GitHub has finally GitSnubbed passwords for Git authentication.
"In December, we announced that beginning August 13, 2021, GitHub will no longer accept account passwords when authenticating Git operations and will require the use of strong authentication factors, such as a personal access token, SSH keys (for developers), or an OAuth or GitHub App installation token (for integrators) for all authenticated Git operations on GitHub.com," wrote Chief Security Officer Mike Hanley in a blog Monday.
"With the August 13 sunset date behind us, we no longer accept password authentication for Git operations."
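The factors Hanley lists (SSH keys, a personal access token, or an OAuth/app installation token over HTTPS) all leave a trace in a checkout's remote URLs or in whatever the credential helper hands to Git, so the practical first step in an existing repository is to see what each remote actually uses. The script below is an added example, not code from the original article or from GitHub: it classifies remote URLs and audits a `.git/config`, flagging HTTPS remotes that still carry an account password inline (GitHub now refuses those, and the secret sits in plaintext in `.git/config` either way). The token prefixes it recognises (`ghp_`, `gho_`, `ghu_`, `ghs_`, `ghr_`) are the ones GitHub published in 2021; treating any other inline secret as a plain password is an assumption, and the sample config, organisation, user, password and token are all constructed.

```python
"""Audit git remotes for the authentication method they imply.

Added example (not from the original article or from GitHub). Classifies
remote URLs as SSH, HTTPS (token expected from a credential helper), HTTPS
with an inline token, HTTPS with an inline account password, or insecure
transport, and scans a .git/config for all of them.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple
from urllib.parse import urlsplit

# Prefixes GitHub attaches to its tokens (published in 2021):
# ghp_ personal access, gho_ OAuth, ghu_/ghs_ GitHub App user/server, ghr_ refresh.
# Assumption: an inline secret with none of these prefixes is a plain account
# password, which GitHub no longer accepts for Git operations.
GITHUB_TOKEN_PREFIXES = ("ghp_", "gho_", "ghu_", "ghs_", "ghr_")

# scp-like SSH syntax: git@github.com:org/repo.git (no scheme, no "://")
SCP_LIKE = re.compile(r"^(?P<user>[^@/:]+)@(?P<host>[^:/]+):(?P<path>.+)$")


@dataclass
class RemoteAuth:
    url: str
    transport: str                  # ssh, https, http, git, unknown
    host: str
    embedded_user: Optional[str]
    embedded_secret: Optional[str]  # raw; never printed by redacted()
    verdict: str                    # ok, needs-token, embedded-token,
                                    # embedded-password, insecure, unknown

    def redacted(self) -> str:
        """URL safe to put in a report: the inline secret replaced by ***."""
        if not self.embedded_secret:
            return self.url
        return self.url.replace(self.embedded_secret, "***", 1)


def classify_remote(url: str) -> RemoteAuth:
    """Decide how Git will authenticate to this remote URL."""
    m = SCP_LIKE.match(url)
    if m and "://" not in url:
        return RemoteAuth(url, "ssh", m.group("host"), m.group("user"), None, "ok")

    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = parts.hostname or ""
    user, secret = parts.username, parts.password

    if scheme == "ssh":
        return RemoteAuth(url, "ssh", host, user, None, "ok")
    if scheme == "http":
        # Any credentials would cross the wire in clear text.
        return RemoteAuth(url, "http", host, user, secret, "insecure")
    if scheme == "https":
        if secret is None:
            # No inline secret: the credential helper must supply a PAT or
            # app installation token; a stored account password is refused.
            verdict = "needs-token"
        elif secret.startswith(GITHUB_TOKEN_PREFIXES):
            verdict = "embedded-token"       # accepted, but stored in plaintext
        else:
            verdict = "embedded-password"    # rejected since 2021-08-13
        return RemoteAuth(url, "https", host, user, secret, verdict)
    if scheme == "git":
        return RemoteAuth(url, "git", host, None, None, "insecure")
    return RemoteAuth(url, "unknown", host, user, secret, "unknown")


SECTION = re.compile(r'^\s*\[remote\s+"(?P<name>[^"]+)"\]\s*$')
URL_KEY = re.compile(r"^\s*(?:push)?url\s*=\s*(?P<url>\S+)\s*$", re.IGNORECASE)


def audit_git_config(config_text: str) -> List[Tuple[str, RemoteAuth]]:
    """Return (remote name, classification) for every url/pushurl in a .git/config."""
    findings: List[Tuple[str, RemoteAuth]] = []
    current: Optional[str] = None
    for line in config_text.splitlines():
        sec = SECTION.match(line)
        if sec:
            current = sec.group("name")
            continue
        if line.lstrip().startswith("["):
            current = None  # some other section, e.g. [core]
            continue
        key = URL_KEY.match(line)
        if current and key:
            findings.append((current, classify_remote(key.group("url"))))
    return findings


# Constructed sample .git/config; org, user, password and token are made up.
SAMPLE_CONFIG = """\
[core]
\trepositoryformatversion = 0
[remote "origin"]
\turl = https://alice:hunter2@github.com/example-org/app.git
\tfetch = +refs/heads/*:refs/remotes/origin/*
[remote "upstream"]
\turl = git@github.com:example-org/app.git
[remote "mirror"]
\turl = https://github.com/example-org/app.git
\tpushurl = https://alice:ghp_0123456789abcdef@github.com/example-org/app.git
"""

if __name__ == "__main__":
    for name, auth in audit_git_config(SAMPLE_CONFIG):
        print(f"{name:10} {auth.transport:6} {auth.verdict:18} {auth.redacted()}")
```

Run it over each clone's `.git/config` (and over `~/.git-credentials` if the `store` helper is in use, which keeps the same `https://user:secret@host` form) and treat every `embedded-password` as a remote that will fail on the next fetch or push and a secret that should be rotated; `embedded-token` remotes work but still deserve moving the token into a credential helper rather than leaving it on disk in clear.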
The move adds a layer of security to the platform a few weeks after another code repository, PyPI, the package index for the Python language, illustrated the hazards of software supply chain risk. In that case, malicious look-alike packages were uploaded to the index; when installed, they stole credit card information.
Hanley's blog also discusses the site's two-factor options, which range from hardware security keys to time-based one-time passwords (TOTP). He notes that SMS-based authentication remains available but that standards bodies advise against it, because SMS is vulnerable to SIM-swap attacks.
The GitHub move is getting good reviews from the company's peers.
In a statement, Mark Risher, senior director of product management for Google's identity and security platforms, said, "We’re glad to see GitHub moving beyond passwords and opting instead to use strong authentication for secure sign in. Passwords alone are simply no longer enough for sensitive and high-risk activities; they're too difficult to manage and too easy to steal."