As previously announced, beginning November 13th, 2020, we will no longer accept account passwords when authenticating with the REST API and will require the use of token-based authentication (e.g., a personal access, OAuth, or GitHub App installation token) for all authenticated API operations on GitHub.com.

Additionally, today we are announcing our intent to similarly require the use of a personal access token, OAuth token, or SSH key for all authenticated Git operations at a future date. If you have two-factor authentication enabled for your account, you will not be affected by the future Git authentication changes.

We have not announced any changes to GitHub Enterprise Server, which remains unaffected at this time. Likewise, GitHub Apps do not use password authentication and are similarly unaffected by these changes.

Background

In recent years, GitHub customers have benefited from a number of security enhancements to GitHub.com such as two-factor authentication, sign-in alerts, verified devices, preventing the use of compromised passwords, and WebAuthn support. These features make it more difficult for an attacker to take a password that’s been reused across multiple websites and use it to try to gain access to your GitHub account. Despite these improvements, for historical reasons customers without two-factor authentication enabled have been able to continue to authenticate Git and API operations using only their GitHub username and password.

Beginning November 13th, 2020, we will no longer accept account passwords when authenticating via the REST API and will require the use of token-based authentication such as a personal access token (for developers) or an OAuth or GitHub App installation token (for integrators) for all authenticated API operations on GitHub.com.

The use of tokens offers a number of security benefits over password-based authentication:
