GitHub announced today the introduction of passwordless authentication support in public beta, allowing users who opt-in to upgrade from security keys to passkeys.
Very mixed feelings on GitHub’s recent approaches to security. Tighter security measures are great, but deprecating password authentication on git operations seems obtuse to me. What if I want to push a change from a machine that’s not mine and doesn’t have my registered SSH key on it? I don’t have a Yubikey or anything similar nor do I intend to get one in the foreseeable future.
I’m with you on this. How on earth are one-off login events supposed to work? I want nothing about me logging on to be stored on that device or account other than, for example, the code I download. Maybe I’m missing something but the search I just did suggested connecting my phone via bluetooth, which is also not an option.
I just got a repo token and do git add remote origin https://REPO_TOKEN@github.com/username/repo.git and say bye-bye to usernames and passwords. Easiest pushes and pulls ever with private, public or org repos.
we’re talking about a hypothetical one-off situation on a computer that isn’t yours though; right? That happens from time to time, and an authentication process that requires you to persist your auth information on disk carries some extra risks. You need to remember to delete it when you’re done.
Very mixed feelings on GitHub’s recent approaches to security. Tighter security measures are great, but deprecating password authentication on git operations seems obtuse to me. What if I want to push a change from a machine that’s not mine and doesn’t have my registered SSH key on it? I don’t have a Yubikey or anything similar nor do I intend to get one in the foreseeable future.
I’m with you on this. How on earth are one-off login events supposed to work? I want nothing about me logging on to be stored on that device or account other than, for example, the code I download. Maybe I’m missing something but the search I just did suggested connecting my phone via bluetooth, which is also not an option.
I just got a repo token and do
git add remote origin https://REPO_TOKEN@github.com/username/repo.git
and say bye-bye to usernames and passwords. Easiest pushes and pulls ever with private, public or org repos.But now you have the only credential, the REPO_TOKEN in plaintext in your .git/config file. That’s even worse.
Edit: typo
That’s how a lot of tools work. Your maven password is in .m2/settings.xml
Your ssh private key is in .ssh/id_rsa
The only person with access to these files should be you. If anyone else does then your machine is compromised
we’re talking about a hypothetical one-off situation on a computer that isn’t yours though; right? That happens from time to time, and an authentication process that requires you to persist your auth information on disk carries some extra risks. You need to remember to delete it when you’re done.
You don’t need to remember to delete it, you can revoke the access from your github account.
Then it’s useless.