Two-factor authentication

Enabling two-factor authentication (also referred to as 2FA or MFA) on your GitHub account is mandatory for all Googlers who work on open source code for Google. We highly recommend it for personal use as well.

Setting up 2FA with GitHub

You can use your standard-issue security key as your second factor, as well as TOTP with Google Authenticator or your own WebAuthn security key. To set up 2FA, navigate to the security section of your settings page and go through the setup flow. Once you have enabled 2FA on your account, you will be prompted to provide the second factor when logging in to GitHub. Read more about the various options in GitHub’s documentation.

WARNING: Whatever you use for two-factor, make sure to generate and save the recovery codes for your account! We do not have the ability to recover your GitHub account if you get locked out. Read more about best practices.

Command line authentication

Once you have enabled 2FA on your account, you will need to update how you authenticate on the command line; your password will no longer work.

We recommend adding an SSH key to your account for authenticating on the command line.

Best practices for recovery

When you enable 2FA on your account, you will be prompted to download recovery codes. Store these codes in a safe location, like a password manager or even a safety deposit box. If you choose to use the authentication app approach, you can save the seed by selecting the option to enter a text code instead:

[Image: Enter text code]

Then, use this text code to set up the authentication app (such as Google Authenticator on a mobile phone) using the "enter a provided key" option:

[Image: Authenticator setup]

Storing that seed in a safe location lets you reconfigure the app in the event that you change phones, reinstall the OS, or have multiple devices that you want to configure.
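The following added example (not code from this page, Google or GitHub) shows why the saved seed is enough to rebuild the authenticator, and why it needs the same protection as a password: every code is derived only from the seed and the clock. It assumes the common RFC 6238 defaults (HMAC-SHA-1, 30-second step, 6 digits); the seed is the published RFC 6238 test key, not a real account seed, and the function names are illustrative.

```python
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional

# Constructed sample: base32 of the RFC 6238 test key "12345678901234567890".
RFC_TEST_SEED = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def decode_seed(text_code: str) -> bytes:
    """Turn the base32 text code shown at setup into raw key bytes.

    Setup pages often display the code in lowercase, spaced groups, so
    normalise it and restore any base32 padding that was stripped.
    """
    cleaned = text_code.replace(" ", "").replace("-", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)
    return base64.b32decode(cleaned)


def totp(text_code: str, at: Optional[float] = None,
         step: int = 30, digits: int = 6) -> str:
    """Compute the RFC 6238 code for the given seed at Unix time `at`."""
    key = decode_seed(text_code)
    now = time.time() if at is None else at
    counter = int(now) // step                      # number of elapsed steps
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                         # RFC 4226 dynamic truncation
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def devices_agree(text_code: str, at: float) -> bool:
    """Two independent 'devices' set up from the same seed yield the same code."""
    old_phone = totp(text_code, at)
    new_phone = totp(text_code.lower(), at)         # re-typed by hand later
    return old_phone == new_phone


if __name__ == "__main__":
    now = time.time()
    print("current code:", totp(RFC_TEST_SEED, now))
    print("restored device matches:", devices_agree(RFC_TEST_SEED, now))
```

Because nothing device-specific enters the calculation, anyone holding the seed can produce valid codes, so keep it in the same protected location as the recovery codes.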

You can also configure additional recovery methods, as documented by GitHub.

IMPORTANT: Before switching phones, make sure that your recovery codes are up-to-date so you do not lose access to your account. Your recovery options are limited if you lose your second factor.