How to Enable Passkeys on GitHub (2025 Step-by-Step Guide)

2025-04-19 ~6 min read

GitHub is where developers store code, and your GitHub account is a gateway to critical infrastructure. Passkeys provide the strongest possible security: passwordless authentication that's phishing-proof and impossible to compromise remotely.

GitHub added passkey support in 2024, and it's now the recommended way to secure your account. This guide walks you through setup in under 5 minutes.

What Are GitHub Passkeys?

Passkeys are a modern replacement for passwords. Instead of typing a password, you authenticate using:

Your device: A phone, laptop, or security key
Your biometric: Face ID, fingerprint, or PIN
Cryptography: A unique key pair that proves your identity

Your actual password never exists. This eliminates password reuse, phishing, and brute-force attacks.

Why Passkeys Matter for Developers

Your GitHub account controls:

All your repositories (public and private)
Access tokens for CI/CD pipelines
SSH keys used in production
Account settings and permissions

If someone hacks your GitHub account, they could steal code, inject malware, or compromise deployed applications. Passkeys prevent this entirely.

Requirements

A GitHub account with access to settings
A device with biometric/PIN support:
- iPhone/Mac (Face ID or Touch ID)
- Android phone (fingerprint or face recognition)
- Windows laptop (Windows Hello)
(Optional) A security key like YubiKey for maximum security

Step-by-Step: Enable Passkeys on GitHub

Step 1: Log Into GitHub Settings

Go to github.com and log in
Click your profile photo (top right) → "Settings"
In the left menu, click "Password and authentication"
You'll see a section called "Passkeys"

Step 2: Register Your First Passkey

Click "Register a new passkey"
Give your passkey a name (e.g., "iPhone Face ID" or "YubiKey")
Click "Register passkey"
GitHub will prompt you to verify your identity (use your current password or 2FA)

Step 3: Complete Passkey Registration

Your browser will prompt you to create a passkey
Choose your device/method:
- This device: Uses your phone/computer's biometric
- A security key: Use a YubiKey or similar
- Another device: Use your phone to scan a QR code
Follow the biometric prompt (Face ID, fingerprint, PIN, etc.)
GitHub will confirm the passkey was registered

💡 Pro tip: Register at least 2 passkeys—one on your main device and one backup (another phone or a security key). This way you're never locked out.

Step 4: Register a Backup Passkey

Go back to "Password and authentication"
Click "Register a new passkey" again
Choose a different device (e.g., if you used your iPhone, use your Apple Watch or Android phone)
Complete the registration

Step 5: Keep Your Password (For Now)

GitHub still requires a password for recovery and CLI access
Make sure your password is strong (16+ characters)
You can change it in the same "Password and authentication" section
Consider using a password manager to generate and store it

Note: GitHub hasn't made passkeys completely passwordless yet. You still need a password for recovery, but it's no longer used for regular sign-ins.

Step 6: Enable Passkey-Only Login (Optional)

Once you have passkeys set up, go to "Password and authentication"
Look for "Passkey-only sign-in" option
If available, enable it to disallow password-based sign-in entirely
This provides maximum security but requires passkeys for everything

Signing In With Your Passkey

After setup, signing into GitHub is simple:

Visit github.com
Enter your GitHub username/email
Instead of a password field, click "Sign in with passkey"
Your browser will ask for biometric authentication
Use Face ID, fingerprint, or your security key
You're logged in instantly

CLI Authentication With Passkeys

Important: GitHub CLI (`gh`) doesn't yet support passkey authentication. You'll need to use Personal Access Tokens (PATs) for command-line access.

Go to Settings → Developer settings → Personal access tokens
Create a new token with `repo` scope
Save this token in your password manager
Use this token instead of your password for CLI authentication

Pro tip: Store your PAT in a password manager and use `gh auth login` to authenticate your CLI. Never paste your token directly into commands.

What If You Lose Your Passkey?

If you lose your phone or security key:

You still have other passkeys? Sign in with a different passkey and register a new one
You've lost all passkeys? Use your password or recovery codes to sign back in, then register new passkeys
You're locked out completely? Contact GitHub support (they can verify your identity and help recover access)

This is why registering backup passkeys is crucial.

Security Considerations

Phishing Protection

Passkeys are bound to github.com. Even if you visit a phishing site that looks identical to GitHub, your passkey won't authenticate. This prevents one of the most common attack vectors.

No Password Reuse

Since you don't have a GitHub password to remember, there's no temptation to reuse it elsewhere. Each account gets its own security model.

Biometric Security

Your biometric (Face ID, fingerprint) is processed locally on your device and never sent to GitHub. It's the most secure authentication method available.

Next Steps

After securing GitHub with passkeys:

Enable 2FA on your email account - Your email is the recovery path if you lose all passkeys
Audit access tokens - Review and remove old Personal Access Tokens in Developer Settings
Check SSH keys - Make sure only your current keys are registered
Enable commit signing - Sign commits with GPG keys to prove your work is authentic
Set up backup authentication - Register passkeys on multiple devices

Learn more about FIDO2 and passwordless authentication →