33

I recently started getting notifications about the GitHub deprecation of basic authentication using a password to Git - see their blog post https://github.blog/2020-12-15-token-authentication-requirements-for-git-operations/.

In this post, they say the following:

For developers, if you are using a password to authenticate Git operations with GitHub.com today, you must begin using a personal access token over HTTPS (recommended) or SSH key by August 13, 2021, to avoid disruption.

A short while ago, I started using SSH keys on some of the machines I use anyway to avoid entering my password regularly or storing it unencrypted with credential helper. However, as per above, they say personal access tokens are "recommended".

What I would like to know is what are the key differences between each of these methods? This is to get some insight into why tokens are "recommended" and whether it is worth switching to this method of authentication.

Callum Wilson
  • 349
  • 1
  • 3
  • 7

1 Answers1

29

From the blog post you linked, I can see at least one benefit of tokens over SSH keys: while tokens and SSH keys both share the Unique, Revocable, and Random benefits quoted in the blog post below, tokens are also Limited in comparison to SSH keys in that they come with their own scoped permissions baked in:

GitHub Personal Access Token scopes screenshot

While SSH keys can be read-only or read-write enabled, or scoped to specific repositories, personal access tokens do have an edge in terms of their finer-grained permissions model in comparison. This is likely why GitHub recommends tokens over SSH keys.

Tokens offer a number of security benefits over password-based authentication:

  • Unique – tokens are specific to GitHub and can be generated per use or per device
  • Revocable – tokens can can be individually revoked at any time without needing to update unaffected credentials
  • Limited – tokens can be narrowly scoped to allow only the access necessary for the use case
  • Random – tokens are not subject to the types of dictionary or brute force attempts that simpler passwords that you need to remember or enter regularly might be
Adil B
  • 14,635
  • 11
  • 60
  • 78
  • they could have put the work into making ssh keys have scoped permissions too. would have made zero difference. instead we get this mess :( – kritzikratzi Jan 24 '23 at 22:55