GitHub has announced today that account passwords will no longer be accepted for authenticating Git operations starting tomorrow.
This change was first announced last year, in July, when GitHub said that authenticated Git operations would require using an SSH key or token-based authentication.
GitHub also deprecated password-based authentication for the REST API, beginning on November 13, 2020.
“Starting on August 13, 2021, at 09:00 PST, we will no longer accept account passwords when authenticating Git operations on GitHub.com,” the company said.
“Instead, token-based authentication (for example, personal access, OAuth, SSH Key, or GitHub App installation token) will be required for all authenticated Git operations.”
If you’re still using a username and password to authenticate Git operations, you should take the following steps to avoid disruption when the new requirements are enacted tomorrow:
- For developers, if you are using a password to authenticate Git operations with GitHub.com today, you must begin using a personal access token over HTTPS (recommended) or SSH key by August 13, 2021, to avoid disruption. If you receive a warning that you are using an outdated third-party integration, you should update your client to the latest version.
- For integrators, you must authenticate integrations using the web or device authorization flows by August 13, 2021, to avoid disruption. For more information, see Authorizing OAuth Apps and the announcement on the developer blog.
If you want to ensure that you’re no longer using password-based authentication, you can enable two-factor authentication, which requires OAuth or personal access tokens for all authenticated operations via Git and third-party integrations.
If you already have two-factor authentication enabled for your GitHub account, you will not be affected by this authentication change in any way since you’re already using token- or SSH-based authentication.
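To find the clones that the developer step above applies to, the following added example (not from GitHub or the original article) classifies `git remote -v` output by how each GitHub.com remote authenticates. The function names and the sample remotes are constructed for illustration.

```shell
#!/bin/sh
# Classify one remote URL by the way it authenticates to GitHub.com.
#   ssh               - SSH key, not affected by the password removal
#   embedded-secret   - user:secret stored in the URL itself
#   username-only     - secret comes from a prompt or credential helper
#   credential-helper - plain HTTPS URL, secret comes from a helper or prompt
#   other             - not an SSH or HTTPS GitHub.com remote
classify_remote() {
  url=$1
  case "$url" in
    git@github.com:*|ssh://git@github.com/*) echo ssh; return ;;
    https://*) rest=${url#https://} ;;
    *) echo other; return ;;
  esac
  authority=${rest%%/*}   # userinfo@host, cut at the first "/"
  host=${authority##*@}   # drop any userinfo before the host
  [ "$host" = "github.com" ] || { echo other; return; }
  case "$authority" in
    *:*@*) echo embedded-secret ;;
    *@*)   echo username-only ;;
    *)     echo credential-helper ;;
  esac
}

# Read `git remote -v` lines on stdin and print "name<TAB>class" once per
# remote. The URL is never echoed, so an embedded secret stays out of logs.
audit_remotes() {
  while read -r name url kind; do
    [ "$kind" = "(fetch)" ] || continue
    printf '%s\t%s\n' "$name" "$(classify_remote "$url")"
  done
}

# Constructed sample input in `git remote -v` format (not real repositories).
audit_remotes <<'EOF'
origin https://alice:CONSTRUCTED-SECRET@github.com/example-org/app.git (fetch)
origin https://alice:CONSTRUCTED-SECRET@github.com/example-org/app.git (push)
mirror git@github.com:example-org/app.git (fetch)
upstream https://github.com/example-org/lib.git (fetch)
EOF
```

Every HTTPS class needs the stored or prompted secret to be a token rather than the account password. An `embedded-secret` result also means the credential sits in plain text in `.git/config`, so move it to a credential helper even if it is already a token.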
GitHub has improved account security over the years by adding two-factor authentication, sign-in alerts, verified devices, blocking the use of compromised passwords, and WebAuthn support.
Enforcing token-based authentication for Git operations increases GitHub accounts’ resilience against takeover attempts by preventing attackers from using stolen credentials or reused passwords to hijack accounts.
In May, GitHub also added support for securing SSH Git operations using FIDO2 security keys for added protection from takeover attempts.