
GitHub is urging its base of users to enable two-factor authentication as the platform shakes up how it protects accounts from compromise.
GitHub stopped accepting account passwords when authenticating Git operations. The platform now requires people to use stronger authentication factors like personal access tokens, SSH keys, or OAuth or GitHub App installation tokens for all authenticated Git operations on GitHub.com.
In addition to ditching passwords, GitHub has taken other measures like investing in verified devices, preventing the use of compromised passwords, supporting WebAuthn and more. GitHub announced the move in December.
There are a number of options available for using 2FA on GitHub, including: physical security keys, such as YubiKeys; virtual security keys built into your personal devices, such as laptops and phones that support WebAuthn-enabled technologies, like Windows Hello or Face ID/Touch ID; Time-based One-Time Password (TOTP) authenticator apps; and Short Message Service (SMS).
GitHub was pushing users to take advantage of security keys or TOTPs instead of SMS, noting that SMS “does not provide the same level of protection and it is no longer recommended under NIST 800-63B.”
Passwords alone are simply no longer enough for sensitive and high-risk activities; they’re too difficult to manage and too easy to steal. Strong authentication has become not just important but essential to better protecting our accounts, so GitHub’s move is a huge step in the right direction: a future without passwords.