GitHub is also one of the few big sites that support Passkeys for 2FA. You can use your Trusted Platform Module, YubiKey, or any Secure Enclave-equipped Mac to 2FA.
> GitHub is also one of the few big sites that support Passkeys for 2FA.
Not yet, it seems? "Lastly, we’re already testing passkeys internally, which we believe will combine ease of use with strong, phishing-resistant authentication. Keep an eye on this space for when this functionality is ready for you."
Passkeys are WebAuthn "discoverable credentials", meaning they contain a user identifier as well as a private key for signing.
When a site fully supports passkeys, you are able to sign in to your account without having to enter a username, just by using your site-specific passkey (e.g. https://www.passkeys.io).
GitHub's current implementation is based on pre-passkey WebAuthn that allows you to add a non-discoverable credential as 2nd factor. To sign in, you still need to enter your username, your password, and then get prompted for your WebAuthn credential, which can be stored on a physical security key, but also on your devices via the platform authenticator capability (Windows Hello, Touch ID, ...).
So, while GitHub's current 2nd-factor WebAuthn implementation (as awesome as it is) is not "passkey", I'm sure they will be among the first bigger websites to launch full passkey capabilities on their login page pretty soon.
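To make the difference concrete, here is an added example (not code from the thread or from GitHub) showing the WebAuthn option objects a relying party would build for the passkey flow versus the second-factor flow described above, and how it resolves the user from the returned assertion; the rpId, user and credential ids are constructed.

```javascript
// Added example: plain option objects only, no browser API is called, so it
// runs under Node. "example.org", user handles and credential ids are made up.
const ES256 = -7; // COSE algorithm id for ECDSA P-256 / SHA-256

// Registration options for a passkey (discoverable credential): the
// authenticator must store the user handle next to the private key.
function buildPasskeyRegistration(rpId, userId, userName, challenge) {
  return {
    rp: { id: rpId, name: rpId },
    user: { id: userId, name: userName, displayName: userName },
    challenge,
    pubKeyCredParams: [{ type: "public-key", alg: ES256 }],
    authenticatorSelection: {
      residentKey: "required",
      requireResidentKey: true, // older field kept for compatibility
      userVerification: "required",
    },
  };
}

// Username-less passkey sign-in: allowCredentials is empty, so the
// authenticator offers whatever discoverable credentials it holds for rpId.
function buildPasskeyAssertion(rpId, challenge) {
  return { rpId, challenge, allowCredentials: [], userVerification: "required" };
}

// Second-factor flow: the server already knows the user (username + password)
// and lists that user's credential ids; no stored user handle is needed.
function buildSecondFactorAssertion(rpId, challenge, credentialIds) {
  return {
    rpId,
    challenge,
    allowCredentials: credentialIds.map((id) => ({ type: "public-key", id })),
    userVerification: "preferred",
  };
}

// Server side: which account does this assertion belong to? For a passkey the
// userHandle returned by the authenticator identifies it; for a non-discoverable
// credential the returned id must be one the server offered for that user.
function resolveUser(options, assertion, db) {
  if (options.allowCredentials.length === 0) {
    const handle = assertion.response.userHandle;
    return handle ? db.usersByHandle[handle] ?? null : null;
  }
  const offered = options.allowCredentials.some((c) => c.id === assertion.id);
  return offered ? db.usersByCredential[assertion.id] ?? null : null;
}
```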
I also learned that it's possible to create an ECDSA key pair within the Secure Enclave, and it is only possible to extract the public key, or to authenticate with it, including when you SSH to GitHub. Your private key is never on disk.