Organization owners can require organization members and outside collaborators to enable two-factor authentication for their personal accounts, making it harder for malicious actors to access an organization's repositories and settings.

Authentication methods that support 2FA

  • Built-in. Authentication is performed against user accounts stored on the GitHub Enterprise appliance. 2FA support: supported and managed on the appliance; organization administrators can require 2FA to be enabled for members of the organization.
  • LDAP. Integrates with your company directory service for authentication. 2FA support: supported and managed on the appliance; organization administrators can require 2FA to be enabled for members of the organization.
  • SAML. Authentication is performed on an external identity provider. 2FA support: not supported or managed on the appliance, but may be supported by the external identity provider. 2FA enforcement on organizations is not available.
  • CAS. Single sign-on is provided by an external server. 2FA support: not supported or managed on the appliance, but may be supported on the external authentication server. 2FA enforcement on organizations is not available.

Requirements for enforcing two-factor authentication

Before you can require organization members and outside collaborators to use 2FA, you must enable two-factor authentication for your own personal account.

Warnings:

  • When you require use of two-factor authentication for your organization, members and outside collaborators (including bot accounts) who do not use 2FA will be removed from the organization and lose access to its repositories. They will also lose access to their forks of the organization's private repositories. You can reinstate their access privileges and settings if they enable two-factor authentication for their personal account within three months of their removal from your organization.
  • If an organization owner, member, or outside collaborator disables 2FA for their personal account after you've enabled required two-factor authentication, they will automatically be removed from the organization.
  • If you're the sole owner of an organization that requires two-factor authentication, you won't be able to disable 2FA for your personal account without disabling required two-factor authentication for the organization.

Before you require use of two-factor authentication, we recommend notifying organization members and outside collaborators and asking them to set up 2FA for their accounts. You can see if members and outside collaborators already use 2FA on your organization's People page.
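The People page is the manual way to do this pre-flight check. For a large organization it is faster to script it against the REST API, which exposes the same information through the filter=2fa_disabled parameter on GET /orgs/{org}/members and GET /orgs/{org}/outside_collaborators. The script below is an added example and is not part of this documentation or of GitHub's own tooling; the appliance hostname github.example.com, the organization name acme, the account names and the sample API pages are all constructed placeholders. It follows the Link header for pagination, so organizations with more than one page of results are handled, and it can be run offline against the embedded sample pages.

```python
"""Pre-flight check before requiring 2FA on an organization.

Lists members and outside collaborators who have NOT enabled 2FA, i.e. the
accounts that would be removed when the requirement is switched on.
Added example; endpoints are GitHub's, everything else is a placeholder.
"""
import json
import os
import re
import sys
import urllib.request

API_BASE = "https://github.example.com/api/v3"   # assumed GHES hostname


def parse_next_link(link_header):
    """Return the URL tagged rel="next" in a Link header, or None when the
    current page is the last one."""
    if not link_header:
        return None
    for part in link_header.split(","):
        m = re.match(r'\s*<([^>]+)>;\s*rel="([^"]+)"', part)
        if m and m.group(2) == "next":
            return m.group(1)
    return None


def http_get(url, token):
    """Live fetcher: returns (decoded JSON body, Link header value).
    The token must belong to an organization owner (read:org scope)."""
    req = urllib.request.Request(url, headers={
        "Authorization": "token " + token,
        "Accept": "application/vnd.github.v3+json",
        "User-Agent": "2fa-preflight-check",
    })
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp), resp.headers.get("Link")


def collect_logins(url, token, fetch=http_get):
    """Walk every page starting at `url` and collect each account's login."""
    logins = []
    while url:
        body, link = fetch(url, token)
        logins.extend(account["login"] for account in body)
        url = parse_next_link(link)
    return logins


def accounts_without_2fa(org, token, base=API_BASE, fetch=http_get):
    """Return {'members': [...], 'outside_collaborators': [...]} for the
    accounts in `org` that have not enabled two-factor authentication."""
    query = "?filter=2fa_disabled&per_page=100"
    return {
        "members": collect_logins(
            f"{base}/orgs/{org}/members{query}", token, fetch),
        "outside_collaborators": collect_logins(
            f"{base}/orgs/{org}/outside_collaborators{query}", token, fetch),
    }


# Constructed sample responses (not captured from a real appliance) so the
# script can be exercised offline. Two pages of members, one of collaborators.
SAMPLE_BASE = "https://ghe.test/api/v3"
_M = f"{SAMPLE_BASE}/orgs/acme/members?filter=2fa_disabled&per_page=100"
_C = f"{SAMPLE_BASE}/orgs/acme/outside_collaborators?filter=2fa_disabled&per_page=100"
SAMPLE_PAGES = {
    _M: ([{"login": "alice"}, {"login": "ci-bot"}],
         f'<{_M}&page=2>; rel="next", <{_M}&page=2>; rel="last"'),
    f"{_M}&page=2": ([{"login": "bob"}],
                     f'<{_M}&page=1>; rel="prev", <{_M}&page=1>; rel="first"'),
    _C: ([{"login": "contractor-1"}], None),
}


def sample_fetch(url, token):
    """Offline stand-in for http_get that serves the constructed pages."""
    return SAMPLE_PAGES[url]


if __name__ == "__main__":
    token = os.environ.get("GITHUB_TOKEN")
    if len(sys.argv) == 2 and token:
        report = accounts_without_2fa(sys.argv[1], token)            # live
    else:
        report = accounts_without_2fa("acme", "dummy", SAMPLE_BASE, sample_fetch)
    print(json.dumps(report, indent=2))
```

Run it as GITHUB_TOKEN=... python preflight.py YOUR-ORG against the appliance, or with no arguments to see the offline sample. Every login it prints, including bot accounts, is an account that will lose access the moment you turn on the requirement, so this list is also the distribution list for the notification recommended above.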

  1. In the top right corner of GitHub Enterprise, click your profile photo, then click Your profile.

  2. On the left side of your profile page, under "Organizations", click the icon for your organization.

  3. Under your organization name, click Settings.

  4. In the organization settings sidebar, click Security.

  5. Under "Authentication", select Require two-factor authentication for all members, then click Save.

  6. If prompted, read the information about members and outside collaborators who will be removed from the organization. Type your organization's name to confirm the change, then click Remove members & require two-factor authentication.

Viewing people who were removed from your organization

To view people who were automatically removed for non-compliance when you required two-factor authentication, search your organization's audit log for removal events. Each removal event records whether the person was removed for 2FA non-compliance.

  1. In the top right corner of GitHub Enterprise, click your profile photo, then click Your profile.

  2. On the left side of your profile page, under "Organizations", click the icon for your organization.

  3. In the Settings sidebar, click Audit log.

  4. Enter your search query. To search for:

    • Organization members removed, use action:org.remove_member in your search query
    • Outside collaborators removed, use action:org.remove_outside_collaborator in your search query

    You can also narrow either query to a time frame (for example, by adding a created:>=YYYY-MM-DD qualifier) so that the results cover only the period in which you turned on the requirement.

Helping removed members and outside collaborators rejoin your organization

If any members or outside collaborators are removed from the organization when you enable required use of two-factor authentication, they'll receive an email notifying them that they've been removed. They should then enable 2FA for their personal account and contact an organization owner to request access to your organization. An owner can reinstate their previous access privileges and settings if they do so within three months of the removal; after that, they must be re-added as new members or collaborators.

Further reading