Two-factor authentication, or 2FA, is a way of logging into websites that requires more than just a password. Signing in with only a password is susceptible to security threats, because the password is the single piece of information a malicious person needs to acquire. 2FA adds security by requiring additional information to sign in.

In GitHub's case, this additional information is an authentication code that's generated by an application on your smartphone or sent as a text message (SMS). After 2FA is enabled, GitHub generates an authentication code any time someone attempts to sign into your GitHub account. Someone can sign into your account only if they both know your password and have access to the authentication code on your phone.
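How an app-generated code can work, as an added example that is not GitHub's code. It assumes the authenticator app implements time-based one-time passwords (TOTP, RFC 6238), which this page does not name; `sign_in` and its parameters are hypothetical, and the secret in the comments is the RFC's published test key.

```python
import hashlib
import hmac
import struct

STEP = 30    # seconds each code stays current (RFC 6238 default)
DIGITS = 6   # length of the code shown by the app


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226: HMAC-SHA1 over the counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def totp(secret: bytes, now: float) -> str:
    """RFC 6238: the counter is the number of 30-second steps since the epoch."""
    return hotp(secret, int(now) // STEP)


def sign_in(password_ok: bool, secret: bytes, code: str, now: float,
            drift: int = 1) -> bool:
    """Hypothetical server-side check: both factors must pass.

    Codes from `drift` steps before or after the current one are accepted
    to tolerate clock skew between the phone and the server.
    """
    current = int(now) // STEP
    code_ok = False
    for counter in range(max(0, current - drift), current + drift + 1):
        expected = hotp(secret, counter).encode()
        # Constant-time comparison; every candidate is checked, no early exit.
        code_ok |= hmac.compare_digest(expected, code.encode())
    return password_ok and code_ok


if __name__ == "__main__":
    secret = b"12345678901234567890"   # RFC 6238 test key, not a real secret
    code = totp(secret, 59)
    print("code at t=59:", code)
    print("password + code:", sign_in(True, secret, code, 59))
    print("code only:      ", sign_in(False, secret, code, 59))
    print("stale code:     ", sign_in(True, secret, code, 59 + 90))
```

A stolen password fails without the current code, and a captured code stops working once it falls outside the accepted time window.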

We strongly urge you to turn on 2FA for the safety of your account, not only on GitHub, but on other websites that support it. You can use 2FA to access GitHub via:

  • The GitHub website
  • The GitHub API
  • GitHub Desktop

For more information, see "Providing your 2FA authentication code."

Organization owners can require that organization members, outside collaborators, and billing managers use two-factor authentication to secure their personal accounts. For more information, see "Requiring two-factor authentication in your organization."

Warning: For security reasons, GitHub Support may not be able to restore access to accounts with two-factor authentication enabled if you lose your phone, don't have access to your recovery codes, or don't have an account recovery token stored. For more information, see "Adding a fallback authentication method with Recover Accounts Elsewhere."