How to Set Up 2FA on GitHub with an Authenticator App

Step-by-step guide to enabling two-factor authentication on GitHub using a TOTP authenticator app. Required for all contributors since 2023.

GitHub made 2FA mandatory for all contributing users in 2023. If you push code, open pull requests, or manage repositories, you need 2FA enabled. Even if you only use private repositories, your GitHub account is worth protecting: it holds your code, the SSH keys and personal access tokens that can push to it, and your identity in the developer ecosystem. A compromised account can publish commits or releases under your name, which is exactly how software-supply-chain attacks start.

This guide covers setting up TOTP-based 2FA with an authenticator app, which is more secure and reliable than SMS.

Why an Authenticator App Over SMS?

GitHub supports several 2FA methods: authenticator (TOTP) apps, SMS, security keys and passkeys, and the GitHub Mobile app. Of the two phone-based options, an authenticator app is the better choice because:

  • No SIM-swapping risk. An attacker who persuades your carrier to move your number to their SIM receives your SMS codes. A TOTP secret never leaves your device, so there is nothing to redirect.
  • Works without cell service. TOTP codes are computed from the shared secret and the current time, so the app generates them offline, which is useful when you’re coding on a plane or in a basement with no signal.
  • Faster. Opening your authenticator app is faster than waiting for a text message.
  • GitHub recommends it. GitHub’s own documentation recommends TOTP apps over SMS.

What You’ll Need

  • A GitHub account
  • A phone with an authenticator app installed (FactorCat, Google Authenticator, Authy, or any TOTP-compatible app)

Step-by-Step Setup

1. Open GitHub Security Settings

Go to github.com/settings/security (or navigate to Settings → Password and authentication).

Under “Two-factor authentication,” click “Enable two-factor authentication.”

2. Choose Authenticator App

GitHub will present setup options. Select “Set up using an app” (this is the default and recommended option).

GitHub will display a QR code and, as a fallback, a text-based setup key. Both carry the same shared secret, so treat the setup key like a password: anyone who copies it can generate your codes.

3. Scan the QR Code

Open your authenticator app:

  • In FactorCat: Tap +Scan QR Code. Point your camera at the QR code on screen. FactorCat identifies it as a GitHub token and names it automatically.
  • In other apps: Use the “Add account” or scan option.

If you can’t scan the QR code (e.g., setting up on the same device), click “enter this text code” below the QR and manually enter the setup key in your authenticator app.

4. Enter the Verification Code

GitHub will ask you to enter the current 6-digit code from your authenticator app. Type it in and click “Continue.” Codes rotate every 30 seconds and depend on your phone’s clock, so if GitHub rejects a freshly generated code, check that the phone’s time is set automatically.

5. Save Your Recovery Codes

GitHub will show you a set of recovery codes. These are critical: they’re your way back in if you lose your phone. Each code works once, so cross off codes as you use them and generate a new set when you run low.

  • Download them (GitHub gives you a text file)
  • Save them somewhere safe: a password manager, a printed sheet in a locked drawer, or your authenticator app’s recovery vault if it has one
  • Do not skip this. If you lose your phone and have no recovery codes, getting back in means GitHub’s account recovery process, which requires identity verification, takes days at best, and may not succeed at all.

Click “I have saved my recovery codes” to continue.

6. Done

GitHub will confirm 2FA is active. From now on, signing in on a new device requires your password plus a code from your authenticator app.
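To make concrete what the QR code and setup key in steps 2 to 4 actually carry, and why the app can keep generating codes offline, here is an added example (not code from GitHub or from FactorCat) that parses an otpauth://totp URI of the kind the QR code encodes, derives the 6-digit code per RFC 6238, and checks a submitted code the way a site would, with a small clock-skew window and a constant-time comparison. The URI, the label "GitHub:octocat" and the secret are constructed for the example; the secret is the RFC 6238 test key, so the codes it produces match the RFC's published vectors.

```python
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import parse_qs, unquote, urlparse

# Constructed example of what an authenticator QR code encodes. A real GitHub
# QR code carries your account's own secret; this one is the RFC 6238 test key.
EXAMPLE_URI = (
    "otpauth://totp/GitHub:octocat"
    "?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=GitHub"
)


def decode_secret(setup_key):
    """Decode a base32 setup key as shown on screen: grouped with spaces,
    sometimes lowercase, and usually without '=' padding."""
    key = setup_key.replace(" ", "").upper()
    key += "=" * (-len(key) % 8)
    return base64.b32decode(key)


def parse_otpauth(uri):
    """Parse an otpauth://totp URI into the parameters an authenticator stores."""
    u = urlparse(uri)
    if u.scheme != "otpauth" or u.netloc != "totp":
        raise ValueError("not an otpauth://totp URI")
    query = {k: v[0] for k, v in parse_qs(u.query).items()}
    label = unquote(u.path.lstrip("/"))
    # Issuer may be given as a parameter or as the "Issuer:" prefix of the label.
    issuer = query.get("issuer") or (label.split(":", 1)[0] if ":" in label else "")
    return {
        "label": label,
        "issuer": issuer,
        "secret": decode_secret(query["secret"]),
        "digits": int(query.get("digits", 6)),
        "period": int(query.get("period", 30)),
        "algorithm": query.get("algorithm", "SHA1").upper(),
    }


def hotp(secret, counter, digits=6, algorithm="SHA1"):
    """RFC 4226: HMAC over the big-endian counter, dynamic truncation, mod 10^digits."""
    digest = getattr(hashlib, algorithm.lower())
    mac = hmac.new(secret, struct.pack(">Q", counter), digest).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(params, at=None):
    """RFC 6238: HOTP with the counter set to the current 30-second time step.
    Nothing here touches the network, which is why the app works offline."""
    at = time.time() if at is None else at
    counter = int(at) // params["period"]
    return hotp(params["secret"], counter, params["digits"], params["algorithm"])


def verify(params, submitted, at=None, window=1):
    """What the site does with the code you type: accept the current step and
    +/- `window` neighbouring steps to tolerate clock skew, comparing in
    constant time so a wrong guess does not leak how many digits matched."""
    at = time.time() if at is None else at
    counter = int(at) // params["period"]
    for step in range(counter - window, counter + window + 1):
        expected = hotp(params["secret"], step, params["digits"], params["algorithm"])
        if hmac.compare_digest(expected, submitted):
            return True
    return False


if __name__ == "__main__":
    params = parse_otpauth(EXAMPLE_URI)
    print(params["issuer"], params["label"], totp(params))
```

Run it and you get a code that changes every 30 seconds; feed the same secret into any TOTP app and the two agree as long as both clocks are right. In a real deployment the site would also record the last time step it accepted for this user so a captured code cannot be replayed within the window.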

Using 2FA Day-to-Day on GitHub

Browser Sign-In

When you sign in to GitHub on a new device, you’ll be prompted for a 2FA code after entering your password. Open your authenticator app, enter the current code, and you’re in.

If you use an authenticator with browser auto-fill (like FactorCat with the browser extension), the code fills in automatically — no app switching needed.

Git Command Line and SSH

2FA does not affect SSH-based git operations: your SSH key already authenticates you, so nothing changes if you push and pull over SSH.

For HTTPS-based git operations, use a personal access token (PAT) in place of a password. GitHub no longer accepts account passwords for git over HTTPS at all, 2FA or not. Generate one at github.com/settings/tokens, give it only the scopes (or, for a fine-grained token, only the repositories and permissions) the job needs, and store it in a credential helper rather than in a remote URL or your shell history.

GitHub CLI (gh)

The GitHub CLI authenticates through the OAuth device flow or a PAT. During `gh auth login` you complete sign-in in the browser once, including the 2FA prompt; after that gh uses its stored token and never asks for a code.

GitHub Mobile

If you’re signed into the GitHub mobile app, it can also serve as a 2FA method via push notifications. This is separate from your TOTP authenticator app and serves as an additional option, not a replacement.

Managing Multiple GitHub Accounts

If you have separate personal and work GitHub accounts, add both to your authenticator app. Most authenticator apps let you label tokens, so name them clearly: “GitHub (personal)” and “GitHub (work).”

In FactorCat, domain matching handles this automatically — the extension detects which GitHub account you’re signing into and presents the right token.

Tips

  • Enable vigilant mode. In GitHub Settings → SSH and GPG keys, enable “Flag unsigned commits as unverified.” Commits attributed to your email but not signed with a key on your account are then marked “Unverified,” so a commit someone forges under your name stands out. Sign your own commits, or they will be flagged too.
  • Review your SSH keys and tokens. Periodically check github.com/settings/keys and github.com/settings/tokens for keys or tokens you don’t recognize, and delete them.
  • Check active sessions. Visit github.com/settings/sessions to see where you’re signed in and revoke any you don’t recognize.

Next Steps

Your code is protected. What’s next?

Managing 20+ TOTP tokens across services? FactorCat pairs your phone with a browser extension — when GitHub asks for a code, your phone gets a push, you tap approve, and the code fills in automatically. No switching apps, no copying digits.
