Skip to main content

Requiring two-factor authentication for an organization

You can require organization members and outside collaborators to enable two-factor authentication for their personal accounts in an organization, making it harder for malicious actors to access an organization's repositories and settings.

When using LDAP or built-in authentication, two-factor authentication is supported on your GitHub Enterprise Server instance. Organization owners can require members to have two-factor authentication enabled.

When using SAML or CAS, two-factor authentication is not supported or managed on the GitHub Enterprise Server instance, but may be supported by the external authentication provider. Two-factor authentication enforcement on organizations is not available. For more information about enforcing two-factor authentication on organizations, see "Requiring two-factor authentication in your organization."

For more information, see "About two-factor authentication."

Requirements for enforcing two-factor authentication

Before you can require organization members and outside collaborators to use 2FA, you must enable two-factor authentication for your own personal account.

Before you require use of two-factor authentication, we recommend notifying organization members and outside collaborators and asking them to set up 2FA for their accounts. You can see if members and outside collaborators already use 2FA on an organization's People tab.

The verification of two-factor authentication codes requires an accurate time on both the client's device and server. Site administrators should ensure time synchronization is configured and accurate. For more information, see "Configuring time synchronization."

Warning

  • When you require two-factor authentication, members who do not use 2FA will not be able to access your enterprise resources until they enable 2FA on their account. They will retain membership even without 2FA, including occupying seats in your enterprise and organizations.
  • When your require two-factor authentication, outside collaborators (including bot accounts) who do not use 2FA will be removed from the enterprise and its organization and lose access to repositories, including their forks of private repositories. If they enable 2FA for their personal account within three months of being removed from the organization, you can reinstate their access privileges and settings.
  • When two-factor authentication is required, outside collaborators who disable 2FA will automatically be removed from the enterprise and its organizations. Members who disable 2FA will not be able to access your enterprise and organization resources until they re-enable it.
  • If you're the sole owner of an organization that requires two-factor authentication, you won't be able to disable 2FA for your personal account without disabling required 2FA for the organization.

Requiring two-factor authentication for an organization

  1. In the upper-right corner of GitHub, select your profile photo, then click Your organizations**.
  2. Next to the organization, click Settings.
  3. In the "Security" section of the sidebar, click Authentication security.
  4. Under "Two-factor authentication", select Require two-factor authentication for everyone in your organization, then click Save.
  5. If prompted, read the information about members and outside collaborators who will be removed from the organization.
  6. In the text field, type your organization's name to confirm the change, then click Remove members & require two-factor authentication.

Viewing people who were removed from your organization

To view people who were automatically removed from your organization for non-compliance when you required two-factor authentication, you can search the audit log using reason:two_factor_requirement_non_compliance in the search field.

  1. In the upper-left corner of any page, click .

  2. From an administrative account on GitHub Enterprise Server, in the upper-right corner of any page, click .

  3. If you're not already on the "Site admin" page, in the upper-left corner, click Site admin.

  4. In the "Archives" section of the sidebar, click Security log.

  5. Enter your search query using reason:two_factor_requirement_non_compliance. To narrow your search for:

    • Outside collaborators removed, enter action:org.remove_outside_collaborator AND reason:two_factor_requirement_non_compliance

    You can also view people removed from a particular organization by using the organization name in your search:

    • org:octo-org AND reason:two_factor_requirement_non_compliance
  6. Click Search.

Helping removed outside collaborators rejoin your organization

If any outside collaborators are removed from the organization when you enable required use of two-factor authentication, they'll receive an email notifying them that they've been removed. They should then enable 2FA for their personal account, and contact an organization owner to request access to your organization.

Further reading