Head over to our on-demand library to view sessions from VB Transform 2023. Register Here
GitHub has introduced two new features to bolster developer security and improve the development experience.
In a public beta release, the platform has unveiled passkey authentication, offering users a passwordless and secure method of accessing their accounts. Passkeys supersede conventional passwords and two-factor authentication (2FA) methods, delivering increased security while mitigating the risk of account breaches.
“Passkeys offer the strongest mix of security and reliability and make accounts significantly more secure without compromising account access, which remains an issue with other 2FA methods like SMS, TOTP and existing single-device security keys,” Hirsch Sighal, staff product manager at GitHub, told VentureBeat. “With our new update, developers can easily register a passkey on their GitHub account and stop using a password forever.”
The platform has also introduced a new automated branch management feature known as the merge queue. This feature empowers multiple developers to commit code while it seamlessly handles pull requests that align with subsequent changes. In the event of a problem, the developer is promptly alerted.
VB Transform 2023 On-Demand
Did you miss a session from VB Transform 2023? Register to access the on-demand library for all of our featured sessions.
Engineers have faced the challenge of merging directly onto a busy branch, which can lead to code conflicts and a frustrating cycle of rework.
GitHub’s merge queue addresses this issue by creating a temporary branch. This branch incorporates the most recent changes from the base branch, the changes from other pull requests already in the queue, and the changes from new pull requests.
The company asserts that these updates prioritize developer security and streamline the development process, augmenting GitHub’s reputation as a reliable and user-friendly platform.
Streamlining developer experience through merge queue
Before the merge queue feature, developers often found themselves in a cycle of updating their pull request branches before merging. This step was necessary to ensure their changes would not disrupt the main code branch upon merging.
With each update, a fresh round of continuous integration (CI) checks had to be completed before the developer could proceed with the merge. Additionally, if another pull request was merged, every developer had to repeat the entire process.
To simplify and automate this workflow, merge queue systematically orchestrates the merging of code pull requests. Each pull request in the queue is built in conjunction with the preceding pull requests.
When a user’s pull request is targeted at a branch using merge queue, the user can add it to the queue by clicking “merge when ready” on the pull request page, or via GitHub Mobile, once it meets the requirements for merging.
This action creates a temporary branch within the queue, encompassing the latest changes from the base branch, the changes from other pull requests already in the queue, and the changes from the user’s pull request.
If a pull request in the queue encounters merge conflicts or fails any mandatory status checks, it is automatically removed from the queue upon reaching the front of the queue.
Simultaneously, a notification is sent to the user. Once the issue is resolved, the pull request can be added back to the queue.
For a comprehensive overview of the queue’s status, developers can access the queue details page via the branches or pull request page. This page provides a glimpse of the pull requests in the queue, along with the status of each, including the required status checks and an estimated time for merging.
It also offers insights into the number of merged pull requests, and tracks trends over the last 30 days.
Better code protection through passkeys
GitHub’s Singhal said that most security breaches result from inexpensive and common attacks, including social engineering, credential theft and leakage. He asserts that over 80% of data breaches are attributable to passwords.
The company has introduced its passkeys feature in response. This bolsters developers’ account security while ensuring a seamless user experience. The platform had earlier implemented a 2FA initiative; now it further expands its efforts with the introduction of passkey authentication on GitHub.com.
“Password or token theft is the leading cause of account takeovers (ATO). GitHub offers secret scanning to scan for leaked secrets (like passwords or tokens) to reduce theft, and the enhanced security from passkeys gives us a strong way to prevent password theft and ATO,” Singhal told VentureBeat.
Singhal emphasized that passkeys offer greater resistance to phishing attempts than traditional passwords do and are significantly more difficult to guess.
“You don’t have to remember anything either — your devices do that for you and verify your identity before they authenticate with whatever website you’re accessing. So they’re generally more secure, easier to use and harder to lose,” he added.
Keep your access if you lose your phone
He said that a common scenario leading to losing access to a GitHub account is the breakage or replacement of a phone. This unfortunate situation occurs when a user sets up 2FA on a device that subsequently malfunctions, leaving them unable to use any remaining 2FA methods and effectively locked out of their account.
Passkeys offer a solution by enabling cross-device synchronization facilitated by reputable passkey providers such as iCloud, Dashlane, 1Password, Google and Microsoft.
These providers and others have established secure systems that ensure the seamless transfer of passkeys across devices and to the cloud. As a result, loss of or damage to a single device no longer means permanent loss of the passkey.
“At a technical level, passkeys are a private-public keypair that’s generated on a per-domain basis. This ensures three things: No two passkeys are the same; phishing resistance; and hack-proof credentials,” explained Singhal. “The core benefit is the ease of signing in to new devices without compromising your account’s security. You can have a passkey on your phone and use it to sign in at the library, for instance, without resorting to backup credentials or your password.”
Classic cross-device authentication (CDA) in OAuth2 relies on the device code flow, which poses a vulnerability to replay attacks. In such attacks, an attacker manipulates the situation by forwarding a QR code or device login code to the victim. If the victim uses this code to sign in, they authorize the attacker’s session unwittingly.
With passkeys, CDA takes a different approach. It establishes a secure and dedicated channel directly between the two devices involved. This unique channel enables one device to use the passkey from another without exposing the actual credential.
Singhal emphasized that the new update also boosts resistance to phishing attempts. This is achieved through the authenticating device, such as a phone, verifying the proximity of the requesting device, such as a laptop.
“This means an attacker can’t forward the CDA QR code to a victim and have them use it to sign in — the phone will scan the QR code and start looking for the attacker’s computer to connect to,” he said. “And since it’s not there, the authentication fails, and so does the attack.”
VentureBeat’s mission is to be a digital town square for technical decision-makers to gain knowledge about transformative enterprise technology and transact. Discover our Briefings.