GitHub Deprecates Account Password Authentication for Git Operations
Token-based Authentication Will Be Required for All Authenticated Git Operations.
According to the cloud-based hosting service provider GitHub, as of August 13th, 2021, account passwords are no longer accepted for authenticating Git operations.
The announcement is not new: in July 2020, GitHub declared that all authenticated Git operations would require a personal access token, OAuth token, or SSH key.
As previously announced, password-based authentication via the REST API also stopped being accepted starting November 13, 2020.
Starting on August 13, 2021, at 09:00 PST, we will no longer accept account passwords when authenticating Git operations on GitHub.com.
Instead, token-based authentication (for example, personal access, OAuth, SSH Key, or GitHub App installation token) will be required for all authenticated Git operations.
In order to prevent a situation where individuals might experience disruption because they still use a username and password to authenticate Git operations, GitHub urges them to take the following measures:
- For developers, if you are using a password to authenticate Git operations with GitHub.com today, you must begin using a personal access token over HTTPS (recommended) or SSH key by August 13, 2021, to avoid disruption. If you receive a warning that you are using an outdated third-party integration, you should update your client to the latest version.
- For integrators, you must authenticate integrations using the web or device authorization flows by August 13, 2021, to avoid disruption. For more information, see Authorizing OAuth Apps and the announcement on the developer blog.
In order to make sure that you’re no longer using password-based authentication, you can enable two-factor authentication, which requires OAuth or personal access tokens for all authenticated operations via Git and third-party integrations.
It’s important to know that you will not be affected by this change if:
- You have two-factor authentication enabled for your GitHub account. In this case, you are already required to use token- or SSH-based authentication.
- You use GitHub Enterprise Server; no changes were announced for it.
- You use a GitHub App; GitHub Apps do not support password authentication.
The new change is meant to add an extra layer of protection for GitHub accounts against cyberattacks conducted by threat actors who might try to use stolen credentials.
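
One way to find local clones affected by the move away from passwords, as an added example that is not from GitHub or the original article: the script classifies each remote as SSH, HTTPS relying on a credential helper or prompt, or HTTPS with a secret embedded in the URL. The category names are this example's own, and the token-prefix check is a heuristic.

```bash
#!/usr/bin/env bash
# Added example: classify how a Git remote URL authenticates to github.com.
# Category names are this example's own; inputs used with it are constructed.

# classify_remote URL -> prints one of:
#   ssh | https-helper | https-embedded-token | https-embedded-secret | not-github
classify_remote() {
  local url="$1" rest authority host userinfo secret fallback
  case $url in
    git@github.com:*|ssh://git@github.com/*) echo ssh; return ;;
    https://*) rest=${url#https://} ;;
    *) echo not-github; return ;;
  esac
  authority=${rest%%/*}        # [userinfo@]host[:port]
  host=${authority##*@}        # drop userinfo, if any
  host=${host%%:*}             # drop port, if any
  # Exact match only, so look-alike hosts such as github.com.example.net fail.
  [ "$host" = github.com ] || { echo not-github; return; }
  case $authority in
    *@*) userinfo=${authority%@*} ;;
    *)   echo https-helper; return ;;   # secret comes from a helper or prompt
  esac
  case $userinfo in
    *:*) secret=${userinfo#*:}; fallback=https-embedded-secret ;;
    *)   secret=$userinfo;      fallback=https-helper ;;  # bare username
  esac
  # Prefixes of GitHub's newer token formats. Older 40-character tokens have
  # no prefix, so they land in https-embedded-secret together with passwords.
  case $secret in
    gh[pousr]_*|github_pat_*) echo https-embedded-token ;;
    *) echo "$fallback" ;;
  esac
}

# audit_repo DIR: print "DIR <tab> remote <tab> class" for each remote.
# The URL itself is never printed, because it may contain a secret.
audit_repo() {
  git -C "$1" remote | while read -r name; do
    printf '%s\t%s\t%s\n' "$1" "$name" \
      "$(classify_remote "$(git -C "$1" remote get-url "$name")")"
  done
}

# Usage: ./audit-remotes.sh /path/to/repo [/path/to/other-repo ...]
for repo in "$@"; do audit_repo "$repo"; done
```

Any remote reported as `https-embedded-secret` or `https-embedded-token` keeps a credential in plaintext in `.git/config`; rotate it and move to a credential helper or an SSH remote.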