About two-factor authentication
Two-factor authentication, or 2FA, is an extra layer of security used when logging into websites or apps. With 2FA, you have to log in with your username and password and provide another form of authentication that only you know or have access to.
In this article
For GitHub, the second form of authentication is a code that's generated by an application on your mobile device or sent as a text message (SMS). After you enable 2FA, GitHub generates an authentication code any time someone attempts to sign into your GitHub account. The only way someone can sign into your account is if they know both your password and have access to the authentication code on your phone.
After you configure 2FA using a mobile app or via text message, you can add a security key, like a fingerprint reader or Windows Hello. The technology that enables authentication with a security key is called WebAuthn. WebAuthn is the successor to U2F and works in all modern browsers. For more information, see "WebAuthn" and "Can I Use."
You can also configure additional recovery methods in case you lose access to your two-factor authentication credentials. For more information on setting up 2FA, see "Configuring two-factor authentication" and "Configuring two-factor authentication recovery methods."
We strongly urge you to turn on 2FA for the safety of your account, not only on GitHub, but on other websites and apps that support it. You can use 2FA to access GitHub via:
- The GitHub website
- The GitHub API
- GitHub Desktop
For more information, see "Accessing GitHub using two-factor authentication."
Two-factor authentication recovery codes
When you configure two-factor authentication, you'll download and save your 2FA recovery codes. If you lose access to your phone, you can authenticate to GitHub using your recovery codes. For more information, see "Recovering your account if you lose your 2FA credentials."
Warning: For security reasons, GitHub Support may not be able to restore access to accounts with two-factor authentication enabled if you lose your two-factor authentication credentials or lose access to your account recovery methods. For more information, see "Recovering your account if you lose your 2FA credentials."
Requiring two-factor authentication in your organization
Organization owners can require that organization members, billing managers, and outside collaborators use two-factor authentication to secure their personal accounts. For more information, see "Requiring two-factor authentication in your organization."