The Wayback Machine - http://web.archive.org/web/20220818084733/https://github.com/github/roadmap/issues/170
Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Passwordless WebAuthn as a “trusted device” capability #170

Open

github-product-roadmap opened this issue Feb 10, 2021 · 0 comments
Open

Passwordless WebAuthn as a “trusted device” capability #170

github-product-roadmap opened this issue Feb 10, 2021 · 0 comments
Labels
all cloud in design other
Projects
GitHub public roadmap

Comments

@github-product-roadmap
Copy link
Collaborator

github-product-roadmap commented Feb 10, 2021

Summary

In August 2019, GitHub added support for Web Authentication (WebAuthn) security keys, a shared standard for secure authentication on the web. WebAuthn allowed customers to use physical security keys, or in some specific cases, in-device biometric verification as a second factor when logging in to GitHub. At the time, we wrote:

Because platform support is not yet ubiquitous, GitHub currently supports security keys as a supplemental second factor. But we’re evaluating security keys as a primary second factor as more platforms support them. In addition, WebAuthn can make it possible to support login using your device as a “single-factor” security key with biometric authentication instead of a password. Although we’re not ready to announce further plans, we’ll continue to pursue ways to make secure authentication as easy as possible for everyone on GitHub.

As adoption of the WebAuthn standard has become more ubiquitous, we are now able to expand our support for WebAuthn. With "passwordless" WebAuthn, you can log in to github.com using biometric verification such as TouchID or Windows Hello, without needing to type in a password. Logging in with an identity tied to a trusted device is more secure, as it is more resistant to phishing and social engineering attacks. "Passwordless" WebAuthn can also be used to confirm risky actions through biometrics across devices.

Intended Outcome

  1. Customers can login from a trusted device using Touch ID, Face ID, or Windows Hello via their web browser
  2. Customers can confirm risky actions ("sudo") using Touch ID, Face ID, or Windows Hello via their web browser

How will it work?

Upon logging in for the first time from a device that contains a platform-based WebAuthn authenticator (e.g., TouchID, FaceID, or Windows Hello), customers will be prompted if they would like to trust the device. Logged in customers will also be prompted to trust devices when confirming potentially risky actions ("sudo") with their password.

Once a device is trusted, customers can log in to GitHub.com or confirm potentially risking actions through a biometric gesture, without needing to enter their password. Trusted devices can be managed via the account security settings page.
@github github locked and limited conversation to collaborators Feb 10, 2021
@github-product-roadmap github-product-roadmap added this to Q1 2021 – Jan-Mar in GitHub public roadmap Feb 10, 2021
@github-product-roadmap github-product-roadmap added all cloud in design other labels Feb 10, 2021
@github-product-roadmap github-product-roadmap moved this from Q1 2021 – Jan-Mar to Q2 2021 – Apr-Jun in GitHub public roadmap Apr 7, 2021
@github-product-roadmap github-product-roadmap moved this from Q2 2021 – Apr-Jun to Future in GitHub public roadmap Jul 12, 2021
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
all cloud in design other
Projects
GitHub public roadmap
Status: Future
GitHub public roadmap
Future
Milestone
No milestone
Development

No branches or pull requests
1 participant
@github-product-roadmap