GitHub has announced that beginning on November 13th, 2020, they will require that developers using the GitHub REST APITrack this API use token-based authentication. This will now be required for all authenticated operations in replacement of the previously allowed account password access.
GitHub explained the reasoning behind this decision, with a balanced perspective based on security advancements made over time and a longing to do right by legacy users.
“In recent years, GitHub customers have benefited from a number of security enhancements to GitHub.com such as two-factor authentication, sign-in alerts, verified devices, preventing the use of compromised passwords, and WebAuthn support. These features make it more difficult for an attacker to take a password that’s been reused across multiple websites and use it to try to gain access to your GitHub account. Despite these improvements, for historical reasons customers without two-factor authentication enabled have been able to continue to authenticate Git and API operations using only their GitHub username and password.”
GitHub further outlined that they see value in authentication tokens because they are unique, revocable, limited, and random. Each of these attributes allows GitHub to ensure that the platform is a safe place for developers to operate.