How to remove me from the Force-to-use-2FA account list? #152507
-
I have built a release for a small repository of mine just for a test, which triggered Force-to-use-2FA on me. But it's not convenient to use 2FA in China. Since I've already deleted the release of that repository, is there a way to remove me from the Force-to-use-2FA list?
Replies: 6 comments 1 reply
-
I know it's not convenient but I would use the Duo APK from https://dl.duosecurity.com/DuoMobile-latest.apk. There are a few workarounds for not being able to leverage the Google Play store's APIs/Push notification but the workarounds are roughly discussed here: https://www.coloradocollege.edu/offices/its/guides/mfa-china.html.
Another alternative is Microsoft Authenticator which Microsoft describes here:
https://support.microsoft.com/zh-cn/account-billing/%E5%9C%A8%E4%B8%AD%E5%9B%BD%E4%B8%8B%E8%BD%BDmicrosoft-authenticator-ebbef05c-a429-4236-8570-1bb1900fec35#ID0EBJ=Android
Hopefully that helps.
-
I understand that the 2FA requirement is applied at the account level and may not be removed even if the release is deleted. If there is no way to opt out, I will try using an offline authenticator app like Aegis or Microsoft Authenticator. I will also contact GitHub Support to see if they can review my account.
-
Once your account has been flagged under GitHub’s Force-to-use-2FA policy, there usually isn’t a direct way to remove your account from that list manually. This requirement is part of GitHub’s broader security initiative designed to protect repositories, maintainers, and contributors from account compromise. When GitHub determines that an account has performed certain sensitive actions (for example publishing packages, creating releases, contributing to important repositories, or interacting with widely used projects), the system may automatically require two-factor authentication (2FA) for that account.

The key point is that this requirement is account-level, not repository-level. That means even if you delete the repository that originally triggered the requirement, the security flag can still remain associated with your GitHub account. Because of this, there is currently no official option in account settings to “opt out” of the mandatory 2FA requirement once it has been applied.

However, enabling 2FA does not necessarily mean you must rely on SMS verification or a specific mobile service. GitHub supports several different authentication methods that are often more convenient and secure. One of the most common alternatives is using a TOTP authenticator application, which generates time-based verification codes locally on your device. Popular examples include Microsoft Authenticator, Authy, Aegis, and FreeOTP. These apps do not require continuous internet access or Google services once they are set up, making them useful in restricted environments.

Another option is to use hardware security keys such as YubiKey or other FIDO2-compatible devices. Hardware keys provide strong security and can be used as the second authentication factor without relying on SMS or mobile networks. For many developers, this is actually the preferred method because it is both fast and resistant to phishing attacks.

GitHub also provides recovery options once 2FA is enabled. When you activate two-factor authentication, GitHub generates a set of backup recovery codes that you can store securely. These codes allow you to regain access to your account if you lose your authenticator device or hardware key. Keeping these recovery codes in a secure location is strongly recommended.

If your concern is mainly convenience during testing or experimentation, the practical solution is simply to enable one of the authenticator-based methods. The setup process usually takes only a few minutes and does not require linking your phone number. Once configured, logging in becomes a quick process where you enter your password and the current code generated by the authenticator app.

In short, the Force-to-use-2FA list is not something that can typically be removed manually, because it is part of GitHub’s platform-wide security enforcement. The best approach is to enable one of the supported 2FA methods (preferably TOTP or a hardware key), which satisfies the requirement while remaining convenient for everyday use.
-
Once an account is placed under GitHub’s mandatory 2FA requirement, there usually isn’t a way to remove it manually. This requirement is applied at the account level as part of GitHub’s security policies, often triggered when an account performs certain sensitive actions (such as publishing packages, creating releases, or contributing to widely used repositories). Even if the repository that originally triggered it is deleted, the requirement can still remain on the account. Since there’s no option to opt out once it’s applied, the practical solution is simply to enable two-factor authentication. You don’t have to rely on SMS for this. GitHub supports several alternatives that are often more reliable:
When enabling 2FA, GitHub will also provide backup recovery codes. It’s important to store these safely so you can recover your account if you lose access to your authenticator device. In short, the Force-to-use-2FA requirement generally can’t be removed manually, but enabling an authenticator app or hardware key usually takes only a few minutes and satisfies the requirement without needing SMS verification.
-
@DeveloperVaibhav1 @AakashSingh07 @Priyans17 stop sending AI generated SPAM comment plz.
-
Hi @NanaGlutamate, Thanks for pointing that out. My intention was to contribute and help with the discussion, not to spam or post low-quality replies. If any of my comments came across that way, I appreciate the feedback and will be more careful to keep them concise and relevant. I’m still learning and trying to participate constructively in the community. If there are specific guidelines you recommend for improving contributions here, I’d be happy to follow them. Thanks for the clarification.