• AggressivelyPassive@feddit.de
    link
    fedilink
    arrow-up
    0
    ·
    1 year ago

    Maybe I’m misinterpreting something here, but wouldn’t that mean, I can’t just access my account if I lose my auth device? Am I supposed to always have a passkey device locked somewhere safe?

      • AggressivelyPassive@feddit.de
        link
        fedilink
        arrow-up
        0
        ·
        1 year ago

        So, it’s just a password with a different name.

        Seriously, what is the functional difference between this and stricter password requirements? I don’t see it.

        • robobrain@programming.dev
          link
          fedilink
          arrow-up
          1
          ·
          1 year ago

          Passkeys use a challenge/response protocol that doesn’t transmit any actual secrets. This makes them phishing resistant as you can’t just “type in your passkey secret” it gitnub .com

  • static_motion@programming.dev
    link
    fedilink
    arrow-up
    0
    ·
    1 year ago

    Very mixed feelings on GitHub’s recent approaches to security. Tighter security measures are great, but deprecating password authentication on git operations seems obtuse to me. What if I want to push a change from a machine that’s not mine and doesn’t have my registered SSH key on it? I don’t have a Yubikey or anything similar nor do I intend to get one in the foreseeable future.

      • dbx12@programming.dev
        link
        fedilink
        arrow-up
        0
        ·
        edit-2
        1 year ago

        But now you have the only credential, the REPO_TOKEN in plaintext in your .git/config file. That’s even worse.

        Edit: typo

        • MostlyHarmless@programming.dev
          link
          fedilink
          arrow-up
          0
          ·
          1 year ago

          That’s how a lot of tools work. Your maven password is in .m2/settings.xml

          Your ssh private key is in .ssh/id_rsa

          The only person with access to these files should be you. If anyone else does then your machine is compromised

          • HairHeel@programming.dev
            link
            fedilink
            arrow-up
            0
            ·
            1 year ago

            we’re talking about a hypothetical one-off situation on a computer that isn’t yours though; right? That happens from time to time, and an authentication process that requires you to persist your auth information on disk carries some extra risks. You need to remember to delete it when you’re done.