Two-factor authentication, or 2FA, is a way of logging into websites that requires more than just a password. Logging in with only a password is susceptible to security threats, because the password is the single piece of information a malicious person needs to acquire. 2FA adds security by requiring additional information to sign in.
In GitHub's case, this additional information is a code delivered to your cell phone, either as a text message (SMS) or generated by an application on your smartphone. After 2FA is enabled, GitHub generates a security code that is sent to your phone any time someone attempts to sign into your GitHub account. Someone can sign into your account only if they both know your password and have access to the security code on your phone.
Tip: GitHub Enterprise cannot send security codes as SMS messages—it only supports TOTP smartphone clients, such as Google Authenticator.
We strongly urge you to turn on 2FA for the safety of your account, not only on GitHub, but on other websites that support it. You can use 2FA to access GitHub via:
- The GitHub website
- The GitHub API
- GitHub for Windows
- GitHub for Mac
Warning: For security reasons, GitHub Support cannot restore access to accounts with two-factor authentication enabled if you lose your phone or access to your backup codes.
Configuring authentication via text message
Before using this method, be sure that you can receive text messages. Carrier rates may apply.
For non-US phone numbers, note the following:
- Indian phone numbers on the National Do Not Disturb (DND) registry cannot receive SMS messages. For information on enabling SMS for certain categories of calls, see Allow Calls by Category on the NDNC India website.
- Indian phone numbers cannot receive SMS messages between 9PM and 9AM.
- GitHub doesn't support sending SMS messages to every country. In those cases, you must use a TOTP mobile application for two-factor authentication.

- In your user bar, click Account settings.
- In the settings sidebar, click Account Settings.
- Under Two-Factor Authentication, click Set up two-factor authentication.
- On the Two-Factor Authentication page, click Set up using SMS.
- Select your country code and type your mobile phone number, including area code. When your information is correct, click Send code.
- You'll receive a text message with a security code. Type the code on the 2FA page, and click Enable.
Fallback SMS number
You can provide a second number for a fallback device. If you lose access to both your primary device and your recovery keys, a backup SMS number can get you back into your account.
Configuring authentication via a TOTP mobile app
You can use a Time-based One-Time Password (TOTP) application to automatically generate a security code that changes after a certain period of time.
Tip: To configure authentication via TOTP on multiple devices, during setup, scan the QR code using each device at the same time. If 2FA is already enabled and you want to add another device, you must re-configure 2FA from Account Settings.
- Download one of these apps:
  - For Android, iOS, and Blackberry: Google Authenticator
  - For Android and iOS: Duo Mobile
  - For Windows Phone: Authenticator
- In your user bar, click Account settings.
- In the left sidebar, click Account Settings.
- Under Two-Factor Authentication, click Set up two-factor authentication.
- On the Two-Factor Authentication page, click Set up using an app.
- On the "Add GitHub to your two-factor authentication app" page, do one of the following:
  - Scan the QR code.
  - Manually type the security code into your TOTP application.
- The TOTP mobile application will save your GitHub account and generate a new security code every few seconds. In GitHub, on the 2FA page, type the code and click Enable.
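How a TOTP application and a server derive the same code from the key shared during setup, shown as an added example (not GitHub's code and not part of the original page). It assumes the RFC 6238 defaults of HMAC-SHA1, a 30-second time step and 6 digits; the names totp, verify and SAMPLE_KEY are hypothetical, and the sample key is the RFC 6238 test key, not a real account key.

```python
import base64
import hashlib
import hmac
import struct
import time

# Constructed sample key: the RFC 6238 test key, in the base32 form
# that is typed into an app during manual setup. Not a real account key.
SAMPLE_KEY = base64.b32encode(b"12345678901234567890").decode()

def totp(key_b32, at=None, step=30, digits=6):
    """Code for the time step containing `at` (Unix seconds; default: now)."""
    # Keys are often typed in lower case with spaces; normalise and pad.
    text = key_b32.replace(" ", "").upper()
    key = base64.b32decode(text + "=" * (-len(text) % 8))
    counter = int(time.time() if at is None else at) // step
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation from RFC 4226
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def verify(key_b32, submitted, at=None, step=30, drift=1, last_used=None):
    """Server-side check. Returns the accepted step counter, or None.

    drift     -- steps of clock skew tolerated on either side
    last_used -- counter of the last accepted code; older or equal
                 counters are refused so a captured code cannot be replayed
    """
    now = int(time.time() if at is None else at)
    for delta in range(-drift, drift + 1):
        when = now + delta * step
        counter = when // step
        if when < 0 or (last_used is not None and counter <= last_used):
            continue
        expected = totp(key_b32, when, step).encode()
        # Constant-time comparison of the expected and submitted codes.
        if hmac.compare_digest(expected, submitted.encode()):
            return counter
    return None

if __name__ == "__main__":
    print("code for the current time step:", totp(SAMPLE_KEY))
    print("RFC 6238 test vector at t=59:", totp(SAMPLE_KEY, at=59))
```

Because the code depends only on the shared key and the clock, a phone whose clock is far off produces codes the server rejects; the drift parameter shows the usual tolerance of one step either side.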
Saving your recovery codes
After successfully setting up 2FA, you'll be provided a set of randomly generated recovery codes that you can view and save.

Treat these recovery codes with the same level of attention as you would your password! They should not be shared or distributed. If you're locked out of your account and don't have access to your primary device, you can use a recovery code to access your account. For more information, see Recovering your account if you lose your two-factor authentication credentials.
Tip: After 2FA has been enabled and you've saved your recovery codes, we recommend you log out and back in to your account. In case of problems, such as a forgotten password or typo in your email address, you can use recovery codes to access your account and correct the problem.
Changing authentication delivery methods
You can always switch between receiving security codes through a text message or a mobile application.
- In the user bar in the top-right corner of any page, click Account Settings.
- Click Edit in the Two-factor authentication section.
- Click Switch in the delivery options section.

