows, macOS, Linux, and Android. Windows users can also access the service using WebAuthn in the Edge browser, while Mac users can use Safari (currently in Technology Preview mode). iOS users can use the Brave browser, but at this point, they’ll still need to use the YubiKey 5Ci hardware key alongside it.
GitHub’s announcement furthers Microsoft’s existing commitment to WebAuthn. FIDO certified the software giant to use FIDO2 in its Windows Hello identification product in May 2019.
Ian
I need to read more about WebAuthn but using it as the only authentication factor does not seem to be a good idea to me. I love MFA because it requires you to both know something and have something. With WebAuthn only authentication you only need to have something. And anything that you have can be lost, stolen, duplicated, etc and I am not comfortable relying on something like that.
john kenny
FYI it still requires a PIN on top of Webauth or security key in Windows Hello, Github included.
Mark Stockley
WebAuthn paves the way for multi-factor authentication at the authenticator level – so you might have a device (that, yes, you have to secure and can loose) that requires fingerprint or PIN authentication in order to work, much as your phone or laptop does today. In fact, your phone could be your authenticator.
You can read more about WebAuthn here:
https://nakedsecurity.sophos.com/2018/11/22/the-passwordless-web-explained/
roleary
Making an android device into your authenticator sounds like no security at all to me.
john kenny
Excellent news, my Yubikey 5 is more useful again! With Windows 10’s hello for business support for FIDO2 keys it seems everyone else is jumping on the Fido2 bandwagon. Took a long time to be useful though as i had the Yubikey 4 too but the support at the time just wasn’t there. Now If we could just get Sophos to pick this up for Sophos ID it would make my day!
Jo
Border police or a common third can just take your access token and get into ALL of your accounts and devices, no password or consent needed…. GREAT, IDEA!
Jo
*Common thief
Mark Stockley
Get an access token that requires authentication.
Spike Robinson
GitHub already supports access with a digital key only – an SSH keypair, for all or most git operations. That’s been the case for years. Other than perhaps pull request operations there’s not much sensitive you can do in GitHub that you can’t do via its git layer using an SSH key.
Epic_Null
I believe pull operations still use the ssh key if the repo is private.