For the ones who are worried about losing all credentials for their GitHub account, here are some official answers from GitHub support.
---------- Forwarded message ----------
From: Michael (GitHub Staff) firstname.lastname@example.org
Date: 2017-12-12 11:05 GMT+01:00
Subject: Re: What happens if I lose my password, 2FA key and recovery key
To: Victor Stinner email@example.com
Thanks for getting in touch.
To address your questions:
The question is what happens if you lose your password, your 2FA key and your recovery key... Ok, it's unlikely, but it's a real question.
If you were to lose access to all of your 2FA credentials, I'm afraid we wouldn't be able to disable 2FA for you, for security reasons. For this reason, we recommend setting up one or more fallbacks.
One way of safeguarding recovery keys is storing them in an encrypted password manager like 1Password or LastPass, which often have cloud backup capabilities.
The second question is if the email account comes into play as the last attempt to recover access to the GitHub account.
The email and password associated with an account provide one factor of authentication. If 2FA is enabled, a second factor is required. In the case of someone losing access to all 2FA credentials, but still having access to the email associated with an account, we aren't able to disable 2FA, but can release the email address from the account. This would then allow the user to register the email address to a new account. Additionally, any contributions associated with that email address would follow along to the new account.
At present, we have a range of fallbacks, which I'll list below. It's a good idea to use more than one, while also being mindful of not creating too much exposure.
*Download your recovery codes.* This is far and away the best way to make sure you don't get locked out of your account. If you ever disable and then re-enable 2FA, be sure to download the new codes we generate as the old ones will no longer work.
*Set a fallback number.* As long as your phone wasn't lost, you'll be able to regain access to your account in the amount of time it takes to receive an SMS.
*Add a security key.* Phone got stolen *and* you lost your recovery codes? Today is turning into a rough day, but you'll still have access to your account if you have a FIDO U2F security key added to your account.
*Store a recovery token.* If you use Facebook, you're now able to store a 2FA recovery token with your account. Here's how: https://help.github.com/articles/generating-and-storing-an-account-recovery-token
*Set up an SSH key.* We’re sometimes able to recover an otherwise locked out account if there’s an SSH key set up. You can add one by heading to: https://help.github.com/articles/adding-a-new-ssh-key-to-your-github-account/
Let me know if you have any questions or if there's anything else we can help with!