How to set up two-factor authentication on GitHub using a YubiKey?
Hello everyone!
Setting up two-factor authentication on GitHub with a YubiKey is one of the most reliable ways to keep your developer account safe. Not everyone knows how to secure an account using modern methods, yet all you need is to be the happy owner of a YubiKey hardware security key.
Many people are aware of the existence of two-factor authentication, but not everyone knows how far this authentication technology has advanced.
In this article, we’ll look at how to set up two-factor authentication with a YubiKey hardware security key, using GitHub, the popular web service for hosting IT projects, as an example.
Following the steps in this article will help you quickly and easily set up your two-factor authentication on GitHub using a key.
We will also look at logging in with Passkeys (logging in without the need to enter a username and password) using a YubiKey.
Two-factor authentication on GitHub: adding a security key
Setting up two-factor authentication on GitHub
It’s important to mention: I’m using the Chrome browser to set up authentication.
The official documentation on setting up two-factor authentication can be found on the GitHub website. You can also learn more about the keys themselves on the website of Yubico, the manufacturer of the YubiKey.
So, we are on the GitHub home page. What’s next?
On the right, we can see our profile icon.
By clicking on it, we open a side context menu containing various functional menu items. We are interested in the “Settings” tab.
In the settings, we can edit our profile, change the theme, configure notifications, set a name, fill in information about ourselves, and much more. But we are interested in the “Password and authentication” section.
After clicking on “Password and authentication”, we land on the Account Security page. Here we can change the password, set up two-factor authentication on GitHub, and add a security key in the “Two-factor authentication” section. That’s exactly what we need.
Adding a key for two-factor authentication on GitHub
Since March 2023, GitHub requires adding a two-factor authentication method to your account. This means you must enable this feature for your account in any case. The most reliable way is to set up two-factor authentication on GitHub using a YubiKey.
The advantage of using a YubiKey for two-factor authentication is the additional security this authentication method provides. After all, a YubiKey is a physical device that is always with you, which makes your account more resistant to various types of online fraud. With a YubiKey, you no longer need inconvenient authentication apps.
However, in order to use the key, you first need to add any authentication method, either SMS or via an app. This is a mandatory requirement.
I added authentication via an app.
I downloaded the Google Authenticator app and then scanned the QR code inside the app.
Next, we enter the 6-digit code, and app-based authentication is ready.
After that, we go to the “Two-factor authentication” section. We find the “Security Keys” row, click “Edit”, and then click “Register new security key”.
Next, we enter the name of our key. Let’s call it Primary key and click “Add”. (At this stage, don’t forget to insert the key into your PC).
After this, the registration of our key on GitHub begins. Make sure the key is plugged into the USB port. Touch the key.
If you haven’t registered your key before, you’ll need to create a PIN code for your key and confirm it.
My key is already set up, so I just enter my PIN code for the key, click “Ok”, and then touch the key. (At this step, do not remove the key from the USB port).
Touch the key.
That’s it, the key has been added! Two-factor authentication on GitHub is now set up on your account. In the “Security Keys” section, we can see our newly added key.
Also, GitHub allows you to add a Passkey as an authentication option.
To the right, we have the option to upgrade our security key to a passkey. A passkey allows you to log into your account using the key without additionally entering a username and password; this is FIDO2 technology. Next, we’ll look at exactly how these two login options differ from each other. But for now, let’s check how the account login with the key works.
Testing the security key
I sign out of the account and land on the login page.
Next, to log into the account using our key, we need to enter the account username and password and click “Sign In”.
After this, a message will appear asking to confirm that it’s really you logging into the account. We insert the YubiKey into our PC and click “Use Security Key”.
Your OS will ask you to touch the key. Touch the key.
Awesome! We’ve linked our key, set up two-factor authentication on GitHub, and verified that everything works.
Logging in without a username and password using PassKey technology
GitHub supports Passkey technology, so let’s upgrade our SecurityKey to a Passkey.
Passkey is a new authentication technology that allows you to log into websites and applications without the need to enter your account username and password.
Adding a Passkey
Here we have two options, let’s look at them:
Option 1
Click “Upgrade primary key to passkey” and upgrade your SecurityKey to a PassKey.
If we click “Upgrade primary key to passkey”, we land on a new page.
Next, we follow the steps to upgrade our account.
Enter the PIN for the key.
Touch the key.
Give the key a name. In my case, this is “Primary key passkey”, and click “Done”.
All done! We have successfully upgraded our SecurityKey to a Passkey.
Option 2
Adding a Passkey from scratch.
We are interested in the “Passkeys” section, which we’ll find above the “Two-factor authentication” section.
Click “Add a passkey” and start the setup. (At this stage, don’t forget to insert the key into your PC).
We create (if not previously created) and enter the PIN for our key.
After this, you need to touch your key.
Next, you need to give the key a name and click the “Done” button.
That’s it, all done!
After successfully adding it, our key should appear in the settings.
You can also choose your preferred authentication method on GitHub in the “Two-factor authentication” section. Since we just added a Passkey, let’s select the “Passkeys” option.
Logging into the account via Passkey
Let’s try to log into the account without a username and password, using the YubiKey. To do this, when logging into the account, you need to click the “Continue with passkey” button.
Confirm the login. Touch the sensor on the key, just like before during setup.
After this, you need to enter the PIN code for the key.
After this, touch the key once again.
That’s it! We’ve logged into the account. It’s incredibly simple.
There’s no need to memorize a username and a complex password, or use inconvenient authentication apps.
Now you can log into your account using a modern authentication method thanks to the YubiKey. Two-factor authentication on GitHub via a hardware key is the most reliable way to protect a developer account.
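Why the two logins above prompt differently (touch only after a password, PIN plus touch for a passkey), shown as an added example that is not part of the original article and not GitHub's code: a server-side check of the WebAuthn authenticator data header. The RP ID `github.com`, the function names and the sample bytes are assumptions constructed for illustration.

```python
import hashlib
import struct

RP_ID = "github.com"   # assumption: the relying-party ID the credential is scoped to
FLAG_UP = 0x01         # User Present: the key was touched
FLAG_UV = 0x04         # User Verified: the PIN was checked on the key itself


def parse_authenticator_data(data: bytes) -> dict:
    """Split the fixed 37-byte header of WebAuthn authenticator data."""
    if len(data) < 37:
        raise ValueError("authenticator data shorter than 37 bytes")
    flags = data[32]
    return {
        "rp_id_hash": data[:32],
        "user_present": bool(flags & FLAG_UP),
        "user_verified": bool(flags & FLAG_UV),
        "sign_count": struct.unpack(">I", data[33:37])[0],
    }


def check_assertion(data: bytes, flow: str) -> list:
    """Return the policy violations for one login (empty list means accept).

    flow is "second_factor" (key used after username and password) or
    "passkey" (key replaces username and password). Verifying the
    signature over this data is a separate step and is not shown here.
    """
    if flow not in ("second_factor", "passkey"):
        raise ValueError("unknown flow: " + flow)
    ad = parse_authenticator_data(data)
    problems = []
    if ad["rp_id_hash"] != hashlib.sha256(RP_ID.encode()).digest():
        problems.append("credential was exercised for a different site")
    if not ad["user_present"]:
        problems.append("no touch recorded")
    if flow == "passkey" and not ad["user_verified"]:
        problems.append("passkey login without PIN verification")
    return problems


def make_sample(rp_id: str, flags: int, count: int) -> bytes:
    """Constructed authenticator data for the demo, not captured from a real key."""
    return hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + struct.pack(">I", count)


if __name__ == "__main__":
    touch_only = make_sample(RP_ID, FLAG_UP, 7)
    print(check_assertion(touch_only, "second_factor"))
    print(check_assertion(touch_only, "passkey"))
```

The hash of the site's identity inside the signed data is what makes the key resistant to look-alike login pages: a response produced for any other site fails the first check.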
Important note. If you use your key to log into your account, I recommend purchasing two YubiKey keys at once and setting them up sequentially. In case your primary key gets lost, you’ll be able to use the second, backup key to log into your account.
If you found this article on how to set up two-factor authentication on GitHub helpful, leave your comments and share your experience using security keys. See you next time!