Unable to disable SMS 2FA via the web interface

[stephengold]

Select Topic Area

Bug

Body

A project I'm in decided to require secure 2FA. My account already had 2FA configured and enabled, but only the SMS/Text message option, which is considered insecure. So I added GitHub Mobile 2FA to my account, giving me two 2FA options (SMS and Mobile). I made GitHub Mobile my preferred option.

When the project's secure 2FA requirement went into effect, I lost write access to the project because my account still had an insecure 2FA option. Other project members report a "..." button in the "SMS/Text message" section of the https://github.com/settings/security webpage. That button reportedly opens a popup menu with "Edit" and "Disable" items.

I want to disable my account's SMS 2FA, but where others see a "..." button, I see an "Edit" button with no "Disable" control:

I've read the web documentation including Changing your 2FA. At the top of the page, it clearly states, "You can change your two-factor authentication (2FA) method without disabling 2FA entirely. You can reconfigure your two-factor authentication (2FA) settings or add new 2FA methods without disabling 2FA entirely, allowing you to keep both your recovery codes and your membership in organizations that require 2FA." However, it doesn't provide step-by-step instructions to disable or remove an existing method.

Copilot is vague and unhelpful. It says to locate the SMS/Text message method and click Remove. But I don't find a "Remove" control anywhere on the relevant webpage. (See the screenshot above.)

I've tried various expedients, but I've been unsuccessful at removing/disabling the SMS 2FA method from my account. I tried two different browsers: Firefox and MS Edge. I tried clicking on the "Edit" button. I tried changing my preferred 2FA method and then changing it back to GitHub Mobile.

I suspect my GitHub account is in some weird state such that SMS 2FA is enabled but the web interface doesn't allow me to disable it. I suspect this is symptomatic of a bug in either GitHub's web interface or its back end.

I tried to open a GitHub Support ticket, but Support's virtual assistant simply diverted me back to the documentation on the website. I don't know any other official channel for obtaining support.

[github-actions[bot]]

💬 Your Product Feedback Has Been Submitted 🎉

Thank you for taking the time to share your insights with us! Your feedback is invaluable as we build a better GitHub experience for all our users.

Here's what you can expect moving forward ⏩

• Your input will be carefully reviewed and cataloged by members of our product teams. 
  • Due to the high volume of submissions, we may not always be able to provide individual responses.
  • Rest assured, your feedback will help chart our course for product improvements.
• Other users may engage with your post, sharing their own perspectives or experiences. 
• GitHub staff may reach out for further clarification or insight. 
  • We may 'Answer' your discussion if there is a current solution, workaround, or roadmap/changelog post related to the feedback.

Where to look to see what's shipping 👀

• Read the Changelog for real-time updates on the latest GitHub features, enhancements, and calls for feedback.
• Explore our Product Roadmap, which details upcoming major releases and initiatives.

What you can do in the meantime 💻

• Upvote and comment on other user feedback Discussions that resonate with you.
• Add more information at any point! Useful details include: use cases, relevant labels, desired outcomes, and any accompanying screenshots.

As a member of the GitHub community, your participation is essential. While we can't promise that every suggestion will be implemented, we want to emphasize that your feedback is instrumental in guiding our decisions and priorities.

Thank you once again for your contribution to making GitHub even better! We're grateful for your ongoing support and collaboration in shaping the future of our platform. ⭐

[stephengold]

This bug has a security impact: it's preventing me from fully securing my account, which means the projects I belong to can't require secure 2FA without cutting me out.

Is there any way I can escalate this issue?

[DanielCliftonGuardian]

I encountered this. I needed to add another form of 2fa in addition to what I already had i.e authenticator. Then it offers you the option to disable.

[stephengold]

Thanks for your reply. I'm glad you found a solution that worked for you.

As it says at the top of this discussion, "I added GitHub Mobile 2FA to my account, giving me two 2FA options (SMS and Mobile)."

Are you implying GitHub mobile doesn't count as another form of 2FA?

I'm still stuck, and I still think there's a bug here.

[danielschemmel]

For me, this issue required enabling the TOTP-based "Authenticator app" setting. All other options (github mobile, security keys, passkeys) did not suffice to disable SMS-based 2FA.

[stephengold]

Thanks for that perspective, Daniel.

Just to be clear: I'm still stuck, and I still think there's a bug here.

[DanielCliftonGuardian]

To be clear I needed to have three forms before I could disable the one. This is what worked for me.

[stephengold]

@zzuegg has reported a similar issue with the GitHub web interface.

[benjaminbalazs]

This issue is still present. Kind of ridiculous.