How to Use a FIDO Key with GitHub

Apr 13th 2020

Configuring two-factor authentication using a security key

After you configure 2FA using a mobile app or via text message, you can add a security key, like a fingerprint reader or Windows Hello. For more information, see "WebAuthn".

Authentication with a security key is secondary to authentication with a TOTP application or a text message. If you lose your hardware key, you'll still be able to use your phone's code to sign in.

WebAuthn (formerly known as U2F) currently works on all modern browsers, except Safari. For more information on supported browsers, see "Can I Use."

If you're authenticating to GitHub on an Android phone, you can sign in to your account with your fingerprint, or with your security key together with Google Authenticator over Near Field Communication (NFC).

  1. You must have already configured 2FA via a TOTP mobile app or via SMS.
  2. Ensure that you have a WebAuthn-compatible security key inserted into your computer.
  3. In the upper-right corner of any page, click your profile photo, then click Settings.

    [Image: Settings icon in the user bar]

  4. In the user settings sidebar, click Security.

    [Image: Security settings sidebar]

  5. Next to "Security keys", click Add.

    [Image: Add security keys option]

  6. Under "Security keys", click Register new security key.

    [Image: Registering a new security key]

  7. Type a nickname for the security key, then click Add.

    [Image: Providing a nickname for a security key]

  8. Activate your security key, following your security key's documentation.

    [Image: Prompt for a security key]

  9. Confirm that you've downloaded and can access your recovery codes. If you haven't already, or if you'd like to generate another set of codes, download your codes and save them in a safe place. If you lose access to your account, you can use your recovery codes to get back into your account. For more information, see "Recovering your account if you lose your 2FA credentials."

    [Image: Download recovery codes button]

  10. After you've saved your recovery codes and enabled 2FA, we recommend you sign out and back in to your account. In case of problems, such as a forgotten password or typo in your email address, you can use recovery codes to access your account and correct the problem.