GitHub introduced two new features to strengthen developer security and improve the developer experience.
In a public beta, the platform has introduced passkey authentication, giving users a passwordless and secure way to sign in to their accounts. Passkeys replace conventional passwords and two-factor authentication (2FA) methods, improving security and reducing the risk of account breaches.
“Passkeys provide the strongest mix of security and reliability and make accounts significantly more secure without compromising account access, which remains an issue with other 2FA methods such as SMS, TOTP, and existing single-device security keys,” Hirsch Singhal, staff product manager at GitHub, told VentureBeat. “With our new update, developers can easily register a passkey on their GitHub account and stop using a password for good.”
The platform has also introduced a new automated branch management feature, the merge queue. It lets multiple developers land code at the same time by sequencing pull requests automatically, so that each one is tested together with the changes queued ahead of it. If a problem arises, the developer is notified immediately.
Engineers have long faced the challenge of merging directly into a busy branch, which can lead to code conflicts and a frustrating rework cycle.
The GitHub merge queue solves this problem by creating a temporary branch that contains the most recent changes from the base branch, the changes from other pull requests already in the queue, and the changes from the new pull request.
The company claims that these updates prioritize developer security and streamline the development process, enhancing GitHub’s reputation as a reliable and easy-to-use platform.
Streamline the developer experience through a merge queue
Before the merge queue feature, developers were often in a cycle of updating their pull request branches before merging. This step was necessary to ensure that their changes would not interfere with the main code branch when merging.
Each update required another round of continuous integration (CI) checks to complete before the developer could proceed with the merge. On top of that, a developer had to repeat the entire process whenever another pull request was merged first.
To simplify and automate this workflow, the merge queue systematically orchestrates the merging of pull requests. Each pull request in the queue is built on top of the pull requests queued ahead of it.
When a user’s pull request is directed to a branch using the merge queue, the user can add it to the queue by clicking “merge when ready” on the pull request page or via GitHub Mobile, once it meets the merge requirements.
This action creates a temporary branch within the queue, which includes the latest changes from the base branch, the changes from other pull requests already in the queue, and the changes from the user’s pull request.
If a queued pull request runs into merge conflicts or fails a required check, it is automatically removed from the queue once it reaches the front.
At the same time, a notification is sent to the user. Once the issue is resolved, the pull request can be added back to the queue.
For a comprehensive overview of the state of the queue, developers can open the queue details page from the branches or pull request page. This page lists the queued pull requests along with the status of each, including the required checks and an estimated time to merge.
It also provides insight into the number of aggregated pull requests and tracks trends over the past 30 days.
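The queue behaviour described above (build each pull request on top of the base branch plus the entries ahead of it, drop a conflicting or failing one when it reaches the front, notify the author, re-queue after the fix) is easy to follow as a small simulation. The Go program below is an added example written for this article, not GitHub's implementation: the pull requests, the "hunk" names that stand in for changed code regions, and the conflict rule (two queued PRs rewriting the same region) are all constructed.

```go
package main

import "fmt"

// PullRequest is a constructed stand-in for a queued pull request (example
// code for this article, not GitHub's). Hunks names the code regions the PR
// rewrites; CIPass is the constructed outcome of its required checks when it
// is built on top of the queue entries ahead of it.
type PullRequest struct {
	Number int
	Hunks  []string
	CIPass bool
}

// Result records what the queue did with each PR.
type Result struct {
	Merged  []int          // PR numbers merged, in queue order
	Removed map[int]string // PR number -> reason sent to the author
}

// ProcessQueue walks the queue front to back. For each PR it forms the
// temporary branch the article describes (base branch + every PR merged
// ahead of it + the PR itself). A PR that conflicts with a PR merged ahead
// of it, or whose required check fails, is removed from the queue and its
// author notified; the PRs behind it are then evaluated without it. The
// returned slice is the base branch after the run.
func ProcessQueue(base []string, queue []PullRequest) (Result, []string) {
	res := Result{Removed: map[int]string{}}
	branch := append([]string(nil), base...)
	// owner records which PR (0 = already on the base branch) last rewrote
	// each hunk. A queued PR is assumed up to date with the base branch, so
	// only hunks rewritten by a PR merged ahead of it in this run conflict.
	owner := map[string]int{}
	for _, h := range base {
		owner[h] = 0
	}
	for _, pr := range queue {
		reason := ""
		for _, h := range pr.Hunks {
			if by := owner[h]; by != 0 {
				reason = fmt.Sprintf("merge conflict with #%d on %s", by, h)
				break
			}
		}
		if reason == "" && !pr.CIPass {
			reason = "required check failed"
		}
		if reason != "" {
			// Removed at the front of the queue; the author is notified and
			// can add the PR back once the problem is fixed.
			res.Removed[pr.Number] = reason
			continue
		}
		for _, h := range pr.Hunks {
			if _, seen := owner[h]; !seen {
				branch = append(branch, h)
			}
			owner[h] = pr.Number
		}
		res.Merged = append(res.Merged, pr.Number)
	}
	return res, branch
}

func main() {
	base := []string{"auth.go:login", "ci.yml:test"} // constructed base branch
	queue := []PullRequest{
		{Number: 41, Hunks: []string{"auth.go:login"}, CIPass: true},
		{Number: 42, Hunks: []string{"auth.go:login"}, CIPass: true}, // same region as #41
		{Number: 43, Hunks: []string{"README.md:intro"}, CIPass: false},
		{Number: 44, Hunks: []string{"ci.yml:test"}, CIPass: true},
	}
	res, branch := ProcessQueue(base, queue)
	fmt.Println("merged:", res.Merged)
	for n, why := range res.Removed {
		fmt.Printf("#%d removed from queue: %s\n", n, why)
	}
	// The author of #43 fixes the failing check and adds it back to the queue.
	again, _ := ProcessQueue(branch, []PullRequest{
		{Number: 43, Hunks: []string{"README.md:intro"}, CIPass: true},
	})
	fmt.Println("re-queued and merged:", again.Merged)
}
```

Running it merges #41 and #44, drops #42 (it rewrites the same region as #41, which landed ahead of it) and #43 (failed check), and then merges the fixed #43 on the second pass; #44 is never rebuilt against the removed entries, which is the rework the queue saves developers.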
Better code security through passkeys
GitHub’s Singhal said most security breaches stem from cheap and common attacks, including social engineering and credential theft and leakage. He noted that 80% of data breaches are due to passwords.
The company has introduced its passkey feature in response. This strengthens developers’ account security while ensuring a seamless user experience. The platform had previously implemented a 2FA initiative; now it is expanding its efforts further with the introduction of passkey authentication on GitHub.com.
“Password or token theft is the leading cause of account takeovers (ATO). GitHub offers secret scanning to find leaked secrets (such as passwords or tokens) to reduce theft, and the enhanced passkey security gives us a strong way to prevent password theft and ATO,” Singhal told VentureBeat.
Singhal emphasized that passkeys are more resistant to phishing attempts than traditional passwords and are significantly harder to guess.
“You don’t have to remember anything either – your devices do that for you, verifying your identity before authenticating to whatever website you visit. So they’re generally safer, easier to use and harder to lose,” he added.
Keep your access if you lose your phone
He said a common scenario that leads to losing access to a GitHub account is breaking or replacing a phone. This unfortunate situation occurs when a user sets up 2FA on a device which then malfunctions, leaving them unable to use any remaining 2FA methods and effectively denying them access to their account.
Passkeys offer a solution by enabling cross-device synchronization powered by reputable passkey providers such as iCloud, Dashlane, 1Password, Google, and Microsoft.
These providers and others have established secure systems that ensure seamless transfer of passkeys between devices and to the cloud. As a result, the loss of or damage to a single device no longer means permanent loss of the passkey.
“At a technical level, passkeys are a private-public key pair generated per domain. This ensures three things: no two passkeys are the same; phishing resistance; and hack-proof credentials,” explains Singhal. “The main advantage is the ease of logging in on new devices without compromising the security of your account. You can have a passkey on your phone and use it to log into the library, for example, without having to resort to backup credentials or your password.”
Classic cross-device authentication (CDA) in OAuth2 relies on the device code flow, which is vulnerable to replay attacks. In such attacks, an attacker forwards a QR code or login code from their own device to the victim. If the victim uses that code to log in, they unknowingly authorize the attacker’s session.
CDA takes a different approach with passkeys. It establishes a secure, dedicated channel between the two devices involved. This channel lets one device use another device’s passkey without revealing the actual credential.
Singhal emphasized that the new update also increases resistance to phishing attempts. This is achieved by the authentication device, such as a phone, verifying proximity to the requesting device, such as a laptop.
“This means that an attacker cannot forward the CDA QR code to a victim and let them use it to log in – the phone scans the QR code and looks for the attacker’s computer to connect to,” he said. “And since it’s not there, the authentication fails, and so does the attack.”
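Singhal's three properties (a key pair per domain, phishing resistance, and credentials that cannot be replayed) come from how the relying party verifies a passkey login, and the contrast with the forwarded-code attack described above is clearest in code. The Go program below is an added example written for this article, not GitHub's code: it models one device holding a key pair per relying-party domain, a server that stores only the public key and issues one-time challenges, and a simplified version of WebAuthn's clientDataJSON (challenge plus origin) as the signed message. Domain names, challenge format and the Device/RelyingParty types are all constructed for the illustration; the proximity check between phone and laptop is not modelled.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
	"net/url"
)

// Passkey models the per-domain key pair the article describes: the private
// key never leaves the device, the website keeps only the public key, and the
// pair is bound to the domain it was created for. (Example code written for
// this article, not GitHub's implementation.)
type Passkey struct {
	RPID string
	priv ed25519.PrivateKey
	pub  ed25519.PublicKey
}

// ClientData is a simplified stand-in for WebAuthn's clientDataJSON: the
// server's one-time challenge plus the origin the browser is actually
// talking to. The browser, not the user, fills in the origin.
type ClientData struct {
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}

// Device holds one passkey per relying-party domain.
type Device struct{ keys map[string]*Passkey }

func NewDevice() *Device { return &Device{keys: map[string]*Passkey{}} }

// Register creates a fresh key pair for rpID and returns the public key the
// site stores. Every domain gets its own pair, so no two passkeys are alike.
func (d *Device) Register(rpID string) (ed25519.PublicKey, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	d.keys[rpID] = &Passkey{RPID: rpID, priv: priv, pub: pub}
	return pub, nil
}

// Sign answers a login challenge from a page at origin. A look-alike domain
// has no registered key, so there is nothing for a phishing page to ask the
// device to sign, and because the origin is inside the signed bytes, a
// response cannot be presented to a site that expects a different origin.
func (d *Device) Sign(origin, challenge string) (clientData, sig []byte, err error) {
	u, err := url.Parse(origin)
	if err != nil {
		return nil, nil, err
	}
	pk, ok := d.keys[u.Hostname()]
	if !ok {
		return nil, nil, fmt.Errorf("no passkey registered for %q", u.Hostname())
	}
	data, _ := json.Marshal(ClientData{Challenge: challenge, Origin: origin})
	return data, ed25519.Sign(pk.priv, data), nil
}

// RelyingParty is the server side: it stores the public key from
// registration and tracks the challenges it has issued but not yet seen used.
type RelyingParty struct {
	Origin     string
	pub        ed25519.PublicKey
	challenges map[string]bool
}

func NewRelyingParty(origin string, pub ed25519.PublicKey) *RelyingParty {
	return &RelyingParty{Origin: origin, pub: pub, challenges: map[string]bool{}}
}

// NewChallenge issues a random challenge that is valid for exactly one login.
func (rp *RelyingParty) NewChallenge() string {
	b := make([]byte, 16)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	c := fmt.Sprintf("%x", b)
	rp.challenges[c] = true
	return c
}

// Verify accepts a login only if the signature is valid under the stored
// key, the signed origin is this site, and the challenge was issued by this
// site and has not been consumed yet, so a captured response cannot be replayed.
func (rp *RelyingParty) Verify(clientData, sig []byte) error {
	var cd ClientData
	if err := json.Unmarshal(clientData, &cd); err != nil {
		return err
	}
	if !ed25519.Verify(rp.pub, clientData, sig) {
		return errors.New("signature does not verify under the registered passkey")
	}
	if cd.Origin != rp.Origin {
		return fmt.Errorf("signed origin %q is not %q", cd.Origin, rp.Origin)
	}
	if !rp.challenges[cd.Challenge] {
		return errors.New("unknown or already used challenge")
	}
	delete(rp.challenges, cd.Challenge)
	return nil
}

func main() {
	device := NewDevice()
	pub, _ := device.Register("github.com") // constructed relying-party ID
	site := NewRelyingParty("https://github.com", pub)

	c := site.NewChallenge()
	data, sig, _ := device.Sign("https://github.com", c)
	fmt.Println("login:", site.Verify(data, sig))  // accepted
	fmt.Println("replay:", site.Verify(data, sig)) // rejected: challenge already used

	// A look-alike domain (constructed) has no passkey on the device.
	_, _, err := device.Sign("https://github-com.example", site.NewChallenge())
	fmt.Println("look-alike domain:", err)
}
```

The single-use challenge is what defeats the forwarded-code scenario: a response captured from one login is useless for a second one, and a response produced for another origin fails the origin comparison before the challenge is even consulted.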