GitHub has introduced two new features to strengthen developer security and improve the development experience.
In a public beta release, the platform unveiled passkey authentication, giving users a secure, passwordless method of logging into their accounts. Passkeys replace conventional passwords and two-factor authentication (2FA) methods, providing stronger security and mitigating the risk of account compromise.
“Passkeys offer the best mix of security and reliability, and make accounts significantly more secure without compromising account access, which remains a problem with other 2FA methods like SMS, TOTP, and existing single-device security keys,” Hirsch Singhal, staff product manager at GitHub, told VentureBeat. “With our new update, developers can easily register a passkey on their GitHub account and stop using a password forever.”
The platform has also introduced a new automated branch-management feature known as the merge queue. It lets multiple developers land code on the same branch while each pull request is automatically built and tested together with the changes queued ahead of it. If a problem surfaces, the developer is promptly alerted.
Engineers have faced the challenge of merging directly on a busy branch, which can lead to code conflicts and a frustrating rework cycle.
GitHub’s merge queue solves this problem by creating a temporary branch. This branch incorporates the latest changes from the base branch, changes from other already queued pull requests, and changes from new pull requests.
The company says these updates prioritize developer security and streamline the development process, boosting GitHub’s reputation as a reliable and easy-to-use platform.
Streamlining the developer experience through the merge queue
Before the merge queue, developers were often stuck in a loop of updating their pull request branch before merging. This step was necessary to ensure that their changes did not break the main branch once merged.
With each update, a new round of continuous integration (CI) checks had to complete before the developer could merge. And if another pull request was merged in the meantime, every developer still waiting had to repeat the entire process.
To streamline and automate this workflow, the merge queue orchestrates the merging of pull requests systematically. Each pull request in the queue is built and tested together with the pull requests ahead of it.
When a user’s pull request targets a branch that uses the merge queue, the user can add it to the queue by clicking “Merge when ready” on the pull request page, or via GitHub Mobile, once the requirements for merging are met.
This action creates a temporary branch within the queue, which includes the most recent changes from the base branch, changes from other pull requests already in the queue, and changes from the user’s pull request.
If a pull request in the queue encounters merge conflicts or fails mandatory status checks, it is automatically dequeued when it reaches the front of the queue.
At the same time, a notification is sent to the user. Once the issue is resolved, the pull request can be added back to the queue.
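To make the ordering and dequeuing described above concrete, here is a simulation of the queue logic, added for this article and not GitHub’s own implementation. It stands in for a git tree with a file-to-content map, treats a file that changed on the base branch after the pull request was written as a merge conflict, and uses a hypothetical required check that fails on any file containing the marker FAIL; the five pull requests and their contents are constructed for the example.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// Branch is a flat file -> content map standing in for a git tree.
type Branch map[string]string

func (b Branch) clone() Branch {
	c := make(Branch, len(b))
	for k, v := range b {
		c[k] = v
	}
	return c
}

// PullRequest carries the new content of each file it changes and the content
// of those files on the base branch when the change was written. The snapshot
// is what lets the queue notice that a file moved underneath the PR.
type PullRequest struct {
	Number   int
	Edits    map[string]string
	SeenBase map[string]string
}

// Outcome is what the queue reports back for one pull request.
type Outcome struct {
	Number int
	Merged bool
	Reason string // why it was dequeued; empty when merged
}

// RunMergeQueue processes prs in queue order. For each PR it builds a temporary
// branch from the base branch plus every earlier PR still in the queue plus the
// PR itself, runs the required status check on that branch, and either merges
// the PR or dequeues it with a reason. A dequeued PR is left out of the
// temporary branches built for the PRs behind it.
func RunMergeQueue(base Branch, prs []PullRequest, check func(Branch) error) (Branch, []Outcome) {
	tip := base.clone() // base branch plus everything merged so far
	outcomes := make([]Outcome, 0, len(prs))
	for _, pr := range prs {
		tmp := tip.clone()
		files := make([]string, 0, len(pr.Edits))
		for f := range pr.Edits {
			files = append(files, f)
		}
		sort.Strings(files) // deterministic conflict reporting
		reason := ""
		for _, f := range files {
			// Conflict: the file on the temporary branch is no longer what this
			// PR's author saw (an earlier queued PR changed or removed it).
			if tmp[f] != pr.SeenBase[f] {
				reason = "merge conflict in " + f
				break
			}
			tmp[f] = pr.Edits[f]
		}
		if reason == "" {
			if err := check(tmp); err != nil {
				reason = "required check failed: " + err.Error()
			}
		}
		if reason != "" {
			outcomes = append(outcomes, Outcome{Number: pr.Number, Reason: reason})
			continue // dequeued and the author notified; tip is unchanged
		}
		tip = tmp
		outcomes = append(outcomes, Outcome{Number: pr.Number, Merged: true})
	}
	return tip, outcomes
}

// sampleCheck stands in for CI (hypothetical): any file containing "FAIL" breaks the build.
func sampleCheck(b Branch) error {
	for f, content := range b {
		if strings.Contains(content, "FAIL") {
			return fmt.Errorf("%s does not build", f)
		}
	}
	return nil
}

// QueueDemo runs five constructed pull requests through the queue against a
// two-file base branch and returns the resulting branch and per-PR outcomes.
func QueueDemo() (Branch, []Outcome) {
	base := Branch{"main.go": "v1", "README.md": "docs v1"}
	prs := []PullRequest{
		{Number: 101, Edits: map[string]string{"main.go": "v2"}, SeenBase: map[string]string{"main.go": "v1"}},
		{Number: 102, Edits: map[string]string{"README.md": "docs v2"}, SeenBase: map[string]string{"README.md": "docs v1"}},
		// 103 was written against main.go v1, which 101 replaces: conflict.
		{Number: 103, Edits: map[string]string{"main.go": "v3"}, SeenBase: map[string]string{"main.go": "v1"}},
		// 104 adds a new file that fails the required check.
		{Number: 104, Edits: map[string]string{"lib.go": "// FAIL: not finished"}},
		// 105 was rebased onto 101's main.go v2, so it merges cleanly.
		{Number: 105, Edits: map[string]string{"main.go": "v4"}, SeenBase: map[string]string{"main.go": "v2"}},
	}
	return RunMergeQueue(base, prs, sampleCheck)
}

func main() {
	tip, outcomes := QueueDemo()
	for _, o := range outcomes {
		if o.Merged {
			fmt.Printf("#%d merged\n", o.Number)
		} else {
			fmt.Printf("#%d dequeued: %s\n", o.Number, o.Reason)
		}
	}
	fmt.Println("base branch now:", tip)
}
```

Running it shows #101, #102 and #105 merging, #103 dequeued for a conflict in main.go when it reaches the front, and #104 dequeued because the check fails; the base branch ends at main.go v4 and README.md docs v2 with no lib.go. The point of the simulation is the second-order effect: because #103 and #104 never advance the tip, #105 is built against exactly the code that will be on the branch when it merges.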
For a complete overview of the state of the queue, developers can open the queue details page from the branches page or the pull requests page. It lists the pull requests in the queue along with the status of each, including any required status checks still in progress and an estimated time to merge.
It also offers insight into the number of merged pull requests and tracks trends over the last 30 days.
Better code protection with passkeys
GitHub’s Singhal said that most security breaches result from cheap, common attacks, including social engineering, credential theft and credential leaks. He says more than 80% of data breaches are related to passwords.
The company introduced its passkey feature in response. It strengthens developer account security while keeping the user experience seamless. The platform had previously run a 2FA initiative; it now expands those efforts further with passkey authentication on GitHub.com.
“Password or token theft is the leading cause of account takeover (ATO). GitHub offers secret scanning to look for leaked secrets (such as passwords or tokens) to reduce theft, and the enhanced security of passkeys gives us an effective way to prevent password theft and ATO,” Singhal told VentureBeat.
Singhal pointed out that passkeys offer greater resistance to phishing attempts than traditional passwords and are significantly harder to guess.
“You don’t have to remember anything either – your devices do it for you and verify your identity before authenticating with whatever website you’re accessing. So they are generally safer, easier to use and harder to lose,” he added.
Stay logged in even if you lose your phone
He said that a common way of losing access to a GitHub account is a broken or replaced phone. It happens when a user sets up 2FA on a device that later fails, leaving them unable to use their 2FA method and effectively locked out of the account.
Passkeys offer a solution by enabling cross-device syncing facilitated by reputable passkey providers like iCloud, Dashlane, 1Password, Google, and Microsoft.
These providers and others have established secure systems that ensure the seamless transfer of passkeys between devices and into the cloud. As a result, the loss or damage of a single device no longer results in permanent loss of the passkey.
“Technically speaking, passkeys are a domain-generated public-private key pair. This ensures three things: no two passkeys are the same; resistance to phishing; and hack-proof credentials,” Singhal explained. “The main benefit is the ease of logging into new devices without compromising account security or having to use backup credentials or your password.”
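The phishing resistance Singhal describes, and the point made earlier that passkeys are harder to phish than passwords, both come from the key pair being scoped to the site’s domain and from the signed data carrying the origin the browser actually saw. The following Go program, added here as an illustration and not GitHub’s code, models that with a WebAuthn-style exchange built on Ed25519 from the standard library: one key per relying-party ID, an assertion over sha256(rpID) || sha256(clientData), and a verifier that checks challenge, origin and rpID before the signature. The authenticator, the look-alike domain github-login.example and the challenge strings are constructed for the example, and the real protocol’s byte formats are simplified.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"errors"
	"fmt"
)

// Authenticator holds one key pair per relying-party ID (the site's domain). Keys
// are looked up only by rpID, so a page on another domain has nothing to sign with.
type Authenticator map[string]ed25519.PrivateKey

// Register mints a key pair scoped to rpID; the relying party stores the public key.
func (a Authenticator) Register(rpID string) (ed25519.PublicKey, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	a[rpID] = priv
	return pub, nil
}

// ClientData is what the browser binds into the signature: the server's challenge
// and the origin the request really came from. The page chooses neither value.
type ClientData struct {
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}

// Assertion is the signed login response returned to the relying party.
type Assertion struct {
	RPIDHash   [32]byte
	ClientData []byte
	Signature  []byte
}

// GetAssertion is the browser-side call. The browser derives rpID from the page's
// origin; the authenticator signs sha256(rpID) || sha256(clientData).
func (a Authenticator) GetAssertion(origin, rpID, challenge string) (*Assertion, error) {
	priv, ok := a[rpID]
	if !ok {
		return nil, fmt.Errorf("no passkey registered for %q", rpID)
	}
	cd, err := json.Marshal(ClientData{Challenge: challenge, Origin: origin})
	if err != nil {
		return nil, err
	}
	rpHash, cdHash := sha256.Sum256([]byte(rpID)), sha256.Sum256(cd)
	sig := ed25519.Sign(priv, append(rpHash[:], cdHash[:]...))
	return &Assertion{RPIDHash: rpHash, ClientData: cd, Signature: sig}, nil
}

// Verify is the relying-party side: expectedOrigin, rpID and challenge are the
// server's own values, never taken from the response; pub was stored at registration.
func Verify(pub ed25519.PublicKey, expectedOrigin, rpID, challenge string, asr *Assertion) error {
	var cd ClientData
	if err := json.Unmarshal(asr.ClientData, &cd); err != nil {
		return err
	}
	if cd.Challenge != challenge {
		return errors.New("challenge mismatch (stale or replayed assertion)")
	}
	if cd.Origin != expectedOrigin {
		return fmt.Errorf("origin %q is not %q", cd.Origin, expectedOrigin)
	}
	if asr.RPIDHash != sha256.Sum256([]byte(rpID)) {
		return errors.New("rpId hash mismatch")
	}
	cdHash := sha256.Sum256(asr.ClientData)
	if !ed25519.Verify(pub, append(asr.RPIDHash[:], cdHash[:]...), asr.Signature) {
		return errors.New("bad signature")
	}
	return nil
}

// login performs one browser-side assertion and verifies it as github.com would.
func login(auth Authenticator, pub ed25519.PublicKey, origin, rpID, challenge string) error {
	asr, err := auth.GetAssertion(origin, rpID, challenge)
	if err != nil {
		return err
	}
	return Verify(pub, "https://github.com", "github.com", challenge, asr)
}

// PasskeyDemo runs three constructed logins against the key registered for github.com:
// a genuine one, a hypothetical look-alike domain relaying GitHub's real challenge,
// and a misbehaving client signing the right rpID from the wrong origin.
func PasskeyDemo() (legit, lookalike, wrongOrigin error) {
	auth := Authenticator{}
	pub, err := auth.Register("github.com")
	if err != nil {
		return err, err, err
	}
	legit = login(auth, pub, "https://github.com", "github.com", "challenge-1")
	lookalike = login(auth, pub, "https://github-login.example", "github-login.example", "challenge-2")
	wrongOrigin = login(auth, pub, "https://github-login.example", "github.com", "challenge-3")
	return legit, lookalike, wrongOrigin
}

func main() {
	legit, lookalike, wrongOrigin := PasskeyDemo()
	fmt.Println("genuine login:", legit)
	fmt.Println("look-alike domain:", lookalike)
	fmt.Println("wrong origin:", wrongOrigin)
}
```

The look-alike case fails before anything is signed: the browser scopes the credential lookup to the page’s own domain, so relaying GitHub’s real challenge gains the attacker nothing. The third case shows the server-side half of the defence; even if a client produced a signature over the correct rpID, the origin inside the signed client data would not match and the relying party rejects it. Nothing in the flow is a secret the user could be talked into typing elsewhere.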
Classic cross-device authentication (CDA) in OAuth2 relies on the device code flow, which is vulnerable to phishing by relaying the code. In such an attack, the attacker forwards the QR code or device code to the victim; if the victim uses that code to log in, they unknowingly authorize the attacker’s session.
With passkeys, CDA takes a different approach. It establishes a secure and dedicated channel directly between the two devices involved. This unique channel allows one device to use another’s passkey without exposing the actual credentials.
Singhal pointed out that the new update also increases resistance to phishing attempts. This is accomplished by having the authenticating device, such as a phone, verify the proximity of the requesting device, such as a laptop.
“This means that an attacker cannot forward the CDA QR code to a victim and have them use it to log in – the phone will scan the QR code and start looking for the attacker’s computer to connect to,” he said. “And since it’s not there, the authentication fails, and so does the attack.”