Two-factor authentication, or 2FA, is a way of logging into websites that requires more than just a password. Using a password to log into a website is susceptible to security threats, because it represents a single piece of information a malicious person needs to acquire. The added security that 2FA provides is requiring additional information to sign in.

In GitHub's case, this additional information is an authentication code delivered to your cell phone, either generated by an application on your smartphone, or sent as a text message (SMS). After 2FA is enabled, GitHub generates an authentication code that is sent to your phone any time someone attempts to sign into your GitHub account. The only way someone can sign into your account is if they both know your password and have access to the authentication code on your phone.

Tip: GitHub Enterprise cannot send authentication codes as SMS messages—it only supports TOTP smartphone clients, such as Google Authenticator.

We strongly urge you to turn on 2FA for the safety of your account, not only on GitHub, but on other websites that support it. You can use 2FA to access GitHub via:

  • The GitHub website
  • The GitHub API
  • GitHub for Windows
  • GitHub for Mac

Warning: For security reasons, GitHub Support cannot restore access to accounts with two-factor authentication enabled if you lose your phone and don't have access to your recovery codes.

Configuring authentication via a TOTP mobile app

A Time-based One-Time Password (TOTP) application automatically generates an authentication code that changes after a certain period of time. We strongly recommend using a TOTP application to configure 2FA. TOTP applications are more reliable than SMS, especially for locations outside the US.

Tip: To configure authentication via TOTP on multiple devices, during setup, scan the QR code using each device at the same time. If 2FA is already enabled and you want to add another device, you must re-configure 2FA from Account Settings.

  1. Download one of these apps.
  2. In your user bar, click Account settings.
  3. In the left sidebar, click Account Settings.
  4. Under Two-Factor Authentication, click Set up two-factor authentication.
  5. On the Two-Factor Authentication page, click Set up using an app.
  6. On the "Add GitHub to your two-factor authentication app" page, do one of the following:
    • Scan the QR code
    • Manually type the security code into your TOTP application. If you're using Microsoft Authenticator on a Windows phone, you'll need to use this method.
  7. The TOTP mobile application will save your GitHub account and generate a new authentication code every few seconds. In GitHub, on the 2FA page, type the code and click Enable.

Configuring authentication via text message

Before using this method, be sure that you can receive text messages. Carrier rates may apply. If you are outside the US, we strongly recommend using a TOTP application for two-factor authentication instead of SMS.

For non-US phone numbers, note the following:

  • Indian phone numbers on the National Do Not Disturb (DND) registry cannot receive SMS messages. For information on enabling SMS for certain categories of calls, see Allow Calls by Category on the NDNC India website.
  • Indian phone numbers cannot receive SMS messages between 9PM and 9AM.
  • GitHub doesn't support sending SMS messages to every country. In those cases, you must use a TOTP mobile application for two-factor authentication.

  1. In your user bar, click Account settings.
  2. In the settings sidebar, click Account Settings.
  3. Under Two-Factor Authentication, click Set up two-factor authentication.
  4. On the Two-Factor Authentication page, click Set up using SMS.
  5. Select your country code and type your mobile phone number, including area code. When your information is correct, click Send code.
  6. You'll receive a text message with a security code. Type the code on the 2FA page, and click Enable.

Fallback SMS number

You can provide a second number for a fallback device. If you lose access to both your primary device and your recovery codes, a backup SMS number can get you back into your account.

Saving your recovery codes

After successfully setting up 2FA, you'll be provided with a set of randomly generated recovery codes that you can view and save.

Treat these recovery codes with the same level of attention as you would your password! They should not be shared or distributed. If you're locked out of your account and don't have access to your primary device, you can use a recovery code to access your account. For more information, see Recovering your account if you lose your two-factor authentication credentials.

Tip: After 2FA has been enabled and you've saved your recovery codes, we recommend you log out and back in to your account. In case of problems, such as a forgotten password or typo in your email address, you can use recovery codes to access your account and correct the problem.

Changing authentication delivery methods

You can always switch between receiving authentication codes through a text message or a mobile application.

  1. In the user bar in the top-right corner of any page, click Account Settings.
  2. In the Two-factor authentication section, click Edit.
  3. In the Delivery Options section, click Switch.

Disabling and Re-enabling 2FA

If you disable and re-enable 2FA, you will need to generate new recovery codes. Your old codes will no longer work.