Two-factor authentication, or 2FA, is a way of logging into websites that requires more than just a password. Using a password to log into a website is susceptible to security threats, because it represents a single piece of information a malicious person needs to acquire. The added security that 2FA provides is requiring additional information to sign in.

In GitHub's case, this additional information is an authentication code delivered to your cell phone that's generated by an application on your smartphone or sent as a text message (SMS). After 2FA is enabled, GitHub generates an authentication code that is sent to your phone any time someone attempts to sign into your GitHub account. The only way someone can sign into your account is if they know both your password and have access to the authentication code on your phone.

We strongly urge you to turn on 2FA for the safety of your account, not only on GitHub, but on other websites that support it. You can use 2FA to access GitHub via:

  • The GitHub website
  • The GitHub API
  • GitHub Desktop

Warning: For security reasons, GitHub Support cannot restore access to accounts with two-factor authentication enabled if you lose your phone and don't have access to your recovery codes.

Configuring two-factor authentication via a TOTP mobile app

A Time-based One-Time Password (TOTP) application automatically generates an authentication code that changes after a certain period of time. We strongly recommend using a TOTP application to configure 2FA. TOTP applications are more reliable than SMS, especially for locations outside the US.

Configuring two-factor authentication via text message

If you're unable to authenticate using a TOTP mobile app, you can authenticate using SMS messages. You can also provide a second number for a fallback device. If you lose access to both your primary device and your recovery codes, a backup SMS number can get you back in to your account.

Configuring two-factor authentication via FIDO U2F

After you configure 2FA via a TOTP mobile app or via SMS, you can add a security key that supports the FIDO U2F standard to use for two-factor authentication on GitHub.

Note: FIDO U2F authentication is currently only available for the Chrome browser.

Downloading your two-factor authentication recovery codes

After successfully setting up two-factor authentication via a TOTP mobile application or text message, the Two-factor recovery codes page lists your valid recovery codes. We strongly recommend saving your recovery codes immediately. If you don't, though, you can download them at any point after enabling two-factor authentication.

Providing your two-factor authentication code

With 2FA enabled, you'll be asked to provide your 2FA authentication code, as well as your password, when you access GitHub.

Setting a fallback authentication number

You can provide a second number for a fallback device. If you lose access to both your primary device and your recovery codes, a backup SMS number can get you back in to your account.

Changing authentication delivery methods

You can always switch between receiving authentication codes through a text message or a mobile application.

Recovering your account if you lost your 2FA credentials

If you've lost access to your account after enabling two-factor authentication, GitHub can't help you gain access again. Having access to your recovery codes in a secure place, or establishing a secondary mobile phone number for recovery, will get you back into your account.

Countries where SMS authentication is supported

Because of delivery success rates, GitHub only supports two-factor authentication via SMS for certain countries.