authentication

Passkeys are a replacement for passwords when signing in, providing higher security, ease-of-use, and loss-protection. They're now available on GitHub.com as a public beta – see this blog post for more information.

This public beta is open to all users with a password, regardless of whether you use 2FA. To get started, enable passkeys as a feature preview.

By using passkeys, you no longer need to enter a password, or even your username, when you sign in – nor do you need to perform 2FA, if you have 2FA enabled on your account. That's because passkeys validate your identity, as well as possession of a device, so they count as two authentication factors in one.

Once enrolled, you can register a brand new passkey and upgrade many security keys to a passkey. If you're enrolled in the preview, the next time you use an eligible security key you'll be asked to upgrade it.

To learn more, check out this blog post about passkeys, as well as "About passkeys" in our documentation. If you have any feedback, please drop us a note in our public discussion – we're excited for this advance in account security, and would love to understand how we can make it better for you.

During two-factor authentication and when entering sudo mode for sensitive actions on GitHub.com, TOTP codes could be successfully used multiple times within their validity window. To improve security, this reuse is no longer allowed on GitHub.com, and will be updated in GHES with version 3.10.

Systems that have attempted to script the login flow, across multiple parallel jobs, may break as a result of this change.

Learn more about two-factor authentication with TOTP.

You can now set up both SMS and an authenticator app (TOTP) for two-factor authentication on your GitHub.com account. Previously these methods were mutually exclusive, and you needed to create a "fallback" SMS registration that could be used for account recovery.

With this update, we are removing the fallback SMS option, and will migrate all fallback SMS registrations to be standard 2FA methods today. A small set of users had both a primary and fallback SMS registration on their account – they continue to have that fallback SMS registration, and will receive email about it today.

To learn more about setting up 2FA and GitHub's account recovery methods, see "Configuring 2FA" and "Configuring 2fa recovery methods"

The Primary field on two-factor authentication methods has been removed, and replaced with a Preferred option. This new option sets your preferred 2FA method for account login and use of the sudo prompt. You can choose between TOTP, SMS, security keys, or GitHub Mobile as your preferred 2FA method.

Additionally, you can now update your 2FA methods inline at https://github.com/settings/security, rather than going through the initial 2FA setup flow again.

With this change, device-specific preferences for 2FA have been removed – each login will always default to your preferred method. If you previously set a default on one of your devices, your most recent choice has been copied to your account-wide preference. Otherwise, no preference will be set, and GitHub will select from your available second factors in this order: security keys, GitHub Mobile, TOTP, and then SMS.

To learn more, see "Changing your preferred two-factor authentication method" and "Configuring two-factor authentication".

You can now unlink your email address from a two-factor enabled GitHub account in case you’re unable to sign into it or recover it. When the worst occurs, and a user is unable to find an SSH key, PAT, or a device that’s been previously signed into GitHub in order to recover their account, they may want to start fresh with a new GitHub.com account. Since accounts on GitHub are required to each have a unique email address, though, locked out users can have difficulty starting a new account using their preferred email address.

In the 2FA recovery flow, a new option is presented at the bottom of the page, which will allow a user to remove their email address from a GitHub account:

Selecting this option will send emails to each of the addresses on file for the account, each one containing a unique link. Following the link will remove the respective email address from the GitHub account, making it available again for a new account.

For more information, see Unlinking your email from a locked account.

GitHub.com users who set up two-factor authentication will see a prompt after 28 days, asking them to perform 2FA and confirm their second factor settings. This prompt helps avoid account lockout due to misconfigured authenticator applications (TOTP apps), especially those that failed to save the TOTP secret after validating it during set up.

This prompt appears in existing sessions if you haven't already performed 2FA as part of a sudo prompt or signing in on another device. If you find that you can't perform 2FA, you'll be presented with a shortcut that allows you to reset your 2FA setup.

All users that enable 2FA will be eligible for this prompt, including users required to enable it by their organization or GitHub itself.

To learn more about two-factor authentication, see "Configuring two-factor authentication".

As we prepare for next year's 2FA requirement for active contributors on GitHub, we're making improvements to our two-factor setup UI to encourage best practices and ensure new 2FA users have their authentication factors set up correctly from the start.

We now take an opinionated stance on which second factor you should set up first – you'll no longer be asked to choose between SMS or setting up an authenticator app (known as TOTP), and instead see the TOTP setup screen immediately when first setting up 2FA.

If you wish to use SMS when setting up 2FA, you can switch your authentication method via the new option at the bottom. In the future, you'll also find security keys there as an option for initial setup on supported devices and browsers.

For more information, see "Configuring two-factor authentication".