Erroneous GitHub warning messages about Multi-Factor Authentication #129244
-
Topic area: Bug

GitHub has begun showing me a yellow warning message which says:
In addition, I see the following warning message in the Password and authentication tab:
Contrary to the above messages, I do not have SMS-based authentication enabled for my account, let alone as the sole second-factor authentication method. First, SMS-based authentication is disabled. Second, I have code-based MFA enabled, which is a widely supported open standard, as well as the security codes provided by GitHub. Taken together, this security message is misleading, and may lead to some users becoming confused and inadvertently weakening their security practices. It is also possible that there could be a bug here, causing the message to not be shown to users who have SMS-based authentication enabled.
Replies: 12 comments 28 replies
-
This message is really pissing me off. I should not have to constantly see a misleading warning about not having enough 2FA methods. I have ONE and I only want ONE. I do NOT want there to ever be ANY other method that a hacker can use to bypass my 2FA. There is ZERO chance that I will lose access to my authenticator keys, and if I did, I'd also have to have permanently lost access to my Bitwarden password manager, at which point GitHub is the least of my worries among the things that I will never be able to access again. GitHub: don't tell me I need to lessen my security. I chose a method, and only that method, fully aware of the implications involved if I were to ever be stupid enough to lose those values.
-
Hi @cosmic-linden, yes, the warning statement can be misleading because it actually means that you should have more than one 2FA method enabled and avoid SMS authentication. The warning goes away if you add another 2FA method (even SMS); I tested it yesterday. See this discussion: #129189
-
Three-factor authentication? It is getting ridiculous. Surely this must be a bug in the notification system, given two-factor authentication is already enabled by use of an authenticator app (and not SMS).
-
So what do I need to do?
-
This message shows more often on GitHub to people who have 2FA already set up than the Jimmy Wales donate message on Wikipedia. That says a lot.
-
How can I remove this warning, permanently? It's junk. I use an auth app, I am not configuring SMS, and the other two options aren't viable for a sane person. So I have my backup codes as the second. This warning should not be shown, and it is irresponsible to show it.
-
FIDO key
-
I love that it says "permanent account lockout" without any deadline and says "reduce your risk" as if MS is going to roll a die to decide which dev is going to be locked out for no reason.
-
Thanks for all your feedback, folks, and apologies for the confusion and inconvenience caused. As a quick update to our recently shipped security checkup experience, we have now rolled out a patch to restrict the new security check banners from being shown to users who already have a more secure 2FA method configured, e.g. users who have configured an authenticator app. This means that, starting today, we only prompt users who have configured SMS as their only 2FA method to review and update their settings, since they need to have more than one 2FA method with a more secure option like an authenticator app. We hope that this change will help us influence more developers who contribute code on GitHub.com to enable one or more forms of secure two-factor authentication (2FA).
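The banner logic as described across this thread, written out as an added example (this is illustrative code, not GitHub's own implementation; the method names and strength ranks are assumptions, since GitHub's internal identifiers are not public). It puts the pre-patch rule (warn whenever fewer than two methods are configured, which an extra SMS method silences) beside the patched rule (warn only when SMS is the sole second factor), and adds a weakest-link score to show why counting methods is the wrong signal: adding SMS to a TOTP-only account removes the old banner but lowers the account's effective strength.

```python
# Added example, not GitHub's code. Method identifiers and strength ranks are
# assumptions for illustration only.

# Login-time second factors ranked by how hard they are for an attacker to
# defeat (SMS is interceptable via SIM swap/SS7; TOTP/app are phishable;
# security keys and passkeys are origin-bound). Ranks are assumed values.
STRENGTH = {
    "sms": 1,
    "totp": 2,
    "github_mobile": 2,
    "security_key": 3,
    "passkey": 3,
}

# Recovery codes regain access after losing a device; they are not presented
# at login as a second factor, so they are not counted as a 2FA method here.
LOGIN_FACTORS = set(STRENGTH)


def banner_before_patch(methods):
    """Behaviour reported in the thread before the fix: warn whenever fewer
    than two login-time methods are enabled, regardless of their strength."""
    return len(set(methods) & LOGIN_FACTORS) < 2


def banner_after_patch(methods):
    """Behaviour described in GitHub's reply: warn only when SMS is the sole
    second factor. A single strong method no longer triggers the banner."""
    return set(methods) & LOGIN_FACTORS == {"sms"}


def effective_strength(methods):
    """An attacker who can defeat any one enabled factor gets in, so the
    account's login-time strength is that of its weakest enabled method.
    Returns 0 when no login-time second factor is enabled."""
    ranks = [STRENGTH[m] for m in methods if m in STRENGTH]
    return min(ranks) if ranks else 0


def compare(configs):
    """Map each account config to (old banner, new banner, effective strength)."""
    return {
        name: (banner_before_patch(m), banner_after_patch(m), effective_strength(m))
        for name, m in configs.items()
    }


# Constructed sample accounts (not real data).
SAMPLE_ACCOUNTS = {
    "totp_only": {"totp", "recovery_codes"},
    "sms_only": {"sms", "recovery_codes"},
    "sms_plus_totp": {"sms", "totp"},            # silences the old banner, weaker than totp_only
    "security_key_only": {"security_key"},
    "key_plus_totp": {"security_key", "totp"},
}

if __name__ == "__main__":
    print(f"{'account':20} {'old banner':>10} {'new banner':>10} {'strength':>8}")
    for name, (old, new, strength) in compare(SAMPLE_ACCOUNTS).items():
        print(f"{name:20} {str(old):>10} {str(new):>10} {strength:>8}")
```

The table makes the thread's complaint concrete: `totp_only` was warned under the old rule and is not under the new one, while `sms_plus_totp` was never warned yet scores lower, because the SMS path is now an additional way past the second factor.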
-
Here's how you can guide them without a formal greeting:

Steps to Resolve the Erroneous MFA Warning:

Following these steps should help you figure out if the warning is a bug or just a display issue. If needed, reporting it directly to GitHub should lead to a resolution.