GitHub auth

I don't know anything about passkeys but if Microsoft is pushing for them I am immediately suspicious. I am admittedly paranoid but if you have been an adult using a computer over the past ~15 years and aren't paranoid you haven't been paying enough attention

If by "passkey" they mean an HSM I'm okay with it
I'd still rather have TOTP as my 2nd factor so I don't have to plug shit in
- TOTP is the superior option, IMO, but I'm no expert on security so maybe they're insecure? it sure seems like some folks would rather do anything but time-based onetimes.
  hardware keys are a pain in the neck, just one more thing to be lost.
- I've plugged my phone in so many times and it doesn't detect shit. I'd rather stick with totp/email.

I kinda hate the push towards passkeys. If you have two factor Auth, going to passkeys makes you go back to 1 factor, aka less secured.

There's also more and more 2FA fatigue attacks going on, and they can affect passkeys too, and if you don't have a 2FA that involves the user writing a code on the 2FA device, passkeys could be quite possibly worse than passwords

Also, what happens if your device with the passkey fails?
Like the drive craps out?
- You are supposed to have two redundant ones. Hooked up to every service. One leaves the house with you, the other stays in a safe, and you rotate them periodically
  and nobody is gonna fucking do that lol
  Mine are USB-A and USB-C so no two computers can use both. One of them randomly quit working (something in the OS dropped support for it maybe?) but then I think started working again?
  At an old job I had a lot of control over my own infra and I used my HSM to log in to my forge. I haven't used it daily in years now.
- Similar problem with 2FA though
I think this post is about git CLI, not www.github.com.
SSH keys are very secure and you can still encrypt them with a password if you wish.
- encrypt them with a password if you wish.
  SSH keys without passphrases are just fancy credential files sitting in your .ssh/ directory, basically like writing your passwords on paper and leaving it in your desk drawer.
- It’s not about encryption/security it’s about creating something that can’t be phished.
  We know that 2fa is secure. But if an attacker can trick you into giving them the code, or typing it in a fake box. Then they own you.
  Passkeys are made so that there’s nothing to give, nothing to type. You must control the device.
Under passkey implementations, you need to unlock the passkey device with biometrics or passwords. Something you are/know (biometrics/passwords) and something you have (passkey).
It's not impossible to screw it up. Put your passkeys in bitwarden, reuse a password and don't 2fa that.
- My workplace doesn't allow Bitwarden because 'it's not secure'.
That sort of thing is the push I need to get entirely off of Github
Passkeys use public key authentication. This makes them very resistent to phishing attacks. It's also not possible for a phishing site to request authentication via a passkey created on a the original website.
- In practice, they use Face ID, which has privacy implications.
Yeah. Passkeys are something I would love if they were a second factor because they are so much better than any other 2fa. And I use my yubikeys as second factors where I can. But why the hell would I not want a password too?
- Passkeys are always supposed to be protected by another layer of authentication. e.g. a password should be required to unlock the passkey. If your passkey don't do that, stop using it.
- No phishing
- If I provide passkey support and still require a password, most users will get annoyed and not bother. If I provide it as a replacement for password, then I can get them onboard more often. I'd rather have them using passkey than sticking with password.
It's different. It's still two factors if implemented correctly: 1. Possession of the passkey (better if you have a physical token, but passkey on your phone is passable). 2. Knowledge of your password (or bio authentication if you use face id or w/e).
Note you are not giving your password to the website, and if a hacker gets hold of your password they still can't do anything without your passkey device.
- Knowledge of your passwords
  Uh... What password?
It's still more secure than password+sms/email
- Barely.

If this isn't referring to the Git CLI that prompts the user for username and password for a GitHub remote repository and GitHub rejecting password auth, then disregard this rant.

Git and GitHub are two seperate pieces of software. Git is the local client that does all the work and can optionally sync with a remote repository that can be stored in GitHub or GitLab or any other compatible remote. When Git asks for a password to authenticate, it has nothing to do with GitHub. GitHub then rejects that authentication method that Git provided because it believes that the method is insecure.

Wait until we tell them that Java and JavaScript are also different languages that are completely different things.
- Both terrible in their own special way.

I mean, that’s just the Git behavior.

not sure why you're getting downvoted for actually knowing the default behavior for git when interacting with an http remote

What happens to the account access if the passkey-registered device dies?

You can have more than one passkey.
You can still use password + 2fa
You can use google oauth.
You can use a YUBI key
You should probably have a primary and secondary auth for every site.
- Or just a password that is known to you and only you.
- So, losing a passkey isn't a lost account?
- I didn't know about the ability to use more than one passkey per platform. Something I'll have to investigate further.
- What’s the point of a passkey if you can still use a password
My passkeys are stored in keypass, which I share between multiple devices. Phone, home servers, desktop pc and a flashdrive that stays in my car.
Obviously the flash drive needs to be manually updated but the other devices use syncthing to keep everything up to date.
I get there are some people that have concerns over such a configuration but I'm happy bopping away knowing that if my phone dies, I've still got access to accounts / can easily be back up and running on a fresh device.
- What happens when that file gets breached?

Still using Github, the American company owned by Micro$oft, known for deleting repos? I'd consider switching away from them, If you're able to.

They offer free build time on windows and mac. There are also specific integration for GitHub not available for other platforms. I don't rely on it for storing my code, just for building. I could spend a month and migrate to a different platform but so far there was no point.

Huh?

GitHub hasn't allowed http pushes with password auth for a while. you need either to do an ssh push or use an api token. yet, anythime you do an http push for the first time, you are prompted for a password. the real reason for this is git, not github
- You can with PATs though
- http or https?

when they tell you to check your email for a code when you just put in your username and password

I hate this. There's nothing on my Github that's so valuable it needs protection. It's just a waste of time when I'm trying to make a bug report or something.