-
This discussion is for feedback on the public beta of passkeys on GitHub.com. Please let us know any issues you run into, ideas you have to improve the feature, or questions you might have about it. Handy docs
Known issues
Preview limitations
Replies: 57 comments 175 replies
-
Using Chrome 114.0.5735.198 on Linux, and I'm getting
The result of
-
@hpsin Would you please share the justification or threat model for passkeys to automatically bypass 2FA? It seems less secure to fully trust a single passkey provider compared to a traditional password manager with a separate 2FA device. With password+2FA, even if my password manager is completely compromised, my 2FA enabled accounts are protected from unauthorized login because my 2FA secrets/codes are not stored in my password manager. With a passkey and GitHub's implementation of 2FA bypass, the passkey manager is entrusted with the key and also trusted to perform the second factor auth, but is now a single point of failure/vulnerability. I would like to be able to still require 2FA on my GitHub account (which I can configure on a separate device) and just use passkeys as a password replacement. I would also like to be able to enforce this for my GitHub organization members.
-
It appears as though in this you are forcing resident-key=required. This is a problem because almost all CTAP2 devices have extremely limited storage for resident keys. It is common for this to vary from 8 to 32 key slots. As users enroll their devices to sites or have multiple accounts, this will rapidly consume that space. To make this worse, as most devices currently on the market are CTAP2.0, they have no way to delete a resident key once created. It's also key to note, many users of GitHub will be early adopters and will likely use YubiKeys and other devices which this issue affects. Since you have no way to prevent a CTAP2 device being used (since to allow caBLE means you allow roaming authenticators, which also allows usb-hid), you very likely will contribute to user keys running out of storage with this scheme. There are many ways you can proceed that don't force key residence! Many platform authenticators under "discouraged" will create a resident key anyway, and will set that in their credProps allowing the usernameless workflow (which you can trigger in the username field with conditional UI) - but you should also allow passwordless workflows where a user enters their username, conditional UI isn't completed, then you can look up the user and prompt for their non-resident key. This will allow users to use "passkeys" without damaging their devices, while still allowing usernameless as an option with conditional UI.
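The split proposed in the comment above (do not force key residence, read `credProps`, and fall back to a username-first lookup) can be sketched as relying-party option builders. This is an added example, not part of the original post and not GitHub's code; the function names, the store shape and the sample credentials are hypothetical.

```javascript
// Added example; function names and the credential store shape are hypothetical.
// `challenge` is a fresh random value the server generates for each ceremony.

// Options for navigator.credentials.create(): do not force a resident key,
// and ask the client to report what the authenticator actually created.
function registrationOptions(rpId, user, challenge) {
  return {
    challenge,
    rp: { id: rpId, name: rpId },
    user: { id: user.handle, name: user.name, displayName: user.name },
    pubKeyCredParams: [
      { type: "public-key", alg: -7 },   // ES256
      { type: "public-key", alg: -257 }, // RS256
    ],
    authenticatorSelection: { residentKey: "discouraged", userVerification: "required" },
    extensions: { credProps: true },
  };
}

// credProps.rk is true only when the client reports a discoverable credential.
// Store this with the credential so the UI knows which sign-in paths it supports.
function isDiscoverable(clientExtensionResults) {
  return Boolean(clientExtensionResults && clientExtensionResults.credProps &&
    clientExtensionResults.credProps.rk === true);
}

// Options for navigator.credentials.get().
// No username: empty allowCredentials, so only discoverable credentials can
// answer (the usernameless / conditional UI path).
// Username given: list that account's credential IDs so non-resident keys work.
function requestOptions(rpId, challenge, store, username) {
  const base = { challenge, rpId, userVerification: "required" };
  if (!username) return { ...base, allowCredentials: [] };
  const ids = store.filter((c) => c.username === username).map((c) => c.id);
  return { ...base, allowCredentials: ids.map((id) => ({ type: "public-key", id })) };
}

// Constructed sample store: one discoverable and one non-resident credential.
const sampleStore = [
  { username: "alice", id: Uint8Array.of(1, 2, 3), discoverable: true },
  { username: "bob", id: Uint8Array.of(9, 9, 9), discoverable: false },
];
```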
-
In the feature preview, the
-
Chrome 114.0.5735.199 (latest public) is not passkey compatible?
-
I have Windows Hello added as a "security key" (on Windows 11) – it already works for 2FA and I get the offer to upgrade it to a passkey, but doing so pops up the Hello dialog that requires me to connect a hardware key. This happens equally with Chrome 114 and Firefox 114. (On the other hand, I've successfully upgraded the Android Chrome "security key" to a passkey, and was able to use it from the same Windows 11 through the Bluetooth thingy Chrome does.)
-
I don't see the (documented) Sign in with a passkey option anywhere on the GitHub login page... I checked that page in these browsers:
Note that I use (the) 1Password (browser extension) as my passkey provider (although I also use iCloud Keychain as a backup).
-
Is there any separate login page? I can't see a "login with passkey" button on any browser on my system, and yes, I already registered a passkey on my account.
-
Will we eventually be able to remove our password from our accounts in favor of using passkeys? Just did this with my personal Microsoft account and have been loving it.
-
Hey folks! Thank you all for your feedback and discussion. With your help we've taken passkeys to GA, and every user can now register and use them on GitHub.com. You can find our launch blog post here, which includes an overview of the changes made since the beta based on your feedback. If you find additional issues or have more feedback, we're tracking that here.
-
GitHub's passkey implementation requires UserVerification on navigator.credentials.get() calls, but does not verify the UV flag in the returned assertion. Some Apple devices return a UV=false assertion even when UserVerification=required; thus, on such devices, users can sign in w/o local authentication.
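The server-side check the comment above refers to, as an added example (not part of the original post and not GitHub's code): the relying party reads the flags byte of the assertion's `authenticatorData` and rejects the sign-in when user verification was required but the UV bit is clear. The function names are hypothetical and the sample bytes are constructed; the layout (32-byte rpIdHash, 1 flags byte, 4-byte big-endian signCount) and bit positions follow the WebAuthn specification.

```javascript
// Added example; helper names are hypothetical. This check complements, and
// does not replace, rpIdHash comparison and signature verification.
const FLAG_UP = 0x01; // user present
const FLAG_UV = 0x04; // user verified

// authenticatorData: rpIdHash (32) | flags (1) | signCount (4, big-endian) | ...
function parseAuthenticatorData(authData) {
  if (!(authData instanceof Uint8Array) || authData.length < 37) {
    throw new Error("authenticatorData too short");
  }
  const view = new DataView(authData.buffer, authData.byteOffset, authData.byteLength);
  const flags = authData[32];
  return {
    rpIdHash: authData.subarray(0, 32),
    userPresent: (flags & FLAG_UP) !== 0,
    userVerified: (flags & FLAG_UV) !== 0,
    signCount: view.getUint32(33, false),
  };
}

// Enforce the policy on what the authenticator reported, not on what the
// request asked for: requesting userVerification "required" is only a hint
// until the UV bit in the signed response is checked.
function checkAssertionFlags(authData, policy) {
  const parsed = parseAuthenticatorData(authData);
  if (!parsed.userPresent) {
    return { ok: false, reason: "UP flag not set" };
  }
  if (policy.requireUserVerification && !parsed.userVerified) {
    return { ok: false, reason: "UV flag not set although user verification is required" };
  }
  return { ok: true, reason: "flags satisfy policy", signCount: parsed.signCount };
}

// Constructed sample: placeholder rpIdHash bytes, chosen flags and counter.
function sampleAuthData(flags, signCount) {
  const buf = new Uint8Array(37);
  buf.fill(0xab, 0, 32);
  buf[32] = flags;
  new DataView(buf.buffer).setUint32(33, signCount, false);
  return buf;
}
```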
-
I just came across an issue that I can't seem to solve. I had my Android phone registered as a passkey and everything worked well. I had to factory reset my phone last night and ever since I can't use my phone as a passkey any more. At first I thought it was the old passkey which caused trouble so I deleted it from GitHub and from my phone, but when I try to register again it always fails now (Error: Passkey registration failed). I've tried both setting it up from a MacBook via Bluetooth and via the browser on the phone itself, but nothing works. Passkeys are otherwise working well, for example with my Google login.
-
It's stated here that hardware keys are ineligible for upgrade to passkeys, unless the hardware key is user-identifying, but I was able to upgrade my YubiKey 5C to a passkey - I believe this is because the security key is FIDO2-capable.
-
I am trying the passkeys public beta; it's working on Windows 10. Thanks.
-
I have 2FA enabled with OTP stored in my iCloud Keychain, and additionally my phone number is verified. After I use the fingerprint key on my MacBook there is an error with passkeys. Can anyone help me with this problem?
-
Is the Conditional UI API not implemented as demonstrated in the blog post?
This would help to circumnavigate the issue of the lack of "login in with passkey" on the login page by suggesting a passkey in the autofill form itself.
-
Well, I'm not giving away anything biometric, because god forbid that data ever leaks. Then that identifier is leaked for life. And if in the long run only a hardware key is to be used as an option... you'd better be prepared to give me options to secure access to my account if hardware key access is lost for whatever reason. In short, doing away with passwords is a terrible idea. It's literally waiting for Murphy. I would suggest enforcing strong generated PWs + 2FA instead. Chrome, for instance, has a military grade generator built in.
-
Is this expected behaviour? (I expected that I could use YubiKeys as passkeys as well)
-
When logging in using a passkey, Safari shows me two passkeys for a single GitHub account. However, only one works; the other one gives this error:
Surprisingly, there's only 1 github.com entry in the Passwords section of System Settings. There's also only 1 github.com entry in the Passwords tab of Safari's settings. In fact, both are the same entry, because renaming one immediately renames the other as well. Where can I find the other invalid passkey and how can I delete that one?
-
Simple process on iOS; however, when adding to the iOS keychain, the GitHub passkey is added as a new password entry and not to the existing GitHub password.
-
However, when I log in (old-fashioned) using username/password, GitHub is always using the GitHub mobile app (for iOS) instead of a passkey as the 2FA second factor. Is this a bug? Or should I (re)add the passkey as a security key for that?
-
I constantly get the message: Passkey registration failed. I am running macOS 12.3.
-
I found something that's not really a bug, but it's part of the authentication flow: if I log in and get to the 2FA screen, then hit back, and then click "Sign in using a Passkey", I get the following page. It's probably the re-use of the
-
I love it, works perfectly on Windows 11 and Edge browser (both latest stable versions)
-
I tried the passkey upgrade directions for my 2FA security keys, but the passkey registration failed. I was using the SoloKeys Solo 1 USB-A, Solo 2A, and Solo 2C.
-
I'm using the latest Chrome v115 but it seems like I can't set it up here. Any fix to this issue? Or am I the only one who has experienced this issue?