Erroneous GitHub warning messages about Multi-Factor Authentication

[cosmic-linden]

Select Topic Area

Bug

Body

GitHub has begun showing me a yellow warning message which says:

Please configure another 2FA method to reduce your risk of permanent account lockout. We strongly recommend against SMS as it is prone to fraud and delivery may be unreliable depending on your region.

In addition, I see the following warning message in the Password and authentication tab:

Please configure another 2FA method to reduce your risk of permanent account lockout. We strongly recommend against SMS as it is prone to fraud and delivery may be unreliable depending on your region.

Contrary to the above messages, I do not have SMS-based authentication enabled for my account, let alone as the sole second-factor authentication method. First, SMS-based authentication is disabled. Second, I have code-based MFA enabled, which is a widely-supported open standard, as well as the security codes provided by GitHub.

Taken together, this security message is misleading, and may lead to some users becoming confused and inadvertently weakening their security practices. It is also possible that there could be a bug here, causing the message to not be shown to users who have SMS-based authentication enabled.

[SampsonCrowley]

This message is really pissing me off. I should not have to constantly see a misleading warning about not having enough 2FA methods. I have ONE and I only want ONE. I do NOT want there to ever be ANY other method that a hacker can use to bypass my 2FA. there is ZERO chance that I will lose access to my authenticator keys. and if I did I'd also have to have permanently lost access to my bitwarden password manager which at that point, GitHub is the least of my worries for the things that I will never be able to access again.

GitHub: Don't tell me I need to lessen my security. I chose a method, and only that method, fully aware of the implications involved if I were to ever be stupid enough to lose those values.

[SampsonCrowley]

At least make the message go away forever when I dismiss it...

[davevad93]

Hi @cosmic-linden ,

Yes, the warning statement can be misleading because it actually refers that you should have more than one 2FA method enabled and avoid SMS authentication. The warning goes away if you add another 2FA method (even SMS), I've tested it yesterday.

See this discussion #129189

[poshcodebear]

But this makes no sense if I've configured recovery codes already, which is in effect an additional (one-time-use, break-glass) 2FA method keeping me from getting locked out of my account

[prahladyeri]

@poshcodebear The recovery codes don't count as "Preferred 2FA method" which you must set in the settings.
They basically want you to use an Authenticator app such as Google Authenticator or Twilio Authy to generate a TOTP. The SMS way is becoming obsolete and less trusted it seems.

[mark-henry01]

Three-factor authentication? It is getting ridiculous.

Surely this must be a bug in the notification system, given two-factor authentication is already enabled by usage of Authenticator app (and not SMS) .

[prahladyeri]

If you already use an Authenticator app, try to set it as "Preferred 2FA method" in your settings, that might help.

[Bob837217]

I get this message as well. Annoys the hell out of me. I see in my settings that there are two "Add" buttons present. One for SMS (ooh SMS bad though) and one for "Github Mobile". Is this a subtle way of steering users into adding "Github Mobile"? Because I don't want to do that. And as others have stated - their existing configurations and downloaded break glass codes will ensure no lockout event happens. Is this the obligatory "enshitification phase" of Github, post MS buyout?

[deloz]

So what do I need to do?

[Bob837217]

Nothing at all. Looks like a "scare-o-gram" to get you to sign up additionally to GitHub Mobile. Just ignore it.