
Does deprecation of basic password authentication affect GitHub deploy keys?

I received an email from GitHub stating:

You recently used a password to access the repository at username/repo with git using git/2.24.3 (Apple Git-128). Basic authentication using a password to Git is deprecated and will soon no longer work. Visit https://github.blog/2020-12-15-token-authentication-requirements-for-git-operations/ for more information around suggested workarounds and removal dates.

So I'll need to use another method for standard command line for git commits pushed to GitHub, which shouldn't be a problem.

But I wonder does this affect deploy keys? For example, in automated processes that have been running for some months or years - should we prepare for changes?

I have checked the blog post, and note that there's still plenty of time (deprecation happens 13 August 2021), but it will be important to understand any effect on deploy keys in order to prepare.

stevec asked Dec 18 '20 00:12




1 Answer

No, deploy keys are unaffected. The only thing that's affected is using a password to authenticate to Git or Git LFS over HTTPS. If you use a personal access token or OAuth token over HTTPS or you use SSH at all (whether with a personal or deploy key), those are unaffected.

The reason for this change is because knowing an account's password allows you to log into that account, change the password, and configure virtually every setting. On the other hand, a token does not allow you to log in via the web interface and is typically restricted to a limited set of scopes, and it is pseudorandomly generated. Similarly, SSH keys are also restricted in their access and are not easily guessable.

As a result, the consequences of accidentally exposing your authentication credentials are lower and the set of credentials you replace it with is unlikely to be guessable from the old exposure.

bk2204 answered Oct 21 '22 13:10
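
The rule in the answer above, as an added example that is not part of the original thread: a shell helper that classifies the remotes of a checkout by transport, so an automated job can confirm it pushes over SSH (unaffected) rather than HTTPS. The function names `classify_remote` and `audit_repo` are hypothetical, and the script cannot see whether an HTTPS credential held in a credential helper is a password or a token.

```shell
#!/usr/bin/env bash
# Added example (not from the original thread): classify Git remote URLs by
# transport. Per the answer, only password authentication over HTTPS is
# affected; SSH (personal or deploy key) is not.

# Print one of: ssh | https | https-embedded-secret | other | local
classify_remote() {
    local url="$1" rest authority
    case "$url" in
        ssh://*) echo ssh ;;
        https://*|http://*)
            rest=${url#*://}          # drop the scheme
            authority=${rest%%/*}     # [user[:secret]@]host[:port]
            case "$authority" in
                *:*@*) echo https-embedded-secret ;;  # user:secret@host
                *)     echo https ;;
            esac ;;
        *://*) echo other ;;          # git://, file://, ...
        *)
            # scp-like syntax ([user@]host:path) means SSH when a colon
            # appears before the first slash; otherwise it is a local path.
            case "${url%%/*}" in
                *:*) echo ssh ;;
                *)   echo local ;;
            esac ;;
    esac
}

# List each remote of the repository at $1 (default: current directory).
# The URL itself is not printed, so an embedded secret never reaches logs.
audit_repo() {
    local repo="${1:-.}" key url kind note
    git -C "$repo" config --get-regexp '^remote\..*\.url$' |
    while read -r key url; do
        kind=$(classify_remote "$url")
        case "$kind" in
            ssh)   note="unaffected (SSH key, deploy keys included)" ;;
            https) note="affected only if the stored credential is a password" ;;
            https-embedded-secret)
                   note="secret in URL; affected if it is an account password" ;;
            *)     note="no HTTPS password authentication involved" ;;
        esac
        printf '%s\t%s\t%s\n' "$key" "$kind" "$note"
    done
}
```

After sourcing the file, run `audit_repo /path/to/checkout` on the machine where the automated job runs.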