As elaborated in a recent blog post, GitHub justified its Web Authentication (WebAuthn) implementation as a much-needed feature for account security, because many users still rely on passwords alone instead of employing two-factor authentication.
Account security is critical for GitHub. Although we support strong authentication options, many people still don’t use a password manager or two-factor authentication because individual passwords have always been the easiest choice.

At the moment, GitHub offers conventional two-factor authentication options, such as SMS verification, authentication apps, and security keys. With this decision, GitHub plans to upgrade the security key to a primary second factor.
Because platform support is not yet ubiquitous, GitHub currently supports security keys as a supplemental second factor. But we’re evaluating security keys as a primary second factor as more platforms support them.
You can now use physical security keys on GitHub with:

- Windows, macOS, Linux, and Android: Firefox and Chrome-based browsers
- Windows: Edge
- macOS: Safari, currently in Technology Preview but coming soon to everyone
- iOS: Brave, using the new YubiKey 5Ci

Moreover, WebAuthn will also let users log in to their accounts with their device instead of using a separate physical key.
WebAuthn can make it possible to support login using your device as a “single-factor” security key with biometric authentication instead of a password.

To do so, users have to register their device with the corresponding biometric feature using the device's browser. For instance, users can register with Chrome on Android using the fingerprint reader, or on macOS using Touch ID. They can also register via the Microsoft Edge browser on Windows devices using Windows Hello.