Mandatory Github 2FA before May 2 2026

[mik284]

🏷️ Discussion Type

Question

💬 Feature/Topic Area

Security and Privacy

Body

Hi @everyone,

Now that GitHub will require 2FA before May 2, 2026.

I have a problem with this. I am from Kenya and SMS verification is not supported for the 2FA. The other option is using an authenticator app by scanning a QR code.

But what if someone doesn’t have a smartphone?

Not everyone can install apps like Google Authenticator. Some people only have basic phones or use shared devices.

So I am wondering:

Is there any other way to enable 2FA without a smartphone?
Can we use something else instead?
What should people in this situation do?

I feel like this might lock some of us out of our accounts.

Any help or advice would be appreciated.

Thanks.

[asaddevx]

Hi @mik284, this is a completely valid concern, and you're not alone — many developers in Kenya and other unsupported countries face the same issue.

The good news is that you have several options that don't require a smartphone. Here's a complete guide:

---

Option 1: Desktop Authenticator Apps (No Smartphone Needed)

You can install a TOTP authenticator app directly on your computer. These work exactly like Google Authenticator but run on Windows, Mac, or Linux:

App	Platform	Notes
Authy Desktop	Windows, Mac, Linux	Syncs across devices, has backup
WinAuth	Windows only	Lightweight, portable
Authenticator.cc	Browser-based	Works in any browser
KeePassXC	Windows, Mac, Linux	Password manager with built-in TOTP

How to set up:

1. Install the app on your computer
2. In GitHub Settings → Password and authentication → Set up authenticator app
3. Scan the QR code using your computer's screen (or enter the secret key manually)
4. Enter the 6-digit code from the app

---

Option 2: Hardware Security Key (Most Secure)

A physical security key like a YubiKey is a small USB device that generates codes without any phone or computer app [citation:2].

How it works:

• Plug the key into your USB port
• Touch the button when GitHub asks for 2FA
• No battery, no app, no smartphone needed

Where to buy (ships to Kenya):

• YubiKey 5 Series (~$45-55) — Official site or Amazon
• SoloKey (~$35) — Open source alternative [citation:6]
• OnlyKey — Also supports TOTP codes [citation:9]

These are phishing-resistant and work offline — many developers consider them the gold standard for 2FA [citation:2].

---

Option 3: Backup Codes (Free, No Device Needed)

When you set up 2FA, GitHub gives you 16 one-time backup codes [citation:3]. These work without any app or phone.

What to do:

1. Enable 2FA using a temporary method (borrow a friend's phone or use a desktop app once)
2. Download and save your recovery codes immediately [citation:7]
3. Print them out or save them in a secure place (password manager, encrypted USB drive)
4. Use these codes to log in if you lose access to your main method

Important: Each code works only once, but you can generate new codes anytime [citation:3].

---

Summary Table

Method	Cost	Smartphone Needed?	Security Level
Desktop Authenticator App	Free	❌ No	Good
Hardware Security Key (YubiKey)	~$45-55	❌ No	Excellent
Backup Codes	Free	❌ No	Good (one-time use)

---

My Recommendation for You

Since you're in Kenya and don't have a smartphone:

1. Short-term: Use Authy Desktop (free, works immediately)
2. Long-term: Buy a YubiKey if you can afford it — it works offline and can't be hacked remotely
3. Always: Save your backup codes somewhere safe (printed or encrypted)

---

Important: Save Backup Codes First!

Whatever method you choose, save your recovery codes during setup [citation:10]. Write them down on paper and keep them somewhere safe. If you ever lose access to your authenticator, these codes are the only way back into your account.

---

You won't be locked out — there are always alternatives!

[sanath-kumar-s]

Probably I don't think you actually need a smartphone for GitHub 2FA

GitHub’s two-factor authentication is based on TOTP (Time-based One-Time Passwords), which isn’t limited to mobile apps. You can generate these codes on a regular computer as well.

Here are a few workable options:

1. Desktop authenticator apps

You can install an authenticator directly on your PC (for example, WinAuth, Authy Desktop, or password managers like 1Password).
During GitHub’s 2FA setup, instead of scanning the QR code, click “enter setup key manually” and paste that key into the desktop app.

2. Browser extensions

There are browser extensions that generate TOTP codes inside Chrome/Firefox. These work similarly to mobile authenticators and don’t require any phone.

3. Hardware security keys (FIDO2)

If you prefer a physical device, you can use a USB security key such as a YubiKey. You just plug it in when logging in and tap it to confirm. This is usually the most secure option.

4. Generating codes via Python (advanced)

If you’re comfortable with scripting, you can generate TOTP codes using Python and the pyotp library. This works using the same setup key GitHub provides during configuration.

5. Always save your recovery codes

When enabling 2FA, GitHub gives you recovery codes. Store them safely—these let you log in even if you lose access to your authenticator.

[queenofcorgis]

Hey there! We know 2FA may be a new process for some folks and with that comes questions. We put together a FAQ that will help answer your concerns above. If you still have more questions, feel free to ask them here.

[itxashancode]

Enabling GitHub 2FA without a smartphone

GitHub’s upcoming requirement (effective May 2 2026) means every account must have a second factor. If you can’t use SMS or a mobile authenticator app, you still have several reliable options that work from a basic computer or with a low‑cost hardware token.

---

1. Use a desktop‑based TOTP authenticator

A Time‑Based One‑Time Password (TOTP) app does not need a smartphone; many run on Windows, macOS, or Linux.

Tool	Platform	How to get it
WinAuth	Windows	https://winauth.sourceforge.io/
Authy Desktop	Windows/macOS/Linux	https://authy.com/download/
KeePassXC (with TOTP plugin)	Windows/macOS/Linux	https://keepassxc.org/
OATH Toolkit (command line)	Linux/macOS/WSL	sudo apt install oath-toolkit (Debian/Ubuntu)

Setup steps

1. Generate the secret key – GitHub shows a QR code when you choose “Set up using an app”.
   • If you can’t scan the QR code, click “Enter this secret key manually” and copy the 16‑character base‑32 string.
2. Enter the secret into your desktop TOTP app
   • WinAuth: Add → “Time-based” → paste the secret → OK.
   • Authy Desktop: + → “Enter key manually” → paste → Save.
   • KeePassXC: Entries → New Entry → TOTP tab → paste secret → OK.
   • OATH Toolkit: oathtool --totp -b <secret> generates the code.
3. GitHub verification – Enter the 6‑digit code shown by the app into GitHub’s prompt and click Enable.
4. Save backup codes – GitHub will display a set of one‑time recovery codes. Download or print them and store them safely (e.g., in a locked drawer or encrypted USB stick).

Reference – Configuring two‑factor authentication via an authenticator app

---

2. Register a hardware security key (U2F/WebAuthn)

A FIDO2/U2F security key (YubiKey, Google Titan, SoloKeys, etc.) works via USB, NFC, or Bluetooth and needs no phone.

How to add a key

1. Plug the key into a USB port (or tap it via NFC).
2. Go to GitHub → Settings → Security → Security keys → Add security key.
3. Follow the browser prompt; you’ll usually just touch the key’s metal disc or button.
4. Give the key a recognizable name (e.g., “YubiKey‑Kenya”).

You can register multiple keys; keep one as a backup in a safe place.

Reference – Configuring two‑factor authentication via a security key

---

3. Rely on backup codes for recovery

If you lose access to your TOTP app or security key, the backup codes let you log in once each.

• Store them offline (paper printout, encrypted USB stick, or a password‑manager entry protected by a strong master password).
• Treat each code like a password: never share it, and regenerate a new set after you use one (Settings → Security → Two‑factor authentication → Regenerate backup codes).

Reference – Recovering your account if you lose your 2FA credentials

---

4. Test your setup

After enabling 2FA, verify that you can still authenticate:

# Using SSH (if you have an SSH key set up)
ssh -T git@github.com
# You should see: Hi <username>! You've successfully authenticated...

# Using GitHub CLI (requires gh >= 2.0)
gh auth login   # choose "Login with a web browser" → complete 2FA prompt

If either command succeeds, your 2FA method is working.

---

5. What to do if you truly have no device at all

• Borrow a trusted computer (library, internet café, friend’s PC) just long enough to register a security key or save backup codes.
• Once the key is registered, you can use it on any computer that has a USB port—no further software installation is required.
• Keep the backup codes in a physically secure location; they are your fallback if the key is ever lost or damaged.

---

Quick checklist

• Install a desktop TOTP app or obtain a FIDO2/U2F security key.
• In GitHub Settings → Security → Enable 2FA → choose “Set up using an app” (TOTP) or “Add security key”.
• Scan the QR code or manually enter the secret key.
• Enter the generated 6‑digit code (or tap the key) to confirm.
• Download and store backup codes offline.
• Test login with SSH or gh auth login.
• Store a second security key or extra backup codes in a safe place as a contingency.

By using a desktop TOTP program or a hardware security key, you can satisfy GitHub’s 2FA mandate without needing a smartphone or SMS capability. These methods are officially supported, widely tested, and provide the same level of protection as mobile‑based authenticators.

---

Further reading

• About two‑factor authentication
• Configuring 2FA via an authenticator app
• Configuring 2FA via a security key

Feel free to ask if you need clarification on any of the steps!

[mik284]

used the desktop‑based TOTP authenticator by installing oath-tool on my Linux(fedora), and it worked