You can set up a variety of recovery methods to access your account if you lose your two-factor authentication credentials.

In addition to securely storing your two-factor authentication recovery codes, we strongly recommend configuring one or more additional recovery methods.


Downloading your two-factor authentication recovery codes

When you configure two-factor authentication, you'll download and save your 2FA recovery codes. If you lose access to your phone, you can authenticate to GitHub using your recovery codes. You can also download your recovery codes at any point after enabling two-factor authentication.

To keep your account secure, don't share or distribute your recovery codes. We recommend saving them with a secure password manager, such as:

If you generate new recovery codes or disable and re-enable 2FA, the recovery codes in your security settings automatically update.

  1. In the upper-right corner of any page, click your profile photo, then click Settings.
  2. In the user settings sidebar, click Security.
  3. Next to "Recovery codes," click Show.
  4. Save your recovery codes in a safe place. Your recovery codes can help you get back into your account if you lose access.

    • To save your recovery codes on your device, click Download.
    • To save a hard copy of your recovery codes, click Print.
    • To copy your recovery codes for storage in a password manager, click Copy.

Generating a new set of recovery codes

Once you use a recovery code to regain access to your account, it cannot be reused. If you've used all 16 recovery codes, you can generate another list of codes. Generating a new set of recovery codes will invalidate any codes you previously generated.

  1. In the upper-right corner of any page, click your profile photo, then click Settings.
  2. In the user settings sidebar, click Security.
  3. Next to "Recovery codes," click Show.
  4. To create another batch of recovery codes, click Generate new recovery codes.
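
The single-use and regeneration rules described in this section, modelled from the server side as an added example (it is not GitHub's code and not part of the original page). The class name, the code format and the choice to store only hashes are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

CODES_PER_SET = 16  # the page states that a set holds 16 recovery codes


class RecoveryCodeStore:
    """Toy model of one account's recovery codes (assumed design, not GitHub's)."""

    def __init__(self):
        self._unused = set()  # SHA-256 digests of codes that are still valid

    @staticmethod
    def _digest(code):
        # Normalise so "ABCDE-12345" and "abcde12345" match; keep only a hash,
        # so a leaked store does not reveal usable codes.
        normalised = code.replace("-", "").strip().lower()
        return hashlib.sha256(normalised.encode()).digest()

    def generate(self):
        """Issue a fresh set; every previously issued code stops working."""
        codes = set()
        while len(codes) < CODES_PER_SET:
            raw = secrets.token_hex(5)  # 10 hex characters, constructed format
            codes.add(f"{raw[:5]}-{raw[5:]}")
        # Replacing the whole set is what invalidates the older codes.
        self._unused = {self._digest(c) for c in codes}
        return sorted(codes)

    def redeem(self, code):
        """Accept a code once; a second attempt with the same code fails."""
        candidate = self._digest(code)
        for stored in self._unused:
            if hmac.compare_digest(stored, candidate):
                self._unused.remove(stored)  # single use: burn it on success
                return True
        return False

    def remaining(self):
        """Number of codes in the current set that have not been used."""
        return len(self._unused)
```
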

Configuring FIDO U2F as a fallback method

You can set up FIDO U2F as a secondary two-factor authentication method, and use your U2F keys to regain access to your account. For more information, see "Configuring two-factor authentication."

Setting a fallback authentication number

You can provide a second number for a fallback device. If you lose access to both your primary device and your recovery codes, a backup SMS number can get you back into your account.

You can use a fallback number regardless of whether you've configured authentication via text message or TOTP mobile application.

Warning: Using a fallback number is a last resort. We recommend configuring additional recovery methods if you set a fallback authentication number.

  1. In the upper-right corner of any page, click your profile photo, then click Settings.
  2. In the user settings sidebar, click Security.
  3. Next to "Fallback SMS number", click Add.
  4. Under "Fallback SMS number", click Add fallback SMS number.
  5. Select your country code and type your mobile phone number, including the area code. When your information is correct, click Set fallback.

After setup, the backup device will receive a confirmation SMS.

Adding a fallback authentication method with Recover Accounts Elsewhere

You can generate an extra authentication credential for your account and store it with a partner recovery provider.

About Recover Accounts Elsewhere

With Recover Accounts Elsewhere, you can add an extra security factor to your GitHub account in case you lose access to your two-factor authentication method or recovery codes.

Recover Accounts Elsewhere lets you associate your GitHub account with your Facebook account. You can store an authentication credential in the form of an account recovery token for your GitHub account with Facebook.

If you lose access to your GitHub account because you no longer have access to your two-factor authentication method or recovery codes, you can retrieve your account recovery token from the recovery provider to help prove that you're the owner of your GitHub account.

After you retrieve your token, GitHub Support or GitHub Premium Support may be able to disable two-factor authentication for your account. Then, you can provide or reset your password to regain access to your account.

Your account recovery token is valid for a year or until you use it. If you retrieve your token or your token expires, you should generate and store a new token.

When you generate or retrieve an account recovery token, an event is added to your account's audit log. For more information, see "Reviewing your security log."

Generating and storing an account recovery token

You can generate an account recovery token and store it with a partner recovery provider.

  1. Sign in to your Facebook account, then return to GitHub.
  2. In the upper-right corner of any page, click your profile photo, then click Settings.
  3. In the user settings sidebar, click Security.
  4. To generate a new token, under "Recovery tokens," click Store new token.
  5. Read the information about account recovery tokens, then click Connect with https://www.facebook.com.
  6. After you're redirected to Facebook, read the information about turning on account recovery with Facebook before you click Save as [YOUR NAME]. (If you save multiple tokens within a short period of time, Facebook may skip this confirmation step after you save your first token.)

Further reading