- Authenticator app (TOTP): six-digit codes from apps like 1Password, Google Authenticator, or Authy.
- Passkeys (WebAuthn): Touch ID, Windows Hello, or a hardware security key. You can register more than one and give each a name.
Set up an authenticator app
From your account settings, start the authenticator setup. You’ll get a QR code to scan (or a secret to paste in manually), then you confirm with the first six-digit code your app shows. Codes rotate every 30 seconds. The same flow is available over the API: the response includes a secret, an otpauth_uri you can feed to any authenticator, and a ready-to-render qr_svg. Then activate with a current code:
Add a passkey
Passkey registration happens in the browser, so the dashboard is the natural place: start the flow from your account settings, approve the prompt (Touch ID, Windows Hello, or your security key), and give the passkey a name so you can tell your devices apart later. Unnamed passkeys show up as “Passkey”. You can register multiple passkeys. Each one is listed with its name and the date it was added.
Recovery codes
The first time you enroll a factor, Nubo generates 10 one-time recovery codes and shows them to you once. Save them somewhere safe (a password manager is perfect). If you lose your phone and your passkeys, a recovery code is how you get back in. Each code works exactly once. They look like ABCDE-23456, and you can type them with or without the hyphen, in any case.
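How a service could handle recovery codes with the properties described above (shown once, hyphen and case ignored, each code valid exactly once, regeneration replacing the whole set), as an added example that is not Nubo's implementation. The alphabet, the keyed-hash storage and the `RecoveryCodeStore` class are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567"  # assumed: base32 letters and digits
PEPPER = secrets.token_bytes(32)  # assumed server-side key, kept outside the database

def normalize(text):
    """Canonical form: surrounding spaces and hyphens dropped, uppercased."""
    return text.strip().replace("-", "").upper()

def fingerprint(code):
    """Keyed hash stored in place of the code, so a database leak reveals no codes."""
    return hmac.new(PEPPER, normalize(code).encode(), hashlib.sha256).hexdigest()

class RecoveryCodeStore:
    """Hypothetical per-account store for one-time recovery codes."""

    def __init__(self):
        self._unused = set()

    def regenerate(self, count=10):
        """Replace every existing code and return the new set, to be shown once."""
        codes = []
        for _ in range(count):
            raw = "".join(secrets.choice(ALPHABET) for _ in range(10))
            codes.append(raw[:5] + "-" + raw[5:])  # display form, e.g. ABCDE-23456
        self._unused = {fingerprint(c) for c in codes}
        return codes

    def redeem(self, text):
        """Accept a code once; a repeat or an unknown code returns False."""
        candidate = fingerprint(text)
        match = None
        for stored in self._unused:  # constant-time comparison per stored entry
            if hmac.compare_digest(stored, candidate):
                match = stored
        if match is None:
            return False
        self._unused.remove(match)  # burn the code so it cannot be replayed
        return True

    @property
    def remaining(self):
        return len(self._unused)
```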
Need a fresh set? Regenerate at any time (this replaces all existing codes):
What sign-in looks like
With a second factor enabled, sign-in becomes a two-step flow:
- You sign in with GitHub as usual.
- Instead of landing in the dashboard, you’re asked for your second factor: a passkey tap, a six-digit code, or a recovery code.
Personal access tokens are not affected. The second factor gates interactive sign-in; existing tokens keep working, so your CI and scripts won’t break when you turn this on. See API authentication.
Check your status
enabled is true when at least one factor is set up. recovery_codes_remaining tells you how many unused recovery codes you have left; if it’s getting low, regenerate.
Disable a factor
Remove the authenticator app:
Related
API authentication
Personal access tokens for scripts and CI
Environment variables
Keep secrets out of your code
