GitHub Will Now Support Security Keys for SSH Git Operations

About two years ago, North Carolina State University researchers found that more than 100,000 GitHub repositories had leaked cryptographic keys (TLS and SSH) and API tokens. They scanned only 13% of GitHub's public repositories over six months and found that thousands of new repositories were leaking secrets almost daily.


GitHub Announces Support for Security Keys


To prevent account takeover in SSH Git operations, GitHub has now added support for security keys. The feature lets users authenticate SSH Git operations with portable devices, which helps avoid accidental exposure of private keys and malware initiating requests without the user's approval.


According to Kevin Jones, GitHub’s senior security engineer, once the keys are generated you can add them to your account like any other SSH key.


“You’ll still create a public and private key pair, but secret bits are generated and stored in the security key, with the public part stored on your machine like any other SSH public key,” Jones explained.



To further improve your account’s resilience against compromise, it is crucial to replace all your previously registered SSH keys with SSH keys backed by security keys. Security keys include the Thetis FIDO U2F Security Key, YubiKey, and Google Titan Security Keys.
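
One way to find the keys that still need replacing, as an added example that is not from GitHub or the original article: OpenSSH (8.2 or later) gives security-key-backed public keys a type name beginning with `sk-`, so the public key lines themselves show which keys are hardware-backed. The function names and the sample key lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: sort SSH public keys into security-key-backed and software keys.
# Input is public-key lines, e.g. the contents of ~/.ssh/*.pub files.

# Print "hardware", "software" or "unknown" for one public-key line.
# Splits on whitespace, so simple leading authorized_keys options are skipped;
# quoted option values that contain spaces are not parsed.
classify_pubkey() {
    set -f                       # no filename expansion while splitting fields
    for field in $1; do
        case "$field" in
            sk-ssh-ed25519@openssh.com|sk-ecdsa-sha2-nistp256@openssh.com)
                set +f; echo hardware; return 0 ;;
            ssh-rsa|ssh-dss|ssh-ed25519|ecdsa-sha2-nistp*)
                set +f; echo software; return 0 ;;
        esac
    done
    set +f
    echo unknown
}

# Read public-key lines on stdin and print every key that is not backed by a
# security key, prefixed with its class. Blank lines and comments are skipped.
list_keys_to_replace() {
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in ''|'#'*) continue ;; esac
        class=$(classify_pubkey "$line")
        [ "$class" = hardware ] || printf '%s: %s\n' "$class" "$line"
    done
}

# Constructed sample input; the key blobs are placeholders, not real keys.
sample_keys() {
    cat <<'EOF'
# constructed sample
ssh-rsa AAAAB3PLACEHOLDER old-laptop
sk-ssh-ed25519@openssh.com AAAAGnPLACEHOLDER yubikey
ssh-ed25519 AAAAC3PLACEHOLDER ci-runner
sk-ecdsa-sha2-nistp256@openssh.com AAAAInPLACEHOLDER titan
EOF
}

sample_keys | list_keys_to_replace
```

On real input, `cat ~/.ssh/*.pub | list_keys_to_replace` lists the local keys that are still software-only.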