How to Enable 2FA on GitHub with an Authenticator
GitHub now requires 2FA

As of 2024, GitHub requires all developers who contribute code to enable two-factor authentication. If you haven’t set it up yet, you’ve probably been seeing reminders. Even if you somehow haven’t, it’s worth doing. Your GitHub account likely has access to private repos, deployment pipelines, and credentials that you really don’t want exposed.

Setting up TOTP-based 2FA (the authenticator app kind) takes about two minutes. Here’s how.

If you want background on how authenticator codes work, see “What is TOTP?”.

What you’ll need

  • A GitHub account
  • An authenticator app (Google Authenticator, Authy, 1Password, Bitwarden, or any TOTP-compatible app)

Step-by-step setup

1. Open your settings

Click your profile photo in the top-right corner of any GitHub page, then click Settings.

2. Go to “Password and authentication”

In the left sidebar, under “Access,” click Password and authentication.

3. Click “Enable two-factor authentication”

You’ll see a section for two-factor authentication. Click the button to enable it. GitHub may ask you to confirm your password.

4. Choose “Set up using an app”

GitHub gives you the option to use an authenticator app or SMS. Pick the authenticator app. It’s more secure and doesn’t depend on cell service.

5. Scan the QR code

GitHub displays a QR code. Open your authenticator app, add a new account, and scan it.

If you can’t scan the code, click “setup key” to see the secret as plain text. You can type this into your authenticator app manually.

One thing to note: GitHub shows the setup key in a specific format, usually grouped with spaces. Copy the characters exactly; whether you keep or drop the spaces and grouping depends on what your app expects, though most apps accept it either way.

6. Enter the verification code

Your authenticator app will show a 6-digit code. Type it into GitHub and click Continue.
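To show what happens between the setup key in step 5 and the 6-digit code in step 6, here is an added example (not code from the original article or from GitHub) that implements TOTP as specified in RFC 6238 on top of HOTP (RFC 4226): the base32 setup key is decoded, the current 30-second time window is HMAC-SHA1’d with it, and six digits are truncated out. It also normalizes the grouped, space-separated form of the key that GitHub displays, and verifies a submitted code with a small clock-drift window using a constant-time comparison, which is what a server does on the receiving side. The secret used below is the RFC’s published test secret, not a real GitHub key.

```python
import base64
import hashlib
import hmac
import struct
import time


def normalize_setup_key(key: str) -> str:
    """Turn the setup key as GitHub shows it (grouped, possibly lowercase)
    into canonical base32: strip whitespace, upper-case, restore '=' padding
    so that the length is a multiple of 8."""
    cleaned = "".join(key.split()).upper()
    return cleaned + "=" * ((-len(cleaned)) % 8)


def hotp(secret_b32: str, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian 8-byte counter,
    dynamic truncation, then reduce to the requested number of digits."""
    key = base64.b32decode(normalize_setup_key(secret_b32), casefold=True)
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                      # low nibble of last byte
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)  # keep leading zeros


def totp(secret_b32: str, at=None, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter set to the current time window.
    'at' is a Unix timestamp; None means 'now'. This is the number your
    authenticator app displays."""
    t = int(time.time()) if at is None else int(at)
    return hotp(secret_b32, t // step, digits)


def verify_totp(secret_b32: str, submitted: str, at=None,
                step: int = 30, window: int = 1) -> bool:
    """Server-side check: accept the code for the current window plus
    'window' steps either side to tolerate clock drift. Uses a
    constant-time comparison so timing doesn't leak partial matches."""
    t = int(time.time()) if at is None else int(at)
    counter = t // step
    for drift in range(-window, window + 1):
        if hmac.compare_digest(hotp(secret_b32, counter + drift), submitted):
            return True
    return False


# RFC 4226 / RFC 6238 test secret (ASCII "12345678901234567890" in base32),
# shown here in the grouped form GitHub's "setup key" screen uses.
RFC_TEST_SECRET = "gezd gnbv gy3t qojq gezd gnbv gy3t qojq"

if __name__ == "__main__":
    print("code for RFC time 59 :", totp(RFC_TEST_SECRET, at=59))        # 287082
    print("code right now       :", totp(RFC_TEST_SECRET))
    print("drift check          :", verify_totp(RFC_TEST_SECRET, "755224", at=59))
```

The published RFC vectors are a handy sanity check when writing or auditing an implementation: with the test secret, the 8-digit TOTP at time 59 is 94287082, so the 6-digit form is 287082. Note that the leading-zero handling (`zfill`) matters: a code like 050471 must keep its zero, which is a common bug in home-grown generators.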

7. Save your recovery codes

GitHub generates a set of recovery codes. This is the screen people rush past, but you shouldn’t.

Each recovery code is a one-time-use code that lets you log in if you lose access to your authenticator app. Download them, print them, or save them in your password manager. Don’t just leave them in your browser downloads folder.

GitHub will ask you to confirm that you’ve saved them before finishing the setup.

SSH keys and 2FA

One thing that catches people off guard: enabling 2FA changes how Git authentication works over HTTPS.

After you turn on 2FA, you can’t use your GitHub password for HTTPS Git operations anymore. You’ll need to use either:

  • A personal access token (PAT) in place of your password for HTTPS
  • SSH keys, which aren’t affected by 2FA at all

If you’re already using SSH for pushing and pulling, nothing changes. If you’re using HTTPS, you’ll need to create a personal access token (Settings > Developer settings > Personal access tokens) and use that as your password when Git asks for credentials.

Alternatively, the GitHub CLI (gh auth login) handles all of this for you and is probably the least painful option.
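As an added example of the HTTPS-versus-SSH point above (this is not code from the article or from GitHub; it is a small script I wrote for it, kept in Python to match the TOTP example), the helper below rewrites a GitHub HTTPS remote URL into its SSH equivalent and, if asked, applies it with `git remote set-url`. It also flags the one thing to avoid when switching to a personal access token: baking the token into the remote URL, which leaves it in plaintext in `.git/config`. The URLs in the test are constructed placeholders; `TOKEN_PLACEHOLDER` stands in for a real token.

```python
import re
import subprocess

# Matches https://github.com/owner/repo[.git][/], with optional user[:token]@
GITHUB_HTTPS = re.compile(
    r"^https://(?:[^@/]+@)?github\.com/([^/]+)/([^/]+?)(?:\.git)?/?$"
)


def https_to_ssh(url: str) -> str:
    """Return the SSH form (git@github.com:owner/repo.git) of a GitHub HTTPS
    remote URL. Anything else (already SSH, another host) is returned unchanged."""
    m = GITHUB_HTTPS.match(url)
    if not m:
        return url
    owner, repo = m.groups()
    return f"git@github.com:{owner}/{repo}.git"


def has_embedded_credentials(url: str) -> bool:
    """True if a username or token is embedded in an HTTPS URL
    (https://user:TOKEN@github.com/...). Git stores remote URLs verbatim in
    .git/config, so a token placed here sits on disk in plaintext; use a
    credential helper or SSH instead."""
    return re.match(r"^https://[^/]+@github\.com/", url) is not None


def switch_remote_to_ssh(remote: str = "origin", repo_dir: str = ".") -> str:
    """Read the remote's current URL from a real checkout and rewrite it to SSH
    when it is a GitHub HTTPS URL. Returns the URL now configured.
    Only this function touches git; the two helpers above are pure."""
    current = subprocess.check_output(
        ["git", "-C", repo_dir, "remote", "get-url", remote], text=True
    ).strip()
    desired = https_to_ssh(current)
    if desired != current:
        subprocess.check_call(
            ["git", "-C", repo_dir, "remote", "set-url", remote, desired]
        )
    return desired


if __name__ == "__main__":
    # Constructed sample URLs, not taken from any real repository.
    for sample in (
        "https://github.com/example-owner/example-repo.git",
        "https://github.com/example-owner/example-repo",
        "git@github.com:example-owner/example-repo.git",
        "https://someone:TOKEN_PLACEHOLDER@github.com/example-owner/example-repo.git",
    ):
        flag = "  <- token in URL, move it to a credential helper" \
            if has_embedded_credentials(sample) else ""
        print(f"{sample} -> {https_to_ssh(sample)}{flag}")
```

Run `switch_remote_to_ssh()` inside a checkout to apply the change; the pure helpers can be unit-tested without a repository. If you stay on HTTPS with a PAT, let a credential helper (for example the one `gh auth login` configures) store the token rather than the remote URL.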

Passkeys as a second factor

GitHub also supports passkeys, which can serve as both your password and second factor. If you’re interested in that, you can set one up alongside your authenticator app from the same “Password and authentication” settings page.

Having both configured gives you flexibility. If your phone dies, you can use your passkey. If your passkey device isn’t available, you can use your authenticator app. Redundancy is your friend here.

Managing 2FA after setup

You can always go back to Settings > Password and authentication to:

  • View or regenerate your recovery codes (do this if you’ve used any)
  • Add additional authenticator apps or security keys
  • Configure fallback SMS (useful as a last resort)

If you’re part of an organization that enforces 2FA, losing access to your second factor can lock you out of your org’s repositories until you re-authenticate. Keep your recovery codes current.

Quick recap

  1. Settings > Password and authentication > Enable two-factor authentication
  2. Choose authenticator app, scan the QR code
  3. Enter the 6-digit code to verify
  4. Download and store your recovery codes
  5. If using HTTPS for Git, switch to a personal access token or SSH

It takes two minutes, and GitHub won’t let you put it off much longer anyway.

Want to see how TOTP codes work before setting things up? You can play with a generator at 2fa.zip — it’s browser-based and doesn’t send anything to a server.
