As the next step in the journey towards a more secure GitHub experience, beginning November 13^th, GitHub and Visual Studio will no longer accept account passwords when authenticating with the REST API and will instead require using token-based authentication (e.g., personal access or OAuth), for all authenticated operations for GitHub.com.

As a result of the change, Git credential helpers such as the Git Credential Manager (GCM) that authenticate via account passwords won’t be able to create new access tokens or authenticate you for GitHub.com operations with your username and password.

What does that mean for you?

We’ll be releasing a new servicing update tomorrow (Tuesday November 10^th) for Visual Studio 2017 (version 15.9.0) and Visual Studio 2019 (versions 16.0, 16.4 & 16.7), where we’ll include support for the new Git Credential Manager Core (GCM Core), which supports OAuth token-based authentication. Updating to these Visual Studio versions will automatically transition you to the new GCM Core experience and ensure your experience is not impacted.

As part of this change, you’ll notice that GitHub.com operations that require credentials will now only allow you to authenticate via the OAuth based web browser authentication flow:

If you are using older versions of Visual Studio and cannot update to the latest Visual Studio 2019 offering, please refer to the additional workarounds on the GCM Core GitHub page.

Wrapping up

We encourage you to take advantage of some of the other security enhancements GitHub has enabled in recent years such as: two-factor authentication, sign-in alerts, verified devices, preventing the use of compromised passwords, and WebAuthn support. For more details see learn more about keeping your account secure, or contact GitHub Support.

If you have any issues with the Visual Studio experience, we ask you to send us feedback via the Developer Community portal, or via the Help > Send Feedback feature inside Visual Studio. We’d love to know how to further improve your experience!