The Wayback Machine - https://web.archive.org/web/20241206062211/https://github.blog/news-insights/company-news/token-authentication-requirements-for-api-and-git-operations/
Token authentication requirements for API and Git operations
As previously announced, beginning November 13th, 2020, we will no longer accept account passwords when authenticating with the REST API and will require the use of token-based authentication (e.g., a personal access, OAuth, or GitHub App installation token) for all authenticated API operations on GitHub.com.
Additionally, today we are announcing our intent to similarly require the use of a personal access token, OAuth token, or SSH key for all authenticated Git operations at a future date. If you have two-factor authentication enabled for your account, you will not be affected by the future Git authentication changes.
We have not announced any changes to GitHub Enterprise Server, which remains unaffected at this time. Likewise, GitHub Apps do not use password authentication and are similarly unaffected by these changes.
Background
In recent years, GitHub customers have benefited from a number of security enhancements to GitHub.com such as two-factor authentication, sign-in alerts, verified devices, preventing the use of compromised passwords, and WebAuthn support. These features make it more difficult for an attacker to take a password that’s been reused across multiple websites and use it to try to gain access to your GitHub account. Despite these improvements, for historical reasons customers without two-factor authentication enabled have been able to continue to authenticate Git and API operations using only their GitHub username and password.
Beginning November 13th, 2020, we will no longer accept account passwords when authenticating via the REST API and will require the use of token-based authentication such as a personal access token (for developers) or an OAuth or GitHub App installation token (for integrators) for all authenticated API operations on GitHub.com.
Tokens offer a number of security benefits over password-based authentication:
Unique – tokens are specific to GitHub and can be generated per use or per device
Revocable – tokens can be individually revoked at any time without needing to update unaffected credentials
Limited – tokens can be narrowly scoped to allow only the access necessary for the use case
Random – unlike simpler passwords that you need to remember or enter regularly, tokens are not subject to dictionary or brute force attempts
What you need to do today
For developers, if you are using a password to authenticate against the GitHub API today, you must begin using a personal access token prior to November 13th, 2020 to avoid disruption. If you receive a warning that you are using an outdated third-party integration, you should update your client to the latest version.
Today we are also announcing our intent to require the use of a personal access token, OAuth token, or SSH key for all authenticated Git operations. We aren’t making any changes yet, but hope that communicating this information early will help you plan for any changes you may need to make. You can expect us to share additional details about the change later this year, with the current functionality remaining unchanged through mid-2021.
If you use a username and password to authenticate Git operations today, you should make the following changes to avoid disruption in the future:
If you would like to confirm that you are no longer using password-based authentication, you can enable two-factor authentication for your account today, which requires a personal access or OAuth token for all authenticated operations via Git and third-party integrations.
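An added example, not part of GitHub's post: a small Python audit that finds Basic-auth credentials aimed at GitHub in scripts and Git config lines and reports whether each looks like a password or a token, without echoing the secret. The token-shape heuristic, the function names and the sample lines are assumptions made for this illustration.

```python
import re

# Heuristic (assumption, not from the post): classic personal access tokens
# are 40 hex characters; newer tokens carry a gh?_ prefix.
TOKEN_LIKE = re.compile(r"^(?:[0-9a-f]{40}|gh[pousr]_[A-Za-z0-9]{36,})$")

# Credentials embedded in a URL: https://user:secret@github.com/...
URL_CREDS = re.compile(
    r"https://(?P<user>[^\s:/@]+):(?P<secret>[^\s/@]+)"
    r"@(?P<host>(?:api\.)?github\.com)\b")

# curl -u user:secret / --user user:secret, optionally quoted
CURL_USER = re.compile(
    r"(?:\s-u|--user)[ =]+['\"]?(?P<user>[^\s:'\"]+):(?P<secret>[^\s'\"]+)")


def classify(secret):
    """Label a Basic-auth secret by shape; the secret itself is never returned."""
    if secret.startswith("$"):
        return "variable"  # value unknown here: check what the variable holds
    return "token-like" if TOKEN_LIKE.match(secret) else "password-like"


def audit(text):
    """Return one finding per line that sends user:secret to GitHub."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m, host = URL_CREDS.search(line), None
        if m:
            host = m["host"]
        elif "api.github.com" in line:
            m, host = CURL_USER.search(line), "api.github.com"
        if m:
            findings.append({"line": lineno, "host": host,
                             "user": m["user"], "kind": classify(m["secret"])})
    return findings


# Constructed sample input: CI script and .git/config lines (not real credentials).
SAMPLE = """\
# deploy.sh and .git/config excerpts
curl -u alice:CorrectHorse9 https://api.github.com/user/repos
curl -u "alice:$GITHUB_TOKEN" https://api.github.com/user
url = https://alice:0123456789abcdef0123456789abcdef01234567@github.com/acme/app.git
url = git@github.com:acme/app.git
curl -H "Authorization: token $GITHUB_TOKEN" https://api.github.com/user
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

Lines reported as `password-like` are the ones that stop working under the change described above; `variable` findings need a look at what the variable actually holds.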
Timeline
Today – If you are using passwords to authenticate with the API today, you may receive an email urging you to update your authentication method or third-party client.
September 30th and October 28th – Personal access or OAuth tokens will be temporarily required for all API operations to encourage customers to update their authentication method.
November 13th – Personal access or OAuth tokens will be required for all authenticated operations via the REST API (a personal access token is already required for authenticating with the GraphQL API).
Mid-2021 – Personal access or OAuth tokens will be required for all authenticated Git operations.
Ben Balter is Chief of Staff for Security at GitHub, the world’s largest software development platform. Previously, as a Staff Technical Program Manager for Enterprise and Compliance, Ben managed GitHub’s on-premises and SaaS enterprise offerings, and as the Senior Product Manager overseeing the platform’s Trust and Safety efforts, Ben shipped more than 500 features in support of community management, privacy, compliance, content moderation, product security, platform health, and open source workflows to ensure the GitHub community and platform remained safe, secure, and welcoming for all software developers. Before joining GitHub’s Product team, Ben served as GitHub’s Government Evangelist, leading the efforts to encourage more than 2,000 government organizations across 75 countries to adopt open source philosophies for code, data, and policy development.