2FA not required?

[mimoihong]

Select Topic Area

Question

Body

Hi, last year GitHub enforced the 2FA policy and even users who didn't have it turned on before, like me, were required to enable it.
Now I just discovered that my friend, who have also uploaded several repositories already, doesn't require 2FA to log in and still uses the email verification. How is this possible?

[Dhreetiman]

It's possible that your friend hasn't been required to enable 2FA on GitHub yet because the platform rolls out mandatory 2FA requirements in phases, meaning not every user is forced to enable it at the same time. Here are a few reasons why your friend might not be seeing the 2FA requirement:

• Phased Rollout:

GitHub typically implements new security features like mandatory 2FA gradually to different user groups. If your friend hasn't been included in the group that needs to enable 2FA yet, they might still be able to log in with just their password and email.

• Account Activity Level:

GitHub might prioritize requiring 2FA for users with high activity levels, like frequent code contributions or access to sensitive repositories. If your friend has a less active account, they might not be flagged as needing 2FA yet.

• Organization Membership:

If your friend is part of an organization on GitHub, the organization administrator might have different 2FA requirements set for their members, which could allow your friend to bypass the mandatory 2FA for individual accounts.
What your friend should do:

• Check their settings:

Even if they aren't currently required to use 2FA, your friend should still go to their GitHub settings and enable it proactively to enhance their account security.

• Watch for notifications:

GitHub will typically send notifications to users when they are required to set up 2FA, so your friend should keep an eye out for any such emails or banners on the platform.

[f5vmr]

Please examine the 2FA QR Code. In the last few days I have been able to access my account as the QRCode was providing incorrect numbers. You have kindly allowed me further access since where the QRCode and its 2FA genration has entirely different numbers. If anyone else is suffering from EvilSophieTheKing, then I fear that Github has suffered a QRCode Hack.

[tomekczm]

For anyone with the same issue - you scanned the example code on https://docs.github.com/en/authentication/securing-your-account-with-two-factor-authentication-2fa/configuring-two-factor-authentication