How to remove authenticator app

[jheidbrink]

I configured a TOTP authenticator app. Later i also configured a security key which was automatically selected as the preferred 2FA method. Now i want to remove the TOTP authenticator so that it no longer shows up as configured, and so that I cannot accidentally select it as preferred method. I want to remove the corresponding secret from my app then. However in the Web GUI I don't find an option to remove the configured authenticator app.

[iamreiyn]

Hello, @jheidbrink

Unfortunately, as of now, there is no way to remove TOTP (Authenticator app) directly. However, you can remove it by signing up for the 2FA again using the SMS/Text message method.

So, you must either have the Authenticator app or SMS/Text method configured. This way you can reconfigure to make your security key as the preferred method and also have the Authenticator app removed.

And in order to do that:

1. Open your GitHub Settings

2. Navigate to Password and authentication

3. Click on the Enabled button next to "Two factor authentication" (it will disable 2FA)

After it is disabled, you can enable it again using the SMS/text option and then reconfigure your Security Key and make it preferred.

Thank you!

[lorisleiva]

Unfortunately, this workaround no longer works for some users as we cannot disable 2FA in order to reconfigure it.

[jheidbrink]

Thank you @montymahato

I consider 2FA via SMS less secure than via Yubikey. So instead of the above, I now configured my Yubikey to not only act as security key, but also as TOTP generator. Thus I have effectively limited 2FA to Yubikey only.

[iamreiyn]

Anytime, glad to know that you were able to work your way around it!

[FlameDuck]

Of course 2FA sent unecrypted over the air using a protocol hacked together by GSM in the 1980's is less secure than an encrypted purpose built hardware device from 2018. Anyone who thinks differently is simply wrong.

[DNin01]

I consider 2FA via SMS less secure than via Yubikey. So instead of the above, I now configured my Yubikey to not only act as security key, but also as TOTP generator. Thus I have effectively limited 2FA to Yubikey only.

That's cool that you found a workaround.

GitHub did say in a blog post that they were working on making it possible to use security keys as the primary second factor, so if I'm right, this option will be available soon.

In the future, you'll also find security keys there as an option for initial setup on supported devices and browsers.

[tianhuil]

Agree with @jheidbrink. But because I use to use the authenticator app prior to getting Yubi keys, it's now stuck there and I can't remove it. The only workaround is "editing" the authenticator app password, confirming, and then immediately deleting the key from my phone.

I wish they would just let me delete it.

[n1ngu]

I was planning on doing exactly this.

But even if I have multiple FIDO keys and backed-up recovery codes, I fear I am bricking the main MFA TOTP method. Plus the attack surface on that method remains open.

[dr-yd]

DO NOT DO THIS! Github now forces you to reauthenticate using TOTP 2FA every week even if you have a Yubikey! Completely backasswards, no idea who thought that was a good idea...

[n1ngu]

If that is true, this may be my final words with this account until I am asked a TOTP token 🖖

[n1ngu]

Let's see if I can find that recovery codes backup... 🥲

[l4kr]

I have 4 damn keys I don't need a damn TOTP. Plz gib option to remove it. @microsoft

[pickyusernamepicker]

While we're at it, 2FA settings in Microsoft accounts are a much worse mess...

[stevensmedia]

This is inherently insecure that the user is forced to open up authentication methods that aren't being used. Fix the hole, Microsoft.

[n1ngu]

Indeed FIDO keys are secure enough. Additional MFA methods only increase the attack surface on accounts.

[mikaellq]

It seems rather meaningless to use security keys if authenticator app can’t be removed.
Then the account is no more secure than with authenticator app only. 👎

[stevensmedia]

It's worse now. It demands you give an authenticator code EVEN IF YOU DON'T HAVE AN AUTHENTICATOR.

I have disabled TFA and will not be re-enabling it until this is fixed. I have a support ticket in insisting this be fixed.

I recommend project maintainers prepare to move active development OFF of github, so anyone using the github version is at risk of using older, insecure versions of software until this is fixed.

[wwangsa]

Prior to setting up Yubi Key and authenticator app, I used Github Mobile. Now, I can't remove the authenticator app. I'm able to login with the authenticator app but when I go to settings > password and authentication > authenticator app > "Verify the code from the app" , I get "Two-factor code verification failed. Please try again.". It looks like it doesn't recognize the authenticator app but I still can use it at login...

[horror-proton]

I think that "Verify the code from the app" is only used to check if a new authenticator app is properly configured via the QR code above, not existing ones.

[pmalek]

I don't understand why we're not able to remove a particular method of 2FA given that we still have other methods set up. 🤔

[lltr]

I am also wondering why the option to remove the Authenticator app is not available once Security keys are configured. The Authenticator app is not phishing resistant. It is counter intuitive to me for 2FA to have another surface open and I consider this to be less secure. I hope the option to remove the Authenticator app will be available soon.

[pickyusernamepicker]

The option to disable the recovery codes would be sensible too. Google's already added it.

[jsanadev]

You can disable 2FA using your password.

[jsanadev]

i just did it, i disabled 2FA to reconfigure authenticator app, it just prompt you requesting authenticator code but under it, it shows you "disable using your password"

[l4kr]

We are not talking about disabling 2FA. We are talking about disabling TOTP when we have passkeys set up.

[jsanadev]

I just followed the title from post, How to remove authenticator app, apologies if i was wrong, i was trying to help with that use case

[kr]

It's a reasonable misunderstanding, the phrasing is arguably ambiguous. In this context, "authenticator app" means TOTP specifically, it doesn't refer to other forms of 2FA.

It would probably be clearer for a lot of people if the title could be changed to explicitly say TOTP somewhere.

[tasmo]

Not anymore. Github enforced to use Two-Factor for many accounts.

[wrinkledeth]

It's 2024 now, looks like there is still no option to disable the "Authenticator App" option if you have security keys setup:

Any plans of getting this fixed?

[fengyi233]

Please check here.

[pickyusernamepicker]

@fengyi233 That option disables all 2FA, including hardware keys. This thread is about keeping hardware keys enabled & disabling only the app (TOTP apps offer less security than hardware keys).

[tasmo]

This is not possible anymore. Two-factor authentication is enforced on most accounts.

[knan]

With multiple hardware keys setup, totp app is superfluous and a hindrance. Please let us remove it.

[stanleyguevara]

I just managed to remove it.

Just set up a SMS/Text message method, authenticate with it and then you can disable Authenticator app option.

I had to do it because of Raivo iOS app getting acquired and losing everybody's keys on first update. Do not recommend. Lucky I had my recovery codes.

[wrinkledeth]

Were you able to disable SMS auth method afterwards?

[stanleyguevara]

Yes. But only after setting up a new OTP authenticator app.
Looks like it requires backup codes to be set up + 2 independent 2FA methods.

[ghostinhershell]

Hey there everyone 👋🏾

Just wanted to circle back here and give an updated answer to this question since I think it's still a popular question in this community.

I'm afraid that it is not possible to remove a TOTP application from an account enabled for 2FA. GitHub requires that a primary factor - either TOTP or SMS - be active for all accounts and so the only option is to replace one with another. Any additional access factors can be setup (or removed) at your discretion and can be used for day-to-day access; however the primary factor must remain active at all times. You can learn more here: Two Factor Authentication Frequently Asked Questions 🔑 🗝️.

Apologies that we cannot accommodate your request at this time though I will pass on your comments to our authentication team. I can't promise any changes will be made but we will consider all feedback as we iterate on this, and future security-related features. If there's anything additional you might like to add though, or if I can help with anything else, then please do let me know.

[n1ngu]

Thanks for the update!

Could you please clarify what are the consequences of loosing this "primary factor" as long as "additional access factors" are operative? E.g. could you shed some light on this thread https://github.com/orgs/community/discussions/54699#discussioncomment-6015764

Also, when reaching the authentication team, please bring to their attention that excessive access factors only increase the attack surface on github accounts https://github.com/orgs/community/discussions/54699#discussioncomment-6824929

[ngist]

It's strange that TOTP would be a required Auth factor, when HW security keys using FIDO2/webauthn should be inherently more secure and at least as available as TOTP.

I just setup redundant HW security keys on my account, and was surprised to find TOTP can't be removed.

TOTP is readily phishable, and once in the account an attacker can just add more auth factors so it's not supplying added security, and opens up a phishing attack vulnerability that other auth methods don't have. You could say well just don't use TOTP if you don't want to, but a user could still be tricked into thinking they need to supply a TOTP code since if it can't be removed it must be needed for something right? I could just delete the TOTP form my auth app, but I'm not going to because if I can't eliminate it from githubs side, I might need it one day.

[torburg]

Hi there!

I'd like to share my experience with GitHub's two-factor authentication options. Currently, I've set up GitHub Mobile as my primary 2FA method, as it's listed as the recommended option on the site.

However, I've noticed something puzzling - even though GitHub Mobile is configured as my primary 2FA method, the system still asks me for an authentication code from an authenticator app when I log in.

I've been trying to use 1Password (an older version) as my authenticator app, but the codes it generates aren't working for GitHub. I've even tried re-linking my account in the app, but that didn't solve the issue.

It would be really helpful if GitHub could make their own mobile app authentication work seamlessly as the primary method when selected. This would eliminate the need for users to download and configure additional authentication apps for the same purpose.

Would it be possible to improve this experience so that when users select GitHub Mobile as their primary 2FA method, the system respects that choice?

Thanks for considering this feedback!

[AVargas-84]

I'm having the same isssue with the primary 2FA method. I first configured an authenticator app, but then switched phones and started using github app. Now it always asks for the authenticator app, even though i have the prefered method selected for the github app. I don't have the authenticator app anymore, and I prefer to use the github app instead of some third party authenticator. It would be a great solution to be able to deactivate one and select the other. Thanks.

[happymoodhub]

• Login and go to your 2FA/security settings
• Temporarily disable all 2FA methods
• Re-enable only your security key (leave TOTP unconfigured)
• Now the TOTP entry won’t show up again
• if problem not solved, download an authenticator app from trusted platform

[escape0707]

If you've read posts in this thread:

Upon your suggested second step, a notice saying:

"Because of your contributions on GitHub, two-factor authentication is required for your account. Thank you for helping keep the ecosystem safe! Learn more about our two-factor authentication initiative."

will show at the 2FA section of the settings page, and you can't just disable 2FA for that GitHub account. That's why many people are complaining here in the first place.

[azu]

A part of the MFA improvements, I realized that the Authenticator app couldn't be erased, so we got here.

Recent phishing attacks have been carried out using TOTP replay attack.
Therefore, I want to disable the Authenticator app itself and just have security keys.

• Specific example of the attack: npm debug and chalk packages compromised (the victim used TOTP as MFA)

npm was able to remove the Authenticator app, so I'm surprised that GitHub can't remove the Authenticator app

[pacaroha]

Today I logged into this account, which is my public work identity for GitHub with my current employer. I have used a YubiKey for various things at this job as long as I had one, and figured I'd set it up for this GitHub account after the deadline forcing everyone to enable 2FA hit.

Except now I've been forced into creating a TOTP key that I don't want or need, and now cannot delete.

It's been years now since we were told that we would "soon" be able to set up a security key as a 2FA method in the initial flow. This is ridiculous.