[python-committers] Fwd: What happens if I lose my password, 2FA key and recovery key

Victor Stinner victor.stinner at gmail.com
Tue Dec 12 07:50:01 EST 2017

For the ones who are worried about losing all credentials for their GitHub
account, here are some official answers from GitHub support.


---------- Forwarded message ----------
From: Michael (GitHub Staff) <support at github.com>
Date: 2017-12-12 11:05 GMT+01:00
Subject: Re: What happens if I lose my password, 2FA key and recovery key
To: Victor Stinner <victor.stinner at gmail.com>

Hi Victor,

Thanks for getting in touch.

To address your questions:

The question is what happens if you lose your password, your 2FA key and
your recovery key... Ok, it's unlikely, but it's a real question.

If you were to lose access to all of your 2FA credentials, I'm afraid we
wouldn't be able to disable 2FA for you, for security reasons. For this
reason, we recommend setting up one or more fallbacks.

One way of safeguarding recovery keys is storing them in an encrypted
password manager like 1Password or LastPass, which often have cloud backup

The second question is if the email account comes into the play as the last
attempt to recover access to the GitHub account.

The email and password associated with an account provide one factor of
authentication. If 2FA is enabled, a second factor is required. In the case
of someone losing access to all 2FA credentials, but still having access to
the email associated with an account, we aren't able to disable 2FA, but
can release the email address from the account. This would then allow the
user to register the email address to a new account. Additionally, any
contributions associated with that email address would follow along to the
new account.

At present, we have a range of fallbacks, which I'll list below. It's a
good idea to use more than one, while also being mindful of not creating
too much exposure.

*Download your recovery codes.* This is far and away the best way to make
sure you don't get locked out of your account. If you ever disable and then
re-enable 2FA, be sure to download the new codes we generate as the old
ones will no longer work.


*Set a fallback number.* As long as your phone wasn't lost, you'll be able
to regain access to your account in the amount of time it takes to receive
an SMS.


*Add a security key.* Phone got stolen *and* you lost your recovery codes?
Today is turning into a rough day, but you'll still have access to your
account if you have a FIDO U2F security key added to your account.


*Store a recovery token.* If you use Facebook, you're now able to store a
2FA recovery token with your account. Here's how:

*Set up an SSH key.* We’re sometimes able to recover an otherwise locked out
account if there’s an SSH key set up. You can add one by heading to:

Let me know if you have any questions or if there's anything else we can
help with!

Best regards,
