How to remove authenticator app

[jheidbrink]

I configured a TOTP authenticator app. Later i also configured a security key which was automatically selected as the preferred 2FA method. Now i want to remove the TOTP authenticator so that it no longer shows up as configured, and so that I cannot accidentally select it as preferred method. I want to remove the corresponding secret from my app then. However in the Web GUI I don't find an option to remove the configured authenticator app.

[montymwahto]

Hello, @jheidbrink

Unfortunately, as of now, there is no way to remove TOTP (Authenticator app) directly. However, you can remove it by signing up for the 2FA again using the SMS/Text message method.

So, you must either have the Authenticator app or SMS/Text method configured. This way you can reconfigure to make your security key as the preferred method and also have the Authenticator app removed.

And in order to do that:

1. Open your GitHub Settings

2. Navigate to Password and authentication

3. Click on the Enabled button next to "Two factor authentication" (it will disable 2FA)

After it is disabled, you can enable it again using the SMS/text option and then reconfigure your Security Key and make it preferred.

Thank you!

[lorisleiva]

Unfortunately, this workaround no longer works for some users as we cannot disable 2FA in order to reconfigure it.

[jheidbrink]

Thank you @montymahato

I consider 2FA via SMS less secure than via Yubikey. So instead of the above, I now configured my Yubikey to not only act as security key, but also as TOTP generator. Thus I have effectively limited 2FA to Yubikey only.

[montymwahto]

Anytime, glad to know that you were able to work your way around it!

[FlameDuck]

Of course 2FA sent unecrypted over the air using a protocol hacked together by GSM in the 1980's is less secure than an encrypted purpose built hardware device from 2018. Anyone who thinks differently is simply wrong.

[DNin01]

I consider 2FA via SMS less secure than via Yubikey. So instead of the above, I now configured my Yubikey to not only act as security key, but also as TOTP generator. Thus I have effectively limited 2FA to Yubikey only.

That's cool that you found a workaround.

GitHub did say in a blog post that they were working on making it possible to use security keys as the primary second factor, so if I'm right, this option will be available soon.

In the future, you'll also find security keys there as an option for initial setup on supported devices and browsers.

[tianhuil]

Agree with @jheidbrink. But because I use to use the authenticator app prior to getting Yubi keys, it's now stuck there and I can't remove it. The only workaround is "editing" the authenticator app password, confirming, and then immediately deleting the key from my phone.

I wish they would just let me delete it.

[n1ngu]

I was planning on doing exactly this.

But even if I have multiple FIDO keys and backed-up recovery codes, I fear I am bricking the main MFA TOTP method. Plus the attack surface on that method remains open.

[dr-yd]

DO NOT DO THIS! Github now forces you to reauthenticate using TOTP 2FA every week even if you have a Yubikey! Completely backasswards, no idea who thought that was a good idea...

[n1ngu]

If that is true, this may be my final words with this account until I am asked a TOTP token 🖖

[n1ngu]

Let's see if I can find that recovery codes backup... 🥲

[l4kr]

I have 4 damn keys I don't need a damn TOTP. Plz gib option to remove it. @microsoft

[pickyusernamepicker]

While we're at it, 2FA settings in Microsoft accounts are a much worse mess...

[stevensmedia]

This is inherently insecure that the user is forced to open up authentication methods that aren't being used. Fix the hole, Microsoft.

[n1ngu]

Indeed FIDO keys are secure enough. Additional MFA methods only increase the attack surface on accounts.

[mikaellq]

It seems rather meaningless to use security keys if authenticator app can’t be removed.
Then the account is no more secure than with authenticator app only. 👎

[stevensmedia]

It's worse now. It demands you give an authenticator code EVEN IF YOU DON'T HAVE AN AUTHENTICATOR.

I have disabled TFA and will not be re-enabling it until this is fixed. I have a support ticket in insisting this be fixed.

I recommend project maintainers prepare to move active development OFF of github, so anyone using the github version is at risk of using older, insecure versions of software until this is fixed.

[wwangsa]

Prior to setting up Yubi Key and authenticator app, I used Github Mobile. Now, I can't remove the authenticator app. I'm able to login with the authenticator app but when I go to settings > password and authentication > authenticator app > "Verify the code from the app" , I get "Two-factor code verification failed. Please try again.". It looks like it doesn't recognize the authenticator app but I still can use it at login...

[horror-proton]

I think that "Verify the code from the app" is only used to check if a new authenticator app is properly configured via the QR code above, not existing ones.

[pmalek]

I don't understand why we're not able to remove a particular method of 2FA given that we still have other methods set up. 🤔

[lltr]

I am also wondering why the option to remove the Authenticator app is not available once Security keys are configured. The Authenticator app is not phishing resistant. It is counter intuitive to me for 2FA to have another surface open and I consider this to be less secure. I hope the option to remove the Authenticator app will be available soon.

[pickyusernamepicker]

The option to disable the recovery codes would be sensible too. Google's already added it.

[jsanadev]

You can disable 2FA using your password.

[jsanadev]

i just did it, i disabled 2FA to reconfigure authenticator app, it just prompt you requesting authenticator code but under it, it shows you "disable using your password"

[l4kr]

We are not talking about disabling 2FA. We are talking about disabling TOTP when we have passkeys set up.

[jsanadev]

I just followed the title from post, How to remove authenticator app, apologies if i was wrong, i was trying to help with that use case

[kr]

It's a reasonable misunderstanding, the phrasing is arguably ambiguous. In this context, "authenticator app" means TOTP specifically, it doesn't refer to other forms of 2FA.

It would probably be clearer for a lot of people if the title could be changed to explicitly say TOTP somewhere.

[tasmo]

Not anymore. Github enforced to use Two-Factor for many accounts.

[wrinkledeth]

It's 2024 now, looks like there is still no option to disable the "Authenticator App" option if you have security keys setup:

Any plans of getting this fixed?

[fengyi233]

Please check here.

[pickyusernamepicker]

@fengyi233 That option disables all 2FA, including hardware keys. This thread is about keeping hardware keys enabled & disabling only the app (TOTP apps offer less security than hardware keys).

[tasmo]

This is not possible anymore. Two-factor authentication is enforced on most accounts.

[knan]

With multiple hardware keys setup, totp app is superfluous and a hindrance. Please let us remove it.

[stanleyguevara]

I just managed to remove it.

Just set up a SMS/Text message method, authenticate with it and then you can disable Authenticator app option.

I had to do it because of Raivo iOS app getting acquired and losing everybody's keys on first update. Do not recommend. Lucky I had my recovery codes.

[wrinkledeth]

Were you able to disable SMS auth method afterwards?

[stanleyguevara]

Yes. But only after setting up a new OTP authenticator app.
Looks like it requires backup codes to be set up + 2 independent 2FA methods.