You can configure two-factor authentication using a mobile app or via text message. You can also add a security key using FIDO U2F.

We strongly recommend using a time-based one-time password (TOTP) application to configure 2FA. TOTP applications are more reliable than SMS, especially for locations outside the United States. TOTP apps support the secure backup of your authentication codes in the cloud and can be restored if you lose access to your device.

Warning:

  • If you're a member, billing manager, or outside collaborator to a private repository of an organization that requires two-factor authentication, you must leave the organization before you can disable 2FA on GitHub.
  • If you disable 2FA, you will automatically lose access to the organization and any private forks you have of the organization's private repositories. To regain access to the organization and your forks, re-enable two-factor authentication and contact an organization owner.

Configuring two-factor authentication using a TOTP mobile app

A time-based one-time password (TOTP) application automatically generates an authentication code that changes after a certain period of time. We recommend using cloud-based TOTP apps such as:

Tip: To configure authentication via TOTP on multiple devices, during setup, scan the QR code using each device at the same time. If 2FA is already enabled and you want to add another device, you must re-configure 2FA from your security settings.

  1. Download a TOTP app.
  2. In the upper-right corner of any page, click your profile photo, then click Settings.
  3. In the user settings sidebar, click Security.

  4. Under "Two-factor authentication", click Enable two-factor authentication.

  5. On the Two-factor authentication page, click Set up using an app.

  6. Save your recovery codes in a safe place. Your recovery codes can help you get back into your account if you lose access.
    • To save your recovery codes on your device, click Download.
    • To save a hard copy of your recovery codes, click Print.
    • To copy your recovery codes for storage in a password manager, click Copy.
  7. After saving your two-factor recovery codes, click Next.

  8. On the Two-factor authentication page, do one of the following:

    • Scan the QR code with your mobile device's app. After scanning, the app displays a six-digit code that you can enter on GitHub.
    • If you can't scan the QR code, click enter this text code to see a code you can copy and manually enter on GitHub instead. If you're using Microsoft Authenticator, you'll need to use this method.
  9. The TOTP mobile application saves your GitHub account and generates a new authentication code every few seconds. On GitHub, on the 2FA page, type the code and click Enable.
  10. After you've saved your recovery codes and enabled 2FA, we recommend you sign out and back in to your account. In case of problems, such as a forgotten password or typo in your email address, you can use recovery codes to access your account and correct the problem.
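
How the six-digit code in steps 8 and 9 is derived from the text code, as an added example that is not GitHub's code: it implements the RFC 6238 TOTP algorithm, assuming the RFC defaults of HMAC-SHA-1 and a 30-second time step, which this page does not state. The sample secret is the RFC's published test key and the function names are hypothetical.

```python
import base64
import hashlib
import hmac
import struct

def decode_text_code(text_code: str) -> bytes:
    """Base32-decode a setup key typed by hand: ignore spaces and case, restore padding."""
    cleaned = text_code.replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)
    return base64.b32decode(cleaned)

def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 code for Unix time `at` (assumed defaults: SHA-1, 30 s step)."""
    counter = int(at) // step
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def verify(secret: bytes, submitted: str, at: int, window: int = 1, step: int = 30) -> bool:
    """Verifier side: also accept the neighbouring time steps to absorb clock drift."""
    ok = False
    for drift in range(-window, window + 1):
        moment = at + drift * step
        if moment < 0:
            continue
        # compare_digest avoids leaking how many leading digits matched
        ok |= hmac.compare_digest(totp(secret, moment, step).encode(), submitted.encode())
    return ok

# Constructed sample: the RFC 6238 test key, shown as the text code a user would type.
SAMPLE_SECRET = b"12345678901234567890"
SAMPLE_TEXT_CODE = base64.b32encode(SAMPLE_SECRET).decode()

if __name__ == "__main__":
    import time
    secret = decode_text_code(SAMPLE_TEXT_CODE.lower())
    print("code now:", totp(secret, int(time.time())))
    print("RFC vector at t=59:", totp(secret, 59))
```

Because the code depends only on the shared secret and the clock, anyone who holds the text code or a copy of the QR image can generate valid codes, so it deserves the same care as the recovery codes.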

Configuring two-factor authentication using text messages

If you're unable to authenticate using a TOTP mobile app, you can authenticate using SMS messages. You can also provide a second number for a fallback device. If you lose access to both your primary device and your recovery codes, a backup SMS number can get you back in to your account.

Before using this method, be sure that you can receive text messages. Carrier rates may apply.

Warning: We strongly recommend using a TOTP application for two-factor authentication instead of SMS. GitHub doesn't support sending SMS messages to phones in every country. Before configuring authentication via text message, review the list of countries where GitHub supports authentication via SMS. For more information, see "Countries where SMS authentication is supported".

  1. In the upper-right corner of any page, click your profile photo, then click Settings.
  2. In the user settings sidebar, click Security.

  3. Under "Two-factor authentication", click Enable two-factor authentication.

  4. On the Two-factor authentication page, click Set up using SMS.
  5. Save your recovery codes in a safe place. Your recovery codes can help you get back into your account if you lose access.
    • To save your recovery codes on your device, click Download.
    • To save a hard copy of your recovery codes, click Print.
    • To copy your recovery codes for storage in a password manager, click Copy.
  6. After saving your two-factor recovery codes, click Next.

  7. Select your country code and type your mobile phone number, including the area code. When your information is correct, click Send authentication code.

  8. You'll receive a text message with a security code. Type the code on the Two-factor authentication page, and click Enable.
  9. After you've saved your recovery codes and enabled 2FA, we recommend you sign out and back in to your account. In case of problems, such as a forgotten password or typo in your email address, you can use recovery codes to access your account and correct the problem.

Configuring two-factor authentication using FIDO U2F

After you configure 2FA via a TOTP mobile app or via SMS, you can add a security key that supports the FIDO U2F standard to use for two-factor authentication on GitHub.

Authentication with a security key is secondary to authentication with a TOTP application or a text message. If you lose your hardware key, you'll still be able to use your phone's code to sign in.

Tip: FIDO U2F authentication is currently only available for the Chrome browser.

  1. You must have already configured 2FA via a TOTP mobile app or via SMS.
  2. Download and install Google Authenticator.
  3. Ensure that you have a FIDO U2F compatible security key inserted into your computer.
  4. In the upper-right corner of any page, click your profile photo, then click Settings.
  5. In the user settings sidebar, click Security.

  6. Next to "Security keys", click Add.

  7. Under "Security keys", click Register new device.
  8. Type a nickname for the security key, then click Add.
  9. When prompted, touch your security key to have it authenticate against GitHub.
  10. If you're authenticating to GitHub on an Android phone, you can use your FIDO U2F compatible security key and Google Authenticator to sign into your account with Near Field Communication (NFC).
  11. Confirm that you've downloaded and can access your recovery codes. If you haven't already, or if you'd like to generate another set of codes, download your codes and save them in a safe place. If you lose access to your account, you can use your recovery codes to get back into your account. For more information, see "Recovering your account if you lose your 2FA credentials."
  12. After you've saved your recovery codes and enabled 2FA, we recommend you sign out and back in to your account. In case of problems, such as a forgotten password or typo in your email address, you can use recovery codes to access your account and correct the problem.
