
How to Enable Two-Factor Authentication on GitHub

GitHub mandated two-factor authentication for all active contributors in 2023, and for good reason. Your GitHub account controls access to code repositories, deployment pipelines, CI/CD secrets, and potentially production systems. Compromised developer accounts are one of the primary vectors for software supply chain attacks: attackers gain access to a trusted account and inject malicious code into packages used by thousands of other projects.

Setting up 2FA on GitHub takes less than two minutes and dramatically reduces the risk of account takeover. Here is everything you need to know.

How to Set Up 2FA on GitHub (Step by Step)

  1. Sign in to github.com and click your profile photo in the top right, then click Settings.
  2. In the left sidebar, click Password and authentication.
  3. Under "Two-factor authentication", click Enable two-factor authentication.
  4. GitHub displays a QR code. Open your authenticator app (Google Authenticator, Authy, 1Password, etc.), tap Add Account, and scan the QR code. If you cannot scan it, click enter this text code to get a plain-text secret key you can type manually.
  5. Enter the 6-digit TOTP code shown in your authenticator app to confirm the setup.
  6. GitHub will display 16 recovery codes. Download or print them immediately and store them somewhere safe; a password manager is ideal. These are your only way back in if you lose your authenticator device.

Recovery codes are critical. GitHub's account recovery process is strict. Without both your 2FA method and your recovery codes, regaining access to a locked account can be extremely difficult or even impossible. Save them before closing the setup screen.

GitHub's 2FA Methods: Which Should You Use?

GitHub supports four different second factors. Each has different trade-offs between security, convenience, and recovery options.

Authenticator App (TOTP): Recommended for Most Developers

Any TOTP-compatible app works: Google Authenticator, Authy, Microsoft Authenticator, 1Password, Bitwarden, and many others. When you sign in, GitHub asks for the 6-digit code currently shown in your app. Codes refresh every 30 seconds. This method works offline and is not vulnerable to SIM swapping. It is the best default choice for most developers.

Hardware Security Keys: Best for High-Value Accounts

Physical keys like YubiKey connect via USB or NFC. Instead of typing a code, you simply tap the key when prompted. Hardware keys implement the WebAuthn/FIDO2 standard, which is phishing-resistant: the key cryptographically verifies the exact domain, so it will not authenticate on a fake login page. If your account has access to critical repositories or has admin rights over an organisation, a hardware key is the best option.

GitHub Mobile: Convenient Push Approvals

If you have the GitHub mobile app installed and signed in, GitHub can send a push notification to your phone asking you to approve the login. You review the request and tap Approve. This is convenient but requires internet connectivity on both your phone and your computer at the time of sign-in.

Passkeys: The Best Long-Term Option

Passkeys use your device's biometrics (Face ID, fingerprint, Windows Hello) to authenticate. They are phishing-resistant like hardware keys but more convenient since they are built into your device. GitHub is actively rolling out passkey support. If your device supports it, consider adding a passkey as your primary 2FA method and keeping an authenticator app as a fallback.

SMS Codes: Avoid If Possible

GitHub supports SMS as a fallback 2FA method, but it is the least secure option due to SIM-swap attacks. Use an authenticator app or hardware key instead, and only fall back to SMS if no other option is available.

What Happens After You Enable 2FA on GitHub

Once 2FA is active, every sign-in from a new browser or device requires both your password and your second factor. Existing sessions on trusted devices are not immediately logged out. You can manage your trusted devices in Settings → Password and authentication.

GitHub also requires 2FA to perform sensitive actions like adding SSH keys, creating personal access tokens, and changing your email address, even from a device you are already signed in to.

GitHub 2FA and the Command Line

2FA does not affect Git operations over SSH or HTTPS once you have set up proper credentials. For HTTPS, use a personal access token (PAT) or a GitHub CLI token as your password, not your account password. For SSH, use an SSH key pair. Neither method is affected by account-level 2FA, because the token or key is itself the credential Git presents; 2FA is only checked when you sign in to github.com (including when you create the token or add the key).

Lost Access to Your GitHub 2FA?

If you cannot access your 2FA device, you have a few recovery paths. First, try your saved recovery codes; each code works once. If you have GitHub Mobile set up, you can use it as an alternative 2FA method. If you have a hardware key registered, use that. If none of these are available, GitHub's account recovery process requires you to verify your identity through email confirmation and a waiting period. In some cases, particularly if you no longer have access to the email address associated with the account, recovery may not be possible, which is why saving recovery codes is essential.
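The "each code works once" property of recovery codes (described here and in the setup steps above) is easiest to understand from the server's side. The following is an added example, not GitHub's code, of how a service can issue a batch of single-use codes, store only their hashes, and retire each code the moment it is redeemed. The code format, the batch size of 16 and the hashing choice are assumptions made for the example; GitHub's internal design is not documented on this page.

```python
"""Added example (not GitHub's code): a model of single-use recovery codes.

Issues a batch of random codes, keeps only their SHA-256 hashes, and marks
each code as consumed when it is successfully redeemed.
"""
import hashlib
import hmac
import secrets

# Assumed format for the example: two groups of five lowercase letters or
# digits, roughly 52 bits of entropy per code.
CODE_ALPHABET = "abcdefghijklmnopqrstuvwxyz0123456789"
GROUPS = 2
GROUP_LEN = 5


def normalise(code: str) -> str:
    """Accept what users actually type: surrounding whitespace, upper case,
    and spaces instead of hyphens."""
    return code.strip().lower().replace(" ", "").replace("-", "")


def hash_code(code: str) -> str:
    # Recovery codes here carry enough entropy that a fast hash is acceptable
    # for storage; for low-entropy secrets such as passwords use a slow KDF.
    return hashlib.sha256(normalise(code).encode()).hexdigest()


def generate_recovery_codes(count: int = 16) -> list[str]:
    """Create `count` codes from a CSPRNG. The plain codes are shown to the
    user exactly once; only their hashes should be persisted."""
    codes = []
    for _ in range(count):
        groups = ["".join(secrets.choice(CODE_ALPHABET) for _ in range(GROUP_LEN))
                  for _ in range(GROUPS)]
        codes.append("-".join(groups))
    return codes


class RecoveryCodeStore:
    """Server-side record: unused hashes plus a tally of consumed codes."""

    def __init__(self, plain_codes: list[str]):
        self._unused = {hash_code(c) for c in plain_codes}
        self.used = 0

    def remaining(self) -> int:
        return len(self._unused)

    def redeem(self, submitted: str) -> bool:
        """Return True and retire the code if it matches an unused one.
        A code that was already redeemed is rejected, which is why the user
        must keep the full list rather than a single code."""
        candidate = hash_code(submitted)
        match = None
        for stored in self._unused:
            # Constant-time comparison over every entry, no early exit.
            if hmac.compare_digest(stored, candidate):
                match = stored
        if match is None:
            return False
        self._unused.discard(match)
        self.used += 1
        return True


if __name__ == "__main__":
    batch = generate_recovery_codes()
    print("save these now:", *batch, sep="\n  ")
    store = RecoveryCodeStore(batch)
    print("first use:", store.redeem(batch[0]))   # True
    print("second use:", store.redeem(batch[0]))  # False
    print("codes left:", store.remaining())
```

Two design points worth noting: the plain codes never exist on the server after the setup screen is closed, so they cannot be re-displayed later (which matches the advice above to save them before leaving the page), and redemption lowers the remaining count, so a user who has burned most of a batch should regenerate a fresh one while they still have a working second factor.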
