Multi-factor authentication defaults to mobile app #18753
Replies: 5 comments 1 reply
Hey @effleurager, thanks for your feedback here. I hear your frustration about how multi-factor authentication defaults to GitHub Mobile when you have other factors enabled like TOTP. I've shared your notes with our team on an internal tracking issue about giving users more control over GitHub Mobile as an authentication method and prioritizing other multi-factor methods over GitHub Mobile without relying on stored cookies. We'll look to improve on the current implementation to give users more control here. In the meantime, if you've uninstalled GitHub Mobile, revoking the GitHub Mobile OAuth apps will remove them as a multi-factor method when logging in. You can revoke either app here: Thanks for helping us improve the security experience here at GitHub!
I'm another user who had to uninstall the mobile app because it becomes the default 2FA method. From a product/experience standpoint, if someone has configured TOTP for 2FA, why would you change their settings when they install an app? That my settings changed without my consent came as quite a surprise to me, and an even bigger surprise when I discovered there was no way to override the default. Felt like a rare product stumble to me.
Update: I revoked the GitHub Mobile OAuth apps using the link above and I'm still getting mobile 2FA as the default. I also tried reinstalling the mobile app, signing out, and then removing the app. Still getting the mobile 2FA as the default.
This is pretty half-baked and annoying UX.
Thanks for your feedback, y'all! Today, we've shipped a new feature that allows for setting a preferred option for two-factor authentication. This will allow you to set other two-factor authentication methods to be used before another option. Go to Settings > Password and Authentication on GitHub.com in your browser to set a different preferred two-factor option. Additionally, GitHub Mobile sessions can be revoked within Settings as well:
As it stands, there is no mechanism to prevent using GitHub's mobile app as the default additional authentication factor when signing in to browsers with no stored cookies.
This breaks existing login flows for users of password managers since they can no longer use TOTP generators automatically. This is also a problem for users who have uninstalled the app but still get prompted for the app authentication.
Why is there no method to remove authentication factors?