GitHub has announced that in the future it will rely entirely on token-based authentication. Registration via name and password is no longer possible for the REST API from November. Probably from summer 2021, developers will need tokens for all GitHub actions that require authentication.
The reason for the measures is the increased protection against abuse. Among other things, there was a large-scale phishing campaign for GitHub users in April. Like GitLab and Atlassian, the company has been offering Personal Access Tokens (PATs) as a safer alternative for some time. Among other things, tokens have the advantage that they can be withdrawn at any time and tailored to specific uses.
Timetable with stops in November and mid-2021
There is currently no need for action as access by name and password is still possible until the end of the year, but an early changeover is advisable due to the reduced risk of unauthorized access to repository content.
On September 30th and October 28th, GitHub temporarily requests either personal access or OAuth tokens for all API operations for two three-hour periods to inform customers of the changeover and to move them more or less gently. As of November 13th, access to the REST API will only be possible via tokens. Access attempts via name and password are acknowledged by the interface with the HTTPS status code
GitHub does not provide a specific date for the change of access via tokens for all other authenticated Git operations, but instead the blog post for the announcement speaks from mid-2021. In addition to PATs, OAuth tokens or SSH keys are permitted for the Git operations.