Skip to main content

Requiring two-factor authentication in your organization

Organization owners can require organization members, outside collaborators, and billing managers to enable two-factor authentication for their personal accounts, making it harder for malicious actors to access an organization's repositories and settings.

Who can use this feature?

Requiring two-factor authentication is available to organizations on a GitHub Free or GitHub Team plan, as well as organizations on GitHub Enterprise Cloud or GitHub Enterprise Server. With GitHub Enterprise Cloud, this feature is unavailable for organizations in an enterprise with managed users.

Note

As of March 2023, GitHub required all users who contribute code on GitHub.com to enable one or more forms of two-factor authentication (2FA). If you were in an eligible group, you would have received a notification email when that group was selected for enrollment, marking the beginning of a 45-day 2FA enrollment period, and you would have seen banners asking you to enroll in 2FA on GitHub.com. If you didn't receive a notification, then you were not part of a group required to enable 2FA, though we strongly recommend it.

For more information about the 2FA enrollment rollout, see this blog post.

About two-factor authentication for organizations

Two-factor authentication (2FA) is an extra layer of security used when logging into websites or apps. You can require all members, outside collaborators, and billing managers in your organization to enable two-factor authentication on GitHub Enterprise Cloud. For more information about two-factor authentication, see Securing your account with two-factor authentication (2FA).

You can also require two-factor authentication for organizations in an enterprise. For more information, see Enforcing policies for security settings in your enterprise.

Note

Some of the users in your organization may have been selected for mandatory two-factor authentication enrollment by GitHub, but it has no impact on how you enable the 2FA requirement for your organization. If you enable the 2FA requirement in your organization, all users without 2FA currently enabled will be removed from your organization, including those that are required to enable it by GitHub.

Warning

  • When you require use of two-factor authentication for your organization, members and billing managers who do not use 2FA will not be able to access your organization's resources until they enable 2FA on their account. They will retain membership even without 2FA, including occupying seats in your organization.
  • When you require use of two-factor authentication for your organization, outside collaborators who do not use 2FA will be removed from the organization and lose access to its repositories. They will also lose access to their forks of the organization's private repositories. You can reinstate their access privileges and settings if they enable 2FA for their personal account within three months of their removal from your organization. For more information, see Reinstating a former member of your organization.
  • You will also need to enable two-factor authentication for unattended or shared access accounts that are outside collaborators, such as bots and service accounts. If you do not configure 2FA for these unattended outside collaborator accounts after you've enabled required 2FA, the accounts will be removed from the organization and lose access to their repositories. For more information, see Managing bots and service accounts with two-factor authentication.
  • If an outside collaborator disables two-factor authentication for their personal account after you've enabled required 2FA, they will automatically be removed from the organization.
  • If you're the sole owner of an organization that requires two-factor authentication, you won't be able to disable 2FA for your personal account without disabling required 2FA for the organization.

Prerequisites

Before you can require organization members, outside collaborators, and billing managers to use two-factor authentication, you must enable 2FA for your account on GitHub Enterprise Cloud. For more information, see Securing your account with two-factor authentication (2FA).

Before you require use of two-factor authentication, we recommend notifying organization members, outside collaborators, and billing managers and asking them to set up 2FA for their accounts. You can see if members and outside collaborators already use 2FA. For more information, see Viewing whether users in your organization have 2FA enabled.

Requiring two-factor authentication in your organization

  1. In the upper-right corner of GitHub, select your profile photo, then click Your organizations.

  2. Next to the organization, click Settings.

  3. In the "Security" section of the sidebar, click Authentication security.

  4. Under "Two-factor authentication", select Require two-factor authentication for everyone in your organization, then click Save.

  5. If prompted, read the information about members and outside collaborators who will be removed from the organization.

  6. To confirm the change, click Confirm.

  7. If any outside collaborators are removed from the organization, we recommend sending them an invitation that can reinstate their former privileges and access to your organization. They must enable two-factor authentication before they can accept your invitation.

Requiring secure methods of two-factor authentication in your organization

Alongside requiring two-factor authentication, you can require that organization members, billing managers, and outside collaborators use secure methods of 2FA. Secure two-factor methods are passkeys, security keys, authenticator apps, and the GitHub mobile app. Users who do not have a secure method of 2FA configured, or who have any insecure method configured, will be prevented from accessing organization resources.

Before you require secure methods of two-factor authentication, we recommend notifying organization members, outside collaborators, and billing managers and asking them to set up secure 2FA for their accounts. You can see if members and outside collaborators already use secure methods of 2FA on each organization's People page. For more information, see Viewing whether users in your organization have 2FA enabled.

  1. Under "Two-factor authentication", select Require two-factor authentication for everyone in your organization and Only allow secure two-factor methods, then click Save.
  2. If prompted, read the information about how user access to organization resources will be affected by requiring secure 2FA methods. To confirm the change, click Confirm.
  3. Optionally, if any outside collaborators are removed from your organization, we recommend sending them an invitation to reinstate their former privileges and access. Each person must enable 2FA with a secure method before they can accept your invitation.

Viewing people who were removed from your organization

To view people who were automatically removed from your organization for non-compliance when you required two-factor authentication, you can search your organization's audit log for people removed from your organization. The audit log event will show if a person was removed for 2FA non-compliance. For more information, see Reviewing the audit log for your organization.

  1. In the upper-right corner of GitHub, select your profile photo, then click Your organizations.
  2. Next to the organization, click Settings.
  3. In the "Archive" section of the sidebar, click Logs, then click Audit log.
  4. Enter your search query. To search for outside collaborators removed, use action:org.remove_outside_collaborator in your search query

You can also view people who were removed from your organization by using a time frame in your search.

Helping removed outside collaborators rejoin your organization

If any outside collaborators are removed from the organization when you enable required use of two-factor authentication, they'll receive an email notifying them that they've been removed. They should then enable 2FA for their personal account, and contact an organization owner to request access to your organization.

Further reading