Two-Factor Authentication on GitHub Organizations

As indicated in go/github-org-owners#settings, we require that two-factor authentication (2FA) be mandatory for members and collaborators of an organization. While this is policy for all Googlers registered at go/github, enabling this setting on an organization may affect GitHub users who are not Google employees.

What turning on 2FA means for your organization

If you have members and/or collaborators who do not currently use 2FA on their GitHub account, requiring 2FA on your organization means that these users will lose:

  • Commit access to repositories
  • Forks of private repositories
  • Any administrative access they previously had

During the process of enabling 2FA for your organization, you will be shown the members and outside collaborators who will be affected by this change. You'll then be asked to confirm the change to your settings.

You can manually check whether your organization has any users who do not have 2FA enabled by visiting the following links (replacing %orgname% with your organization's name):

https://github.com/orgs/%orgname%/people?&query=two-factor%3Adisabled

https://github.com/orgs/%orgname%/outside-collaborators?query=two-factor%3Adisabled

Once you have 2FA required for your org, users will not be able to accept invitations to become members or outside collaborators of the organization (or repositories on the organization) unless they enable 2FA on their GitHub accounts.

How we monitor

We pull information on each organization approximately once a week. You (the organization administrator) will receive an issuetracker issue if your org has this setting disabled. It will include steps to return your organization to a state of compliance with our policy.

NOTE: If your organization repeatedly falls out of compliance, we will work with you to establish better practices for administering your org.

Robot accounts

For information on how to enable 2FA on a robot account, follow these instructions: go/github-docs/robots

Reinstating access

If a member or outside collaborator has their access removed when you turn on 2FA, GitHub provides a mechanism for restoring it easily. If the user enables 2FA within three months of being removed from the org, you can reinstate their same privileges and access within the organization. To do this, GitHub provides the following guides:

Troubleshooting

Once you've required 2FA on your organization, you can keep track of anyone removed using GitHub's audit log and querying for action:org.remove_member and action:org.remove_outside_collaborator.
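
The following Python is an added example, not part of the original page or of GitHub's tooling. It filters audit-log events for the two actions above and reports, per removed user, whether the reinstatement window is still open. The field names (action, user, @timestamp in milliseconds), the 90-day approximation of "three months", the function name removed_users and the sample accounts are assumptions made for illustration.

```python
from datetime import datetime, timedelta, timezone

# The two audit-log actions this page says to query for.
REMOVAL_ACTIONS = {"org.remove_member", "org.remove_outside_collaborator"}
# Assumption: the three-month reinstatement window is approximated as 90 days.
REINSTATE_WINDOW = timedelta(days=90)


def _ms(year, month, day):
    """Build a millisecond epoch timestamp (UTC) for the sample data."""
    return int(datetime(year, month, day, tzinfo=timezone.utc).timestamp() * 1000)


# Constructed sample events; the field names are an assumed export shape.
SAMPLE_EVENTS = [
    {"action": "org.remove_member", "user": "alice-example", "@timestamp": _ms(2023, 6, 1)},
    {"action": "org.remove_member", "user": "alice-example", "@timestamp": _ms(2024, 3, 1)},
    {"action": "org.remove_outside_collaborator", "user": "bob-example", "@timestamp": _ms(2024, 1, 10)},
    {"action": "org.invite_member", "user": "carol-example", "@timestamp": _ms(2024, 4, 2)},
    {"action": "org.remove_member", "@timestamp": _ms(2024, 4, 3)},  # malformed: no user
]


def removed_users(events, now):
    """Map each removed user to their latest removal and reinstatement deadline."""
    latest = {}
    for ev in events:
        user, ts = ev.get("user"), ev.get("@timestamp")
        # Skip unrelated actions and events missing the fields we need.
        if ev.get("action") not in REMOVAL_ACTIONS or not user or ts is None:
            continue
        when = datetime.fromtimestamp(ts / 1000, tz=timezone.utc)
        # Only the most recent removal starts the window that matters.
        if user not in latest or when > latest[user]["removed_at"]:
            latest[user] = {"action": ev["action"], "removed_at": when}
    for info in latest.values():
        info["reinstate_by"] = info["removed_at"] + REINSTATE_WINDOW
        info["can_reinstate"] = now <= info["reinstate_by"]
    return latest


if __name__ == "__main__":
    report = removed_users(SAMPLE_EVENTS, datetime.now(timezone.utc))
    for user, info in sorted(report.items()):
        print(user, info["action"], info["reinstate_by"].date(), info["can_reinstate"])
```

can_reinstate reflects only the time window; the user must still enable 2FA on their account before their access can be restored.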