Around two years ago, North Carolina State University researchers discovered [PDF] that over 100,000 GitHub repositories had leaked cryptographic (TLS and SSH) keys and API tokens. The researchers reached this figure by scanning only 13% of GitHub's public repositories over six months, and found that thousands of new repositories were leaking secrets almost daily.
GitHub Announces Support for Security Keys
To prevent account takeover through SSH Git operations, GitHub has now added support for security keys. Users can authenticate Git-over-SSH operations with a portable hardware device, which prevents accidental exposure of private keys and stops malware from initiating Git requests without the user's approval.
According to Kevin Jones, a senior security engineer at GitHub, a security-key-backed SSH key is generated first and then added to your account like any other SSH key.
“You’ll still create a public and private key pair, but secret bits are generated and stored in the security key, with the public part stored on your machine like any other SSH public key,” Jones explained.
To further improve your account's resilience against compromise, replace all previously registered SSH keys with security-key-backed ones. Compatible devices include the Thetis FIDO U2F Security Key, YubiKey, and Google Titan Security Key.
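The following is an added example, not code from the article or from GitHub, covering the two steps described above: generating a security-key-backed SSH key and checking which of your existing keys still need replacing. Generation needs a FIDO2 or U2F device plugged in and OpenSSH 8.2 or newer, so those commands are shown as comments; the audit helpers run anywhere. The sample key lines are constructed placeholders with truncated key blobs, and the device names and comments are assumptions.

```shell
#!/bin/sh
# Added example, not from the article or GitHub's blog post.
#
# Generating a security-key-backed key (requires a FIDO2/U2F device and
# OpenSSH >= 8.2; shown as comments because it needs hardware):
#
#   ssh-keygen -t ed25519-sk -C "github@laptop"   # FIDO2 authenticators
#   ssh-keygen -t ecdsa-sk   -C "github@laptop"   # older U2F-only devices
#
# The resulting ~/.ssh/id_ed25519_sk file is only a key handle; the signing
# key never leaves the device. Register ~/.ssh/id_ed25519_sk.pub on GitHub,
# then verify with:  ssh -T git@github.com  (touch the key when it blinks).

# sk_key_type: classify one public-key line by its key-type field.
# Prints "sk" for a security-key-backed key, "soft" for a key whose
# private half lives on disk, and "unknown" for anything else.
sk_key_type() {
  case "$1" in
    "sk-ssh-ed25519@openssh.com "*|"sk-ecdsa-sha2-nistp256@openssh.com "*)
      echo sk ;;
    "ssh-ed25519 "*|"ssh-rsa "*|"ssh-dss "*|"ecdsa-sha2-"*" "*)
      echo soft ;;
    *)
      echo unknown ;;
  esac
}

# count_soft_keys: read public-key lines on stdin (authorized_keys format,
# e.g. the output of `ssh-add -L`) and print how many are NOT backed by a
# security key, i.e. how many still need replacing. Blank and "#" lines
# are skipped.
count_soft_keys() {
  n=0
  while IFS= read -r line || [ -n "$line" ]; do
    case "$line" in ""|"#"*) continue ;; esac
    if [ "$(sk_key_type "$line")" = soft ]; then
      n=$((n + 1))
    fi
  done
  echo "$n"
}

# Constructed sample input: two soft keys and one security-key-backed key
# (the key blobs are truncated placeholders, not real keys).
sample_keys='ssh-rsa AAAAB3NzaC1yc2E... old-laptop
sk-ecdsa-sha2-nistp256@openssh.com AAAAInNrLWVjZHNh... yubikey
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5... ci-runner'

printf '%s\n' "$sample_keys" | count_soft_keys   # prints 2
```

To audit the keys actually registered on your GitHub account rather than the ones in your local agent, feed the public key list GitHub publishes for your username into `count_soft_keys`; any non-zero result is a key that can still be stolen from disk.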
Difference between Private Keys and Security Keys
With a security-key-backed SSH key, the "private key" file stored on your computer is really just a key handle that refers to your physical security key; the signing key itself never leaves the device, so the file is useless to anyone without access to the device. Security keys are portable dongles that add a hardware-backed layer of protection to your online accounts and services.
With a security key, “none of the sensitive information ever leaves the physical security key device. If you’re the only person with physical access to your security key, it’s safe to leave plugged in at all times,” Jones said.
So you can manage your project's Git data over SSH while the security key stays under your physical control. You won't have to keep track of every SSH key you have generated, and GitHub automatically removes SSH keys that have not been used in over a year from your account. This makes key management easier if you use multiple devices or lose a key.
“We recognize that passwords are convenient, but they are a consistent source of account security challenges. We believe passwords represent the present and past, but not the future. […] By removing password support for Git, as we already successfully did for our API, we will raise the baseline security hygiene for every user and organization, and for the resulting software supply chain,” Jones wrote in the blog post.