by JensenDied 2411 days ago
I found this out the hard way as well, at some point since I last logged in they quietly enacted a policy of deleting keys that aren't used for roughly a year.[1] This meant I couldn't use the not so public method of verifying I still had access to various associated keys.

[1] https://help.github.com/en/github/authenticating-to-github/d...


Now that you mention this I vaguely recall receiving an email from them a long time ago that they were going to purge my keys. Wow so much of this is beginning to make sense. Why would they remove keys that people unknowingly may be relying on as the only way to gain access to their account?
Why should they support holding onto SSH keys forever in case you forgot to write down your backup 2FA codes, especially when they've never advertised that they'll accept SSH key-signed artifacts as proof of identity?
Why would they purge SSH keys when they don't purge anything else? Why not just purge the whole account after a year of inactivity, if they care so much about space?
It's clearly not about space. Old SSH keys are a security hazard. Even more so keys you aren't using anymore and therefore may not be particularly careful with.

Heck, even in this very scenario, if I haven't used an SSH key with GitHub in many years, and then GitHub receives an artifact signed with that key saying "I lost my 2FA token and backup codes, please reset account auth so I can log back in", I very much do not want GitHub to trust that artifact. If I haven't used the key in years, that probably means I don't have it anymore and either never got around to removing it from GitHub or forgot it was there.

That was the only way I had access to my account completely unbeknownst to me. Had I known keys are the only way I would have remedied the situation.
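The check the first poster wished they had run before keys went missing, as an added example that is not part of the thread and not GitHub's code or API: given the account's list of registered public keys with their last-used dates and the public-key files held locally, compute each key's OpenSSH SHA256 fingerprint, report registered keys with no local counterpart (you no longer hold them) and keys that have gone unused longer than the roughly one-year window the linked policy describes. The inventory format, the 365-day threshold and all key material below are constructed for illustration.

```python
"""Audit SSH keys registered on a hosted Git account against local key files.

Added example, not GitHub's code. The inventory layout, the 365-day
threshold and every key blob here are constructed for illustration.
"""
import base64
import hashlib
from dataclasses import dataclass
from datetime import date

STALE_AFTER_DAYS = 365  # assumption modelled on the "roughly a year" policy


@dataclass
class RegisteredKey:
    title: str
    public_key: str   # one OpenSSH public-key line: "<type> <base64 blob> [comment]"
    last_used: date


def fingerprint(public_key_line: str) -> str:
    """OpenSSH-style SHA256 fingerprint of a public-key line.

    Only the base64 key blob is hashed, so the trailing comment does not
    affect the result (ssh-keygen -lf behaves the same way).
    """
    _key_type, blob_b64 = public_key_line.split()[:2]
    blob = base64.b64decode(blob_b64)
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def audit(registered, local_public_keys, today, stale_after_days=STALE_AFTER_DAYS):
    """Classify each registered key.

    'stale'     - not used within stale_after_days; the host may delete it
    'unmatched' - no local public key has the same fingerprint, so the
                  private key is probably gone and the entry should be removed
    'ok'        - recently used and still held locally
    A key can appear in both 'stale' and 'unmatched'.
    """
    local_fps = {fingerprint(k) for k in local_public_keys}
    findings = {"stale": [], "unmatched": [], "ok": []}
    for key in registered:
        problems = 0
        if (today - key.last_used).days > stale_after_days:
            findings["stale"].append(key.title)
            problems += 1
        if fingerprint(key.public_key) not in local_fps:
            findings["unmatched"].append(key.title)
            problems += 1
        if problems == 0:
            findings["ok"].append(key.title)
    return findings


# Constructed sample data: valid base64 with the ed25519 wire-format prefix,
# but deliberately NOT real keys.
_ED25519_PREFIX = "AAAAC3NzaC1lZDI1NTE5AAAAI"
KEY_A = _ED25519_PREFIX + "A" * 43
KEY_B = _ED25519_PREFIX + "B" * 43
KEY_C = _ED25519_PREFIX + "C" * 43

REGISTERED = [
    RegisteredKey("laptop-2023", f"ssh-ed25519 {KEY_A} me@laptop", date(2024, 2, 1)),
    RegisteredKey("old-desktop", f"ssh-ed25519 {KEY_B} me@desktop", date(2022, 11, 15)),
    RegisteredKey("ci-runner", f"ssh-ed25519 {KEY_C} ci", date(2024, 1, 20)),
]

# What ~/.ssh/*.pub would contain locally (constructed); comments differ on purpose.
LOCAL_PUBLIC_KEYS = [
    f"ssh-ed25519 {KEY_A} laptop-key",
    f"ssh-ed25519 {KEY_C}",
]


def run_sample(today=date(2024, 3, 1)):
    return audit(REGISTERED, LOCAL_PUBLIC_KEYS, today)


if __name__ == "__main__":
    for category, titles in run_sample().items():
        print(f"{category:>9}: {', '.join(titles) or '-'}")
```

Running it on the constructed inventory flags `old-desktop` both as stale and as unmatched, which is exactly the combination the thread argues the host should not trust: a key nobody has used in over a year and whose private half the owner can no longer produce. For a real account, feed `audit()` the key list the provider shows you and the contents of your own `*.pub` files.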