I received an email from GitHub regarding two-factor authentication, what should I do?

[arsci]

I received an email from GitHub regarding two-factor authentication. What is the impact of this change? Is there any action I need to take?

---

Tracked in ticket #110408

[arsci]

What’s changing?

Last year, GitHub announced that they would be requiring two-factor authentication (2FA) to be enabled for certain contributors, and have begun rolling out this requirement in groups starting March 2023. As this requirement is rolled out, all users in these groups will receive emails regarding the change. If you have received one or more of these emails from GitHub and you do not have two-factor authentication configured by the specified deadline, your GitHub access will be restricted.

Benefits of two-factor authentication

Two-factor authentication provides a second layer of login protection beyond just a password, enforcing a robust defense-in-depth approach to authentication. There are multiple types of two-factor authentication, most of which involve entering a unique generated code to validate a login attempt.

GitHub supports several two-factor authentication methods such as a security key, GitHub Mobile, authenticator app (TOTP) and text message, and recommends enabling at least two options. Having multiple options enabled is beneficial in the event you lose the ability to access to one of your second factors. If you lose access to all of your GitHub two-factor authentication methods, the only way to access your GitHub account is with your recovery codes (which get set up when you enable 2FA) so be sure to save these in a safe place!

How does this impact me?

If you haven’t received these emails, no action is required. If you have, then:

• If you already have two-factor authentication enabled, these emails are purely informational and a reminder not to disable two-factor authentication.
• If you do not have two-factor authentication enabled, enable it by the deadline specified in the emails, or your access to GitHub will be restricted.

What about machine users?

If you are utilizing separate GitHub user accounts as machine users with Gruntwork, don’t forget to configure two-factor authentication on those accounts to avoid any disruptions to automated deployments. We recommend enabling two-factor authentication for machine users proactively, since emails to those accounts often go unnoticed.

Note that enabling two-factor authentication for these users will not interfere with your automations, as neither the GitHub PAT nor SSH key usage require a second authentication factor. When setting up 2FA for machine users, we recommend using a shared password store for credentials and recovery codes, and/or adding multiple devices, so that access to the account isn’t restricted to a single team member.

Still have questions?

For additional information on how GitHub plans to roll this change out, please refer to the official GitHub blog post announcement. If you have any questions or concerns, please email [email protected] or reach out to our Community Slack Workspace.