Article version: Enterprise Server 2.17
Configuring two-factor authentication
You can choose among multiple options to add a second source of authentication to your account.
You can configure two-factor authentication using a mobile app. You can also add a security key.
We strongly recommend using a time-based one-time password (TOTP) application to configure 2FA. TOTP apps support the secure backup of your authentication codes in the cloud and can be restored if you lose access to your device.
- If you're a member or outside collaborator to a private repository of an organization that requires two-factor authentication, you must leave the organization before you can disable 2FA on your GitHub Enterprise Server instance.
- If you disable 2FA, you will automatically lose access to the organization and any private forks you have of the organization's private repositories. To regain access to the organization and your forks, re-enable two-factor authentication and contact an organization owner.
A time-based one-time password (TOTP) application automatically generates an authentication code that changes after a certain period of time. We recommend using cloud-based TOTP apps such as:
Tip: To configure authentication via TOTP on multiple devices, during setup, scan the QR code using each device at the same time. If 2FA is already enabled and you want to add another device, you must re-configure 2FA from your security settings.
- Download a TOTP app.
- In the upper-right corner of any page, click your profile photo, then click Settings.
- In the user settings sidebar, click Security.
- Under "Two-factor authentication", click Enable two-factor authentication.
- On the Two-factor authentication page, click Set up using an app.
- Save your recovery codes in a safe place. Your recovery codes can help you get back into your account if you lose access.
- To save your recovery codes on your device, click Download.
- To save a hard copy of your recovery codes, click Print.
- To copy your recovery codes for storage in a password manager, click Copy.
- After saving your two-factor recovery codes, click Next.
- On the Two-factor authentication page, do one of the following:
- Scan the QR code with your mobile device's app. After scanning, the app displays a six-digit code that you can enter on GitHub Enterprise.
- If you can't scan the QR code, click enter this text code to see a code you can copy and manually enter on GitHub Enterprise instead.
- The TOTP mobile application saves your GitHub Enterprise account and generates a new authentication code every few seconds. On GitHub Enterprise, on the 2FA page, type the code and click Enable.
- After you've saved your recovery codes and enabled 2FA, we recommend you sign out and back in to your account. In case of problems, such as a forgotten password or typo in your email address, you can use recovery codes to access your account and correct the problem.
After you configure 2FA using a mobile app, you can add a security key, like a fingerprint reader or Windows Hello. FIDO U2F authentication is currently available for the Chrome, Firefox, and Opera browsers.
On most devices and browsers, you can use a physical security key over USB or NFC. Some browsers can use the fingerprint reader, facial recognition, or password/PIN on your device as a security key.
Authentication with a security key is secondary to authentication with a TOTP application. If you lose your security key, you'll still be able to use your phone's code to sign in.
You must have already configured 2FA via a TOTP mobile app.
Ensure that you have a FIDO U2F compatible security key inserted into your computer.
In the upper-right corner of any page, click your profile photo, then click Settings.
In the user settings sidebar, click Security.
Next to "Security keys", click Add.
Under "Security keys", click Register new security key.
Type a nickname for the security key, then click Add.
Activate your security key, following your security key's documentation.
Confirm that you've downloaded and can access your recovery codes. If you haven't already, or if you'd like to generate another set of codes, download your codes and save them in a safe place. If you lose access to your account, you can use your recovery codes to get back into your account. For more information, see "Recovering your account if you lose your 2FA credentials."
After you've saved your recovery codes and enabled 2FA, we recommend you sign out and back in to your account. In case of problems, such as a forgotten password or typo in your email address, you can use recovery codes to access your account and correct the problem.