Skip to main content

Enterprise Server 3.15 в настоящее время доступен в качестве кандидата на выпуск.

Настройка двухфакторной проверки подлинности

Вы можете выбрать один из нескольких вариантов для добавления второго источника проверки подлинности в учетную запись.

You can configure two-factor authentication (2FA) using a TOTP app on mobile or desktop. After you have configured 2FA using a TOTP app, you can then also add security keys as alternate 2FA methods.

We strongly recommend using a time-based one-time password (TOTP) application to configure 2FA. Many TOTP apps support the secure backup of your authentication codes in the cloud and can be restored if you lose access to your device.

Warning

  • If you're an outside collaborator to a private repository of an organization that requires 2FA, you must leave the organization before you can disable 2FA.
  • If you're a member of an organization that requires 2FA, you will be unable to access that organization's resources while you have 2FA disabled.
  • If you disable 2FA, you will automatically lose access to the organization. To regain access to the organization, if you're a member, you must re-enable 2FA. If you're an outside collaborator, you will also lose access to any private forks you have of the organization's private repositories after disabling 2FA, and must re-enable 2FA and contact an organization owner to have access restored.

Note

You can reconfigure your 2FA settings without disabling 2FA entirely, allowing you to keep both your recovery codes and your membership in organizations that require 2FA.

Configuring two-factor authentication using a TOTP app

A time-based one-time password (TOTP) application automatically generates an authentication code that changes after a certain period of time. These apps can be downloaded to your phone or desktop. We recommend using cloud-based TOTP apps. GitHub is app-agnostic when it comes to TOTP apps, so you have the freedom to choose any TOTP app you prefer. Just search for TOTP app in your browser to find various options. You can also refine your search by adding keywords like free or open source to match your preferences.

Tip

To configure authentication via TOTP on multiple devices, during setup, scan the QR code using each device at the same time or save the "setup key", which is the TOTP secret. If 2FA is already enabled and you want to add another device, you must re-configure your TOTP app from your security settings.

  1. Download a TOTP app of your choice to your phone or desktop.

  2. In the upper-right corner of any page on GitHub, click your profile photo, then click Settings.

  3. In the "Access" section of the sidebar, click Password and authentication.

  4. In the "Two-factor authentication" section of the page, click Enable two-factor authentication.

  5. Under "Scan the QR code", do one of the following:

    • Scan the QR code with your mobile device's app. After scanning, the app displays a six-digit code that you can enter on GitHub Enterprise Server.
    • If you can't scan the QR code, click setup key to see a code, the TOTP secret, that you can manually enter in your TOTP app instead.

    Screenshot of the "Setup authenticator app" section of the 2FA settings. A link, labeled "setup key", is highlighted in orange.

  6. The TOTP application saves your account on your GitHub Enterprise Server instance and generates a new authentication code every few seconds. On GitHub Enterprise Server, type the code into the field under "Verify the code from the app."

  7. Under "Save your recovery codes", click Download to download your recovery codes to your device. Save them to a secure location because your recovery codes can help you get back into your account if you lose access.

  8. After saving your two-factor recovery codes, click I have saved my recovery codes to enable two-factor authentication for your account.

  9. Optionally, you can configure additional 2FA methods to reduce your risk of account lockout. For more details on how to configure each additional method, see "Configuring two-factor authentication using a security key"

Manually configuring a TOTP app

If you are unable to scan the setup QR code or wish to setup a TOTP app manually and require the parameters encoded in the QR code, they are:

  • Type: TOTP
  • Label: GitHub:<username> where <username> is your handle on GitHub, for example monalisa
  • Secret: This is the encoded setup key, shown if you click "Setup key" during configuration
  • Issuer: GitHub
  • Algorithm: The default of SHA1 is used
  • Digits: The default of 6 is used
  • Period: The default of 30 (seconds) is used

Configuring two-factor authentication using a passkey

Passkeys allow you to sign in securely to GitHub in your browser, without having to input your password.

If you use two-factor authentication (2FA), passkeys satisfy both password and 2FA requirements, so you can complete your sign in with a single step. If you don't use 2FA, using a passkey will skip the requirement to verify a new device via email. You can also use passkeys for sudo mode and resetting your password. See "About passkeys."

Note

Platform authenticators like Windows Hello, Face ID, or Touch ID can be registered as a passkey instead.

  1. You must have already configured 2FA via a TOTP mobile app.
  2. In the upper-right corner of any page on GitHub, click your profile photo, then click Settings.
  3. In the "Access" section of the sidebar, click Password and authentication.
  4. Under “Passkeys”, click Add a passkey.
  5. If prompted, authenticate with your password, or use another existing authentication method.
  6. Under “Configure passwordless authentication”, review the prompt, then click Add passkey.
  7. At the prompt, follow the steps outlined by the passkey provider.
  8. On the next page, review the information confirming that a passkey was successfully registered, then click Done.

Configuring two-factor authentication using a security key

Not all FIDO authenticators can be used as passkeys, but you can still register those authenticators as security keys. Security keys are also WebAuthn credentials, but unlike passkeys they don't require user validation. Since security keys only need to verify user presence, they only count as a second factor and must be used in conjunction with your password.

Registering a security key for your account is available after enabling 2FA with a TOTP application. If you lose your security key, you'll still be able to use your phone's code to sign in.

  1. You must have already configured 2FA via a TOTP mobile app.

  2. Ensure that you have a WebAuthn compatible security key inserted into your device.

  3. In the upper-right corner of any page on GitHub, click your profile photo, then click Settings.

  4. In the "Access" section of the sidebar, click Password and authentication.

  5. Next to "Security keys", click Add.

    Screenshot of the "two-factor methods" section of the 2FA settings. A gray button labeled "Add" is outlined in orange.

  6. Under "Security keys", click Register new security key.

  7. Type a nickname for the security key, then click Add.

  8. Following your security key's documentation, activate your security key.

  9. Confirm that you've downloaded and can access your recovery codes. If you haven't already, or if you'd like to generate another set of codes, download your codes and save them in a safe place. For more information, see "Configuring two-factor authentication recovery methods."

Further reading