Two-factor authentication, or 2FA, is an extra layer of security used when logging into websites or apps. With 2FA, you have to log in with your username and password and provide another form of authentication that only you know or have access to.

For GitHub Enterprise, the second form of authentication is a code that's generated by an application on your mobile device. After you enable 2FA, GitHub Enterprise generates an authentication code any time someone attempts to sign into your GitHub Enterprise account. The only way someone can sign into your account is if they know both your password and have access to the authentication code on your phone.

After you configure 2FA using a mobile app, you can add a FIDO U2F security key, and configure additional recovery methods in case you lose access to your two-factor authentication credentials. For more information on setting up 2FA, see "Configuring two-factor authentication" and "Configuring two-factor authentication recovery methods."

We strongly urge you to turn on 2FA for the safety of your account, not only on GitHub Enterprise, but on other websites and apps that support it. You can use 2FA to access GitHub Enterprise via:

  • The GitHub Enterprise website
  • The GitHub Enterprise API
  • GitHub Desktop

For more information, see "Accessing GitHub using two-factor authentication."

Two-factor authentication recovery codes

When you configure two-factor authentication, you'll download and save your 2FA recovery codes. If you lose access to your phone, you can authenticate to GitHub Enterprise using your recovery codes. For more information, see "Recovering your account if you lose your 2FA credentials."

Requiring two-factor authentication in your organization

Organization owners can require that organization members and outside collaborators use two-factor authentication to secure their personal accounts. For more information, see "Requiring two-factor authentication in your organization."

Authentication methods that support 2FA

Authentication Method Description Two-factor authentication support
Built-in Authentication is performed against user accounts that are stored on the GitHub Enterprise appliance. Supported and managed on the GitHub Enterprise appliance. Organization administrators can require 2FA to be enabled for members of the organization.
Built-in authentication with an identity provider Authentication is performed against user accounts that are stored on the identity provider. Dependant on the identity provider.
LDAP Allows integration with your company directory service for authentication. Supported and managed on the GitHub Enterprise appliance. Organization administrators can require 2FA to be enabled for members of the organization.
SAML Authentication is performed on an external identity provider. Not supported or managed on the GitHub Enterprise appliance, but may be supported by the external authentication provider. Two-factor authentication enforcement on organizations is not available.
CAS Single sign-on service is provided by an external server. Not supported or managed on the GitHub Enterprise appliance, but may be supported by the external authentication provider. Two-factor authentication enforcement on organizations is not available.