Update 2FA for Organization - not clear what to do.

[gnperdue]

Select Topic Area

Question

Body

Hi, I have a message on my GitHub home page - "Update your 2FA to see activity within the organization". If I follow the link I see that, sure enough, I have 2FA configured (authenticator app) and it is not clear at all what I need to actually do in order to satisfy the message. How do I find out? As far as I can tell, I have 2FA configured using an authenticator app (not SMS).

[irfan-sec]

Hello @gnperdue How you doing today! I bring some help for you please go through of it.

If you see the message "Update your 2FA to see activity within the organization" on your GitHub home page, but you already have two-factor authentication (2FA) configured with an authenticator app, here are a few things to check:

Verify Your 2FA Status:
Go to Settings > Password and authentication and confirm that 2FA is enabled and active. Sometimes, you may need to re-authenticate or complete a 2FA checkup if you've recently enabled or changed your 2FA method.

Check for Multiple 2FA Methods:
GitHub recommends setting up multiple 2FA methods (such as a security key in addition to your authenticator app) to avoid being locked out. If your organization requires a specific method (like a security key or GitHub Mobile), make sure you have set up that method as well. You can add or review your 2FA methods in your 2FA settings.

Complete the 2FA Checkup Period:
After enabling 2FA, your account may enter a 28-day checkup period. You must successfully perform 2FA within this window, or you will be prompted to reconfigure your 2FA settings to retain access. If you are in this period, follow any prompts to verify your 2FA is working [Configuring two-factor authentication].

Organization Requirements:
Your organization may require 2FA for all members. If your 2FA isn't recognized or active, you might temporarily lose access to organization resources. Ensure your 2FA method matches your organization's requirements [About two-factor authentication].

Reconfigure If Needed:
You can reconfigure your 2FA method without disabling it, which may resolve the warning without losing organization access. See Changing your two-factor authentication method.

If you continue to see the message after confirming all the above, try logging out and back in, or contact your organization's administrator for further guidance. For more details, see the official documentation:

Configuring two-factor authentication
About two-factor authentication

[Wealthometer]

What to check

Here are likely reasons the message still appears even though you’ve enabled a TOTP/authenticator app:

Method not “secure enough” by org policy
The organization may require “secure 2FA methods” (i.e. not SMS, maybe requiring security keys, passkeys, or “authenticator apps + hardware” etc.). If your current 2FA setup is considered “insecure” by the org (e.g. only SMS, or maybe no backup method), it doesn’t count.

Missing backup / recovery options
Sometimes having multiple 2FA methods (e.g. authenticator app plus security key or passkey) or saved recovery codes is required. Without backups, even good TOTP may not satisfy policy. (GitHub docs encourage adding more than one method & recovery codes)

Your account isn’t fully recognized as meeting the compliance yet
Maybe your 2FA was enabled recently, and there’s a “check up” / grace / propagation period, during which GitHub is verifying everything. It could also be a sync or policy update delay.

You’re using a method that the org disallows
If the org has said “no SMS” or “must have hardware key / passkey / security key,” and you’re using app-only, that could be flagged. Or if your app isn’t one GitHub considers acceptable for “secure methods”.

You don’t have recovery codes saved
If you never downloaded or stored your recovery codes, that might also be considered non-compliant by some stricter org rules. (Because if your device gets lost you’d be locked out.)

Steps to make it go away (i.e. meet org policy)

Here’s what you can do to satisfy that message:

Go to Settings → Password and authentication on GitHub (in your account).

Under Two-factor authentication:

Verify you have a TOTP app set up and working.

Add another 2FA method if possible (security key, passkey, GitHub mobile app, etc.).

Download & safely store your recovery codes.

Check which 2FA methods your org requires. If you’re an org member, go to the organization → People → see what “Two-factor authentication” status you have (secure/insecure/disabled).
GitHub Docs

If your method is insecure or missing something, switch to a “secure method,” or add one. For example, add a hardware key or passkey.

Once all that is set, give GitHub a bit of time to update/compliance verify; the notification might clear after their system confirms your account meets the org’s policy.

[github-actions[bot]]

🕒 Discussion Activity Reminder 🕒

This Discussion has been labeled as dormant by an automated system for having no activity in the last 60 days. Please consider one the following actions:

1️⃣ Close as Out of Date: If the topic is no longer relevant, close the Discussion as out of date at the bottom of the page.

2️⃣ Provide More Information: Share additional details or context — or let the community know if you've found a solution on your own.

3️⃣ Mark a Reply as Answer: If your question has been answered by a reply, mark the most helpful reply as the solution.

Note: This dormant notification will only apply to Discussions with the Question label. To learn more, see our recent announcement.

Thank you for helping bring this Discussion to a resolution! 💬