Posted on

What You Need To Know Before Using GitHub Two Factor Authentication


Is your company using Two Factor Authentication for Github and you’re required to use it for your account? Or you just like security and find it more secure to add Two Factor Authentication to your Github account? Here’s few things that you need to know before using it

Why

I added Two Factor Authentication to my Github because of the company requirements that I’m working for. So I set it up using Google Authenticator Android app. You scan a barcode from Authenticator app which adds this Github account. Then you get prompted with 16 recovery codes that you can use in case your phone is lost, broken or you can’t access it in any other way

They have Download, Print buttons or you can just copy/paste it somewhere. But they are NOT actually being sent to your email. So if you just click next, next, next and ignore those codes – you’re halfway fucked

Fortunately, I saved them

How it works is when logging in to Github you enter email, password and then a code from Google Authenticator app

Problem With Authenticator app

Authenticator app is really convenient. But the problem here is it’s not reliable. The problems started when my Nexus 6p got into a bootloop and I started to factory reset, fix it myself multiple times, attempting to fix it

This removed Authenticator app and unfortunately it’s not synced with Google account, so you can’t just log in with Google to Authenticator app and get your accounts back. It’s considered a new device. There is some way probably to add new device to your scanned accounts

Recovery codes

So your phone is broken, lost or you sold it, everything will still be working, but 6 months later you get a new computer or reinstall your OS or just clear browser cache. Now out of nowhere you get asked to enter Two Factor Authentication and your Authenticator app doesn’t have Github account in it

At this point you’d better have those recovery codes save somewhere and easy to access

I did, but there’s something really weird with them. Github customer service is really great, they told me those codes are single use only, so each time you’ll have to use another one. But many of them didn’t work for me even before I started using them.

And now I don’t know – should you get new recovery codes after using one or they remain same?

Either way, if none of them work – it’s kind of the moment when you can start panicking

In the last few months, I had several changes: my 6p got broken, I changed HDD to SSD with reinstalling OS so I was asked to enter Two Factor Authentication codes several times. In many cases Github wasn’t on my Authenticator app, so I had to use recovery codes

After about 3rd time of using recovery codes (this experience is kind of stressful because many of them don’t work at that point)
I realized I needed to add some other fallbacks. So luckily I added Facebook recovery token

Fallbacks

Few months went by and I cleared my browser cache. Surprise – Two Factor Authentication required and my phone is still broken, none of the recovery codes work. Fortunately, there’s a Facebook token that you can still use. Follow the instructions from here if you’re in this situation

After you used Facebook token – you won’t get logged in, but Github guys will get some message. Contact them and confirm that you want to remove Two Factor Authentication from your account

After few hours you’ll get able to login with just email and password

Add As Many Fallbacks As Can

At this point I realized that it’s really bad to rely on just one Authenticator app, so my advice – add SMS, Facebook, keeps those recovery codes in easy access

If you still can’t log in – they told me you will have to create a new account, it’s not like they can send you recovery codes to your email like when you forget a password. This Two Factor Authentication is a really serious thing. I can’t stress it enough, it really pissed me off several times

I probably should’ve gone with SMS verification at the first place, but once again, you can easily change your phone number any time

So just don’t rely on one option. This is NOT like with forgetting a password

And don’t forget to subscribe, follow me on Twitter, Facebook, G+ to get notified about the latest posts!