GitHub Supports Web Authentication (WebAuthn) for Security Keys

206 points by johns, over 5 years ago

10 comments

sebazzz, over 5 years ago
> GitHub supported physical security keys using the experimental U2F API for Chrome

Yes, and to make it worse, they used user agent sniffing instead of feature detection even though it works fine in Firefox. Firefox enabled U2F because many sites which do implement U2F do not implement WebAuthn yet. Luckily, it appears GitHub is now on the right track.
StavrosK, over 5 years ago
This is fantastic. I look forward to finally having much easier authentication on the web. Imagine browsers syncing between devices a single encryption key that will authenticate you to all sites, which you can easily back up to a piece of paper.

EDIT: Unfortunately, it looks like the WebAuthn credential is only used as the second factor, so you can't use it to replace your password yet, let alone your username.
tptacek, over 5 years ago
In a somewhat related vein: it would be really fantastic if GitHub allowed the same SSH key (in my case: a Yubikey-resident SSH key) on multiple accounts; we use separate accounts for different clients, and GitHub's refusal to allow an SSH key to be used on multiple accounts means I can't use Yubikey SSH keys for those.

I get that this is a niche-y concern. :)
munchbunny, over 5 years ago
In the thread from the Yubico announcement earlier this week, someone brought up the question about why you can't disable SMS for recovery codes (SMS recovery codes, not SMS 2nd factor), since that undermines the security benefit of having your 2nd factor moved entirely to FIDO or OTP. Are there plans to fix that?
user6789675, over 5 years ago
I think security when it comes to third-party products is relative to the personal value one sees in that product and to one's personal use case.

If your GitHub account is really so important that you use your fingerprint each time you access it, sure, it is nice GitHub can support that.

But if you do not really mind and are happy with a password, that maybe, unlike your finger, you can share with someone on the other side of the world if you really like to, then why not use a password. I would expect GitHub should not prevent that.

It is sad to see a trend to really "make sure it is you" started by Facebook and Google taking over in all mainstream online services, and it is even worse to have people believe it is the only good for them.
joshca, over 5 years ago
> But there’s more—GitHub’s move toward WebAuthn makes it possible to use your laptop or phone as a security key without carrying a separate physical key.

How does this work? Is an OTP generated on the phone with a Google Authenticator-like app, and that OTP needs to be punched into the login form?
kmfrk, over 5 years ago
I've been waiting a million years for another branded sale on YubiKeys like the last time GitHub did one. Those things are so expensive.

Seems like a cool thing to sponsor, too - as long as it's tied to accounts to prevent underhanded measures.
u801e, over 5 years ago
I wonder if GitHub has ever considered allowing 2FA via the use of the private SSH key that's used for running git push or git fetch/pull?
patrickmcnamara, over 5 years ago
Great. This means I can log in on my phone again.
SEJeff, over 5 years ago
And multiple security keys at that! This is excellent.