Have you forgotten your GitHub security key and are now unable to log in? We know that is scary, especially if you have many ongoing projects or have contributed to other users’ repos. After all, GitHub is a well-known web-based hosting service that serves as a free or paid repository for creating, managing, tracking, and monitoring changes to software. Luckily, due to the high demand for security and protection against human error and fleeting memory, there are other ways to access your account. Even better for you, we already explained them in the past. However, we will first show you how to recover, or rather, remember a GitHub security key.
Step 1. Examine all possible methods to recover your GitHub security key
We want to remind you that a security key is a secondary protection against unauthorized access to the GitHub account. Therefore, to set it up, you must have configured two-factor authentication (2FA) in the past. We will go over that part in a moment. For now, we need to figure out if there are any security keys you may use. They are all based on WebAuthn, a technology built into browsers that is the successor to U2F (Universal 2nd Factor). Over time, the platform added several security key procedures, and some are even physical, so you may have forgotten which ones you set up. Here are the supported options to configure a security key in GitHub:
- Physical security key — It works over USB (similar to a flash drive) or NFC (near-field communication). The latter is a small device that connects to an NFC reader to extract a security key and transfer it in encrypted form via SSH (Secure Shell)
- Facial recognition — Use your camera (usually front camera on mobile devices) to scan your face, commonly via infrared technology that creates a 3D image
- Fingerprint — Use a third-party fingerprint scanner or one built into your mobile device, either on the back, below the camera, or under the screen
- Password or a PIN — Available on some browsers, it uses your device’s PIN (Personal Identification Number) or password, or a separate one you set up
With all this said, whenever you forget your password while trying to log in to GitHub, you can tap or click Having problems?, and you’ll be offered multiple options:
- Use your security key
- Enter a two-factor code from your phone
- Enter a recovery code
Choose the third option and see which option is configured based on what GitHub offers. If you’re on your mobile phone, it’s all but guaranteed that PIN, password, fingerprints, or facial recognition are available. Some are unique to the device owner (“biometrics”) and saved in the device. Additionally, those can be used alongside the unlocking pattern to bypass PIN or password and change them.
Step 2. Restore access to GitHub account using other methods
As you can see below, a security key is merely a way to strengthen your account security. Even if you forget the key, you can still recover your GitHub account via other authentication procedures without ever using it. That guide contains detailed instructions, so repeating them is redundant. Instead, we’ll briefly go over the explained methods of GitHub account authentication, then add two more:
- TOTP (time-based one-time password) mobile applications — You can receive a temporary password in smart device applications such as Microsoft Authenticator, LastPass Authenticator, 1Password, and Authy
- SMS to a fallback device — This method uses a mobile phone or tablet where you can read a code sent via a text message and enter it on the screen. It isn’t supported in all countries
- Recovery codes — After setting up 2FA, GitHub will ask you to download a set of various recovery codes you can use to access the account
- Using a verified device, PAT (personal access token), or SSH token — Last resort method that relies on GitHub Support’s ability to piece information together. They will analyze the device you use to send a request, then compare it to your account access history to validate ownership
- GitHub Mobile — A process we haven’t mentioned before because it was added afterward. If you have the GitHub Mobile app, you can select Authenticate with GitHub Mobile, and you’ll get a push notification to approve the sign-in in the browser without entering credentials
- Using command line — Another procedure we skipped, also a late addition, relies on software called Git Credential Manager. It uses an SSH token, HTTPS, or personal access token and skips waiting for Customer Support
Step 3. Create a new security key for a GitHub account
If you are the legitimate owner of the GitHub account, one of the options we mentioned must have worked. Now that you bypassed the need for a security key, you can remove old ones and configure new keys. Follow these instructions to set up a new GitHub security key and recover future account access:
- Double-check that your web browser is updated and supports WebAuthn.
- Access the GitHub website from a device with support for the method you plan to use. If you’re using a physical key such as YubiKey (merely a well-known example), plug it into the USB port or connect an NFC device.
- Sign in using any methods we mentioned in step 2.
- In the top right corner of the dashboard, click the account icon or your profile picture.
- From the drop-down menu, select Settings.
- Go to the “Access” part of the sidebar.
- Select Password and authentication.
- Find “Security keys” and click on Add. Note the type of security key already added to the account to the left of the button.
- Choose to delete a security key, change it, or register a new security key.
- Follow the on-screen instructions to input the necessary biometric information, type the credentials, or activate your physical security key.
- Add a nickname for the type of key, then click on Add.
- Optional. Configure all available key-related methods to give yourself wiggle room if the primary one becomes unviable.
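
One way to carry out the first check in the list above (that the browser supports WebAuthn) is the following added example, which is not from the original article or from GitHub and can be pasted into the browser's developer console on an HTTPS page. The function names, the `env` parameter, and the verdict strings are assumptions made for this example.

```javascript
// Added example; names and verdict strings are assumptions, not GitHub's code.
// `env` defaults to the browser global; a stub object can be passed for testing.
function webAuthnApiAvailable(env = globalThis) {
  return env.isSecureContext === true &&
    typeof env.PublicKeyCredential === "function" &&
    Boolean(env.navigator && env.navigator.credentials);
}

async function checkWebAuthnSupport(env = globalThis) {
  const report = {
    apiAvailable: webAuthnApiAvailable(env),
    platformAuthenticator: false, // fingerprint, face, or device PIN/password
    verdict: "",
  };
  if (!report.apiAvailable) {
    report.verdict = env.isSecureContext === true
      ? "No WebAuthn API: update the browser or sign in with another 2FA method."
      : "Not a secure context: open the page over HTTPS and check again.";
    return report;
  }
  // Static method that resolves to true when the device itself can act as
  // the authenticator (built-in biometrics or screen-lock PIN).
  const probe = env.PublicKeyCredential.isUserVerifyingPlatformAuthenticatorAvailable;
  if (typeof probe === "function") {
    try {
      report.platformAuthenticator = (await probe.call(env.PublicKeyCredential)) === true;
    } catch {
      report.platformAuthenticator = false; // treat a failed probe as "not available"
    }
  }
  report.verdict = report.platformAuthenticator
    ? "Physical key, fingerprint, face, or device PIN can be registered."
    : "No built-in authenticator found: a physical (USB/NFC) security key is needed.";
  return report;
}

// In a browser, print the report; in other runtimes this line does nothing.
if (typeof window !== "undefined") checkWebAuthnSupport().then(console.log);
```

A report with `platformAuthenticator: false` means the fingerprint, facial recognition, and PIN options from step 1 will not be offered on that device.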