Description
Code of Conduct
- I have read and agree to the GitHub Docs project's Code of Conduct
What article on docs.github.com is affected?
What part(s) of the article would you like to see updated?
The text that mentions SMS should be relegated to something approximating a footnote:
For GitHub, the second form of authentication is a code that's generated by an application on your mobile device or sent as a text message (SMS). After you enable 2FA, GitHub generates an authentication code any time someone attempts to sign into your account. The only way someone can sign into your account is if they know both your password and have access to the authentication code on your phone.
Optionally, you can add a passkey to your account. Passkeys are similar to security keys and satisfy both password and 2FA requirements, allowing you to sign in with a single step. However, to reduce the risk of account lockouts, you should also configure a fallback 2FA method, such as a TOTP mobile app or SMS-based authentication. If you have already set up a security key for 2FA that is passkey-eligible, you may be prompted to upgrade it to a passkey during registration. See About passkeys.
Add a section that talks about:
/organizations/:org/settings/security
Only allow secure two-factor methods
Users can only use secure two-factor methods: authenticator apps, passkeys, security keys, and the GitHub mobile app. Learn more about two-factor authentication.
Additional information
The setting for Only allow secure two-factor methods is pretty new and the way it behaves is incredibly surprising. I've spoken to a couple of people and so far everyone has been surprised at the process to enable it, and the docs are just this page, which doesn't help.
Ideally that view would warn "hey, you observer, your account has SMS enabled, you should go to https://github.com/settings/security and remove it", and ideally it would give an admin a hint about how many accounts would be impacted by this setting (there's a difference between 0, 1-5, and 1000).
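An added example, not part of this issue and not GitHub's own tooling: until the settings page shows an impact count, an org owner can get one from the REST API. The script pages through `GET /orgs/{org}/members` with the `2fa_disabled` filter and, assumed here from the current REST reference (verify against the docs for your GitHub version), the `2fa_insecure` filter that lists members whose 2FA uses SMS, then buckets the count the way the issue describes (0, 1-5, more). The token is read from `GITHUB_TOKEN` (assumed env var name); `SAMPLE_LINK` and `SAMPLE_MEMBERS` are constructed sample data so the helpers can be run offline.

```python
import json
import os
import re
import sys
import urllib.request
from typing import Dict, Iterable, Iterator, List, Optional

API = "https://api.github.com"

# Constructed sample data (not real API output) so the helpers run offline.
SAMPLE_LINK = (
    '<https://api.github.com/orgs/acme/members?filter=2fa_insecure&per_page=100&page=2>; rel="next", '
    '<https://api.github.com/orgs/acme/members?filter=2fa_insecure&per_page=100&page=3>; rel="last"'
)
SAMPLE_MEMBERS = [{"login": "carol"}, {"login": "alice"}, {"login": "bob"}]


def parse_next_link(link_header: Optional[str]) -> Optional[str]:
    """Return the rel="next" URL from a GitHub Link header, or None on the last page."""
    if not link_header:
        return None
    for part in link_header.split(","):
        m = re.match(r'\s*<([^>]+)>\s*;\s*rel="([^"]+)"', part)
        if m and m.group(2) == "next":
            return m.group(1)
    return None


def fetch_members(org: str, token: str, member_filter: str) -> Iterator[Dict]:
    """Page through GET /orgs/{org}/members?filter=<member_filter> (org owner token required).

    Assumption: ``2fa_insecure`` (members whose 2FA uses SMS) is taken from the current
    REST reference; ``2fa_disabled`` is the long-standing filter. Check both against the
    docs for your GitHub version before relying on the numbers.
    """
    url = f"{API}/orgs/{org}/members?filter={member_filter}&per_page=100"
    while url:
        req = urllib.request.Request(url, headers={
            "Authorization": f"Bearer {token}",
            "Accept": "application/vnd.github+json",
            "X-GitHub-Api-Version": "2022-11-28",
        })
        with urllib.request.urlopen(req) as resp:
            yield from json.load(resp)
            url = parse_next_link(resp.headers.get("Link"))


def impact_summary(members: Iterable[Dict]) -> Dict:
    """Count the affected members and bucket the count the way an admin would read it."""
    logins: List[str] = sorted(m["login"] for m in members)
    n = len(logins)
    bucket = "0" if n == 0 else ("1-5" if n <= 5 else "more than 5")
    return {"count": n, "bucket": bucket, "logins": logins}


def main(argv: List[str]) -> int:
    if len(argv) != 2:
        print(f"usage: {argv[0]} ORG  (GITHUB_TOKEN must be set; org owner required)", file=sys.stderr)
        return 2
    token = os.environ.get("GITHUB_TOKEN")  # assumed env var name
    if not token:
        print("GITHUB_TOKEN is not set", file=sys.stderr)
        return 2
    for member_filter in ("2fa_insecure", "2fa_disabled"):
        s = impact_summary(fetch_members(argv[1], token, member_filter))
        print(f"{member_filter}: {s['count']} member(s) [{s['bucket']}] {', '.join(s['logins'])}")
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as `GITHUB_TOKEN=... python3 script.py your-org` before flipping the setting; the `2fa_insecure` list is the set of people who would need to visit https://github.com/settings/security and replace SMS with an authenticator app, passkey or security key first. The API cannot tell you which individual on that list is you, so the admin still needs to check their own account.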