GitHub is one of the world’s most popular platforms for software development, hosting millions of repositories used by individuals, businesses, and open-source communities. Because GitHub accounts often contain valuable source code, deployment keys, personal access tokens, and sensitive project information, securing your account is essential. One of the most effective ways to protect your account from unauthorized access is by enabling Two-Factor Authentication (2FA).
Two-Factor Authentication adds an extra layer of security by requiring a second verification method in addition to your password. Even if someone learns your GitHub password through a phishing attack or data breach, they won’t be able to access your account without the second authentication factor. GitHub supports several 2FA methods, including authenticator apps, security keys, passkeys, and SMS (where available), although authenticator apps and security keys are recommended for stronger protection.
This guide explains how to enable GitHub 2FA on Windows 11 and Windows 10 using the available authentication methods.
What Is GitHub Two-Factor Authentication?
Two-Factor Authentication (2FA) is a security feature that requires two forms of identity verification when signing in:
- Your GitHub password
- A second verification method
GitHub currently supports:
- Authenticator apps (recommended)
- Security keys (FIDO2/WebAuthn)
- Passkeys
- Recovery codes
- SMS authentication (only as an additional recovery method in supported regions)
Using 2FA significantly reduces the risk of unauthorized account access.
Before You Begin
Before enabling GitHub 2FA, make sure you:
- Know your GitHub account password.
- Have access to your registered email address.
- Install an authenticator app if you plan to use one.
- Have a secure location ready for storing your recovery codes.
- Update your browser to the latest version.
These preparations make the setup process easier and help prevent account lockouts.
Method 1: Enable GitHub 2FA Using an Authenticator App (Recommended)
An authenticator app is the most commonly used and recommended method for GitHub 2FA.
Follow these steps:
- Sign in to your GitHub account.
- Click your profile picture in the upper-right corner.
- Select Settings.
- In the left pane, click Password and authentication.
- Under Two-factor authentication, click Enable two-factor authentication.
- Select Authenticator app.
- Open your authenticator app on your phone.
- Scan the QR code displayed by GitHub.
- Enter the six-digit verification code generated by the app.
- Click Continue.
- Download or save your recovery codes.
- Complete the setup.
From now on, GitHub will request a verification code whenever you sign in from a new device.
Method 2: Enable a Passkey
GitHub supports passkeys, which provide passwordless authentication using your device’s built-in security features.
To set up a passkey:
- Sign in to GitHub.
- Open Settings.
- Select Password and authentication.
- Locate the Passkeys section.
- Click Add a passkey.
- Choose your preferred device.
- Complete Windows Hello, fingerprint, or face verification.
- Save the passkey.
Passkeys are phishing-resistant and offer one of the most secure ways to access your account.
Method 3: Add a Security Key
Hardware security keys provide another highly secure authentication option.
To register one:
- Connect your security key to your computer.
- Sign in to GitHub.
- Open Settings.
- Select Password and authentication.
- Click Add security key.
- Follow the prompts.
- Touch or activate the security key when requested.
- Save the configuration.
Security keys are especially useful for developers who manage sensitive repositories.
Method 4: Download Recovery Codes
Recovery codes allow you to regain access if you lose your phone or security key.
To obtain them:
- Open Password and authentication.
- Locate Recovery codes.
- Download the recovery codes.
- Save them in a secure location.
- Avoid storing them only on your computer.
Each recovery code can be used once to access your account if your primary authentication method is unavailable.
Method 5: Add Multiple Authentication Methods
GitHub allows you to configure more than one verification method.
For example, you can use:
- Authenticator app
- Passkey
- Security key
- Recovery codes
Having multiple methods reduces the risk of being locked out of your account.
Method 6: Verify Your 2FA Setup
After enabling 2FA, confirm that everything works correctly.
To test it:
- Sign out of GitHub.
- Sign in again.
- Enter your username and password.
- Provide the verification code or use your passkey/security key.
- Confirm successful sign-in.
Testing ensures your chosen authentication method functions as expected.
Method 7: Update Trusted Devices
If you replace your phone or computer, update your authentication methods.
To do so:
- Sign in using your current verification method.
- Open Password and authentication.
- Add your new device or passkey.
- Remove outdated devices if necessary.
Keeping your authentication methods current helps maintain account security.
Method 8: Replace a Lost Authenticator Device
If you lose access to your authenticator app:
- Sign in using a recovery code or another registered authentication method.
- Open Password and authentication.
- Remove the old authenticator.
- Register your new device.
- Save a fresh set of recovery codes if prompted.
Having recovery codes available makes this process much easier.
Method 9: Review Recent Security Activity
Regularly reviewing your account activity helps detect unauthorized access.
Check for:
- Unknown login locations
- Unrecognized devices
- Unexpected security changes
- Suspicious authentication attempts
If anything looks unusual, change your password immediately and review your authentication methods.
Method 10: Keep Your Account Secure
Enabling 2FA is only part of maintaining good account security.
You should also:
- Use a unique, strong password.
- Avoid reusing passwords across websites.
- Update recovery methods regularly.
- Enable passkeys where possible.
- Review installed GitHub OAuth applications periodically.
- Remove unused personal access tokens.
- Keep your browser and operating system updated.
Combining these practices with 2FA provides much stronger protection.
Which 2FA Method Should You Choose?
Each authentication method has its own advantages:
Authenticator App
- Easy to set up
- Works offline
- Highly secure
- Recommended for most users
Passkey
- Passwordless authentication
- Resistant to phishing attacks
- Very convenient
- Supported on modern devices
Security Key
- Highest level of security
- Ideal for developers and organizations
- Protects against phishing
- Requires compatible hardware
For most users, an authenticator app combined with recovery codes provides an excellent balance between security and convenience.
Common Problems When Enabling GitHub 2FA
You may encounter issues during setup, such as:
- Verification codes rejected because the phone's clock is out of sync (authenticator codes are time-based)
- Lost authenticator device
- Missing recovery codes
- Browser compatibility issues
- Unsupported security key
- Expired login session
- Network interruptions during setup
Most of these problems can be resolved by ensuring your device’s time is synchronized, using recovery codes, or trying a different browser.
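The clock-synchronization problem above follows from how authenticator-app codes are generated. As an added example that is not part of this guide, the Python below implements the RFC 6238 TOTP algorithm those apps use, keyed with the RFC's own published test secret rather than a real GitHub secret, and simulates a phone whose clock has drifted. The one-step tolerance window is an assumption for illustration; GitHub's actual tolerance is not documented in this guide.

```python
import base64
import hashlib
import hmac
import struct

# RFC 6238 Appendix B test secret ("12345678901234567890" in Base32). A real
# GitHub secret is the random Base32 string carried in the QR code you scan.
TEST_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
STEP = 30    # seconds per code; the default used by authenticator apps
DIGITS = 6


def totp(secret_b32: str, unix_time: int, step: int = STEP, digits: int = DIGITS) -> str:
    """Return the TOTP code valid at unix_time (HMAC-SHA1, per RFC 6238)."""
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)
    key = base64.b32decode(padded)
    counter = unix_time // step                      # number of 30 s steps since epoch
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                       # dynamic truncation (RFC 4226)
    binary = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def verify(secret_b32: str, submitted: str, server_time: int, window: int = 1) -> bool:
    """Accept the code for the current step or for `window` steps on either side.

    A server tolerates small drift this way (window size is an assumption here).
    A phone clock off by more than window * STEP seconds produces codes that are
    always rejected, which is the "incorrect verification code" symptom above.
    """
    for k in range(-window, window + 1):
        expected = totp(secret_b32, server_time + k * STEP)
        if hmac.compare_digest(expected, submitted):
            return True
    return False


def code_accepted_with_drift(drift_seconds: int, window: int = 1) -> bool:
    """Simulate a phone whose clock is off from the server's by drift_seconds."""
    server_now = 1_700_000_000                       # constructed fixed timestamp
    phone_code = totp(TEST_SECRET, server_now + drift_seconds)
    return verify(TEST_SECRET, phone_code, server_now, window)


if __name__ == "__main__":
    for drift in (0, 20, 90, -300):
        ok = code_accepted_with_drift(drift)
        print(f"phone clock off by {drift:5d} s -> code accepted: {ok}")
```

Running it shows that a drift of a few seconds is harmless while a clock that is minutes off makes every code fail, which is why re-synchronizing the phone's time fixes the problem.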
Tips for Managing GitHub 2FA
To keep your account secure over time:
- Store recovery codes in multiple secure locations.
- Register more than one authentication method.
- Use passkeys if your devices support them.
- Keep your authenticator app backed up if the app offers encrypted backups.
- Regularly review your account’s security settings.
- Remove old devices that no longer have access.
- Never share verification codes with anyone.
- Be cautious of phishing websites that imitate GitHub.
Following these practices helps prevent unauthorized access and reduces the likelihood of account recovery issues.
Conclusion
Enabling Two-Factor Authentication is one of the most important steps you can take to secure your GitHub account. Whether you choose an authenticator app, a passkey, or a hardware security key, adding a second verification factor greatly reduces the risk of unauthorized access—even if your password is compromised.
After enabling 2FA, remember to save your recovery codes, consider registering multiple authentication methods, and periodically review your security settings. With these precautions in place, you’ll be better protected against phishing attacks, credential theft, and other common online threats while keeping your repositories and projects secure.
Frequently Asked Questions
1. Is an authenticator app better than SMS for GitHub 2FA?
Yes. Authenticator apps are generally more secure than SMS because they are not vulnerable to SIM-swapping attacks and do not rely on mobile network availability.
2. Can I use more than one authentication method on GitHub?
Yes. GitHub allows you to register multiple authentication methods, such as an authenticator app, passkeys, security keys, and recovery codes, making it easier to regain access if one method becomes unavailable.
3. What happens if I lose my phone after enabling GitHub 2FA?
If you have saved your recovery codes or configured another authentication method, you can use those to sign in and register a new authenticator device. Without a recovery method, regaining access may be significantly more difficult.
4. Do I need to enter a verification code every time I sign in?
Not always. GitHub may remember trusted devices and browsers, but you’ll generally be asked for your second authentication factor when signing in on a new device, after clearing browser data, or when additional verification is required for security.