GitHub has added support for securing SSH Git operations using FIDO2 security keys for added protection from account takeover attempts.
Researchers at North Carolina State University (NCSU) found two years ago that more than 100,000 GitHub repositories had leaked API tokens and cryptographic (SSH and TLS) keys, after scanning roughly 13% of GitHub’s public repositories over almost six months.
Even worse, they discovered that thousands of new repositories were leaking secrets daily.
With GitHub’s newly added feature, you can now use portable FIDO2 devices for SSH authentication to secure Git operations, prevent accidental private key exposure, and stop malware from initiating requests without your approval.
“Once generated, you add these new keys to your account just like any other SSH key,” GitHub Senior Security Engineer Kevin Jones said.
“You’ll still create a public and private key pair, but secret bits are generated and stored in the security key, with the public part stored on your machine like any other SSH public key.”
A private key file is still stored on your computer, but it is only a reference to your physical security key and is useless without access to the actual device.
“When using SSH with a security key, none of the sensitive information ever leaves the physical security key device,” Jones added. “If you’re the only person with physical access to your security key, it’s safe to leave plugged in at all times.”
You can now use FIDO security keys for SSH git operations. Support for ed25519-sk and ecdsa-sk keys has been added to GitHub. https://t.co/E386ZVatoh
— Kevin Jones (@vcsjones) May 10, 2021
To further increase your GitHub account’s resilience against takeover attempts, you should replace all previously registered SSH keys with SSH keys backed by security keys.
This guarantees that you are the only one able to manage your projects’ Git data over SSH while your FIDO2 security key is under your control.
Using only SSH keys backed by FIDO2 devices means that you will not have to keep track of all SSH keys you generate since they are useless without access to the security key they are paired with.
Additionally, GitHub automatically removes any inactive SSH keys (unused in over a year) from your account, thus making key management a lot easier if you’re working on multiple devices or you’ve lost one of them.
To switch to the new SSH Git operations workflow today, you need to log in to your GitHub account, generate a new SSH key for a hardware security key, and then add it to your account.
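Before replacing previously registered keys, it helps to know which of them are not hardware-backed. The following is an added example, not code from GitHub or from this article: it parses public key lines in the `type base64 [comment]` form and flags every key whose type is not one of OpenSSH's security-key types (`sk-ssh-ed25519@openssh.com` for ed25519-sk, `sk-ecdsa-sha2-nistp256@openssh.com` for ecdsa-sk). The function names and the sample keys (all-zero key material) are constructed for illustration, and lines carrying an `authorized_keys` options prefix are assumed absent.

```python
import base64
import struct

# OpenSSH public key types for FIDO-backed keys (ed25519-sk, ecdsa-sk).
SK_TYPES = {"sk-ssh-ed25519@openssh.com", "sk-ecdsa-sha2-nistp256@openssh.com"}

def read_fields(blob):
    """Split an SSH wire-format blob into its length-prefixed fields."""
    fields, pos = [], 0
    while pos < len(blob):
        (size,) = struct.unpack(">I", blob[pos:pos + 4])  # struct.error if truncated
        pos += 4
        if pos + size > len(blob):
            raise ValueError("field runs past end of blob")
        fields.append(blob[pos:pos + size])
        pos += size
    return fields

def classify(line):
    """Return (verdict, comment) for one 'type base64 [comment]' line."""
    parts = line.split(None, 2)
    if len(parts) < 2:
        return ("malformed", "")
    declared = parts[0]
    comment = parts[2].strip() if len(parts) > 2 else ""
    try:
        fields = read_fields(base64.b64decode(parts[1], validate=True))
    except (ValueError, struct.error):  # bad base64 or bad framing
        return ("malformed", comment)
    # The first field inside the blob names the real key type; check it against the label.
    if not fields or fields[0].decode("ascii", "replace") != declared:
        return ("malformed", comment)
    return ("security-key" if declared in SK_TYPES else "replace", comment)

def audit(lines):
    return [classify(l) for l in lines if l.strip() and not l.startswith("#")]

def make_line(fields, comment):
    """Build a constructed sample line (all-zero key material, not a real key)."""
    blob = b"".join(struct.pack(">I", len(f)) + f for f in fields)
    return f"{fields[0].decode()} {base64.b64encode(blob).decode()} {comment}"

OLD = make_line([b"ssh-ed25519", bytes(32)], "old-laptop")
SAMPLE = [  # constructed sample data
    make_line([b"sk-ssh-ed25519@openssh.com", bytes(32), b"ssh:"], "laptop-fido"),
    OLD,
    make_line([b"ssh-rsa", b"\x01\x00\x01", bytes(256)], "ci-box"),
    "sk-ssh-ed25519@openssh.com " + OLD.split()[1] + " relabelled",  # label and blob disagree
]
```

Calling `audit(SAMPLE)` marks the first key as `security-key`, the two software keys as `replace`, and the relabelled line as `malformed` because its label does not match the type encoded in the blob.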
GitHub also announced in December that it will switch to token-based authentication starting in August 2021, when account passwords will no longer be accepted for authenticating Git operations.
GitHub was also one of the first to switch to Web Authentication (WebAuthn) for security keys for two-factor authentication and an early adopter of the FIDO Universal 2nd Factor (U2F) open authentication standard.