Improvement Suggestion: Make the option to remove SMS as a 2FA method more intuitive

[dennisschneider]

Select Topic Area

Product Feedback

Body

I encountered an issue where it was not intuitive to remove SMS as a two-factor authentication (2FA) method, even though I had already set up two other 2FA methods (GitHub Mobile App and a TOTP app). The GitHub Mobile App was already set as my preferred 2FA method, but the option to remove SMS was still not available. Instead, I had to take additional steps to make the removal possible.

Steps I had to take:

1. I ensured that the GitHub Mobile App was already set as my preferred 2FA method under Password and authentication in the settings.
2. Despite this, I had to set up an additional TOTP app as another 2FA method.
3. Only after adding the TOTP app was I able to return to the SMS method, click Edit, and finally see the option to remove it.

Suggestion:

If multiple 2FA methods are already configured, and one is already set as the preferred method, the option to remove a method like SMS should be clearly and directly available without requiring the user to add yet another method. This would improve the user experience and reduce unnecessary steps.

Background:

I am part of an organization that is disabling SMS-based 2FA. Despite having other 2FA methods already set up and a preferred method selected, it was not obvious how to remove SMS as a method. This could be considered a bug or an area for improvement.

[sarahtrefethen]

Bumping this! I felt like I was going crazy.

[DNin01]

If you use two-factor authentication on your account, GitHub currently requires that you use at least either SMS or TOTP authentication. Therefore, you can't disable SMS authentication until you have added a TOTP authenticator app. (That also makes them the only available options when you are first turning on 2FA.)

You can still select a preference for any of the authentication methods you set up, but even if you use security keys or GitHub Mobile for authentication, you must at least have configured either SMS or TOTP authentication methods.

Note that although GitHub Mobile can be used for authentication, it is different than a TOTP app, which is dedicated to enabling authentication without needing to already be signed in to GitHub on your mobile device.

[bamcmanus]

Encountered this and lost a non-trivial amount of time today. Company required 2FA and prevents SMS. I use GH mobile as my preferred method anyways but a little wild that is not considered a first class option and I also need to have an authenticator setup.

[mgambrell]

I think it's possible what's going on here is that GitHub won't let you drop below two 2FA methods. For example, I was able to remove SMS after adding TOTP, but then I would no longer be able to remove TOTP. (If I re-added SMS, I would then be able to remove TOTP).

The UI here should explain this AND ALSO tell you whether you're considered "insecure" (and explain that).

Ironically, the SMS 2FA method "Adds an additional layer of security" (and marks you as insecure).

[cameron-granger]

This post definitely helped me from pulling my hair out! 😆
Had PassKeys and Security keys--the trick was adding a ToTP too. Thanks!

[ogrotten]

Steps I had to take:

Thanks for this. It took me "a while" to realize something wasn't quite right.

[jrhager84]

How the heck do I remove SMS? I don't have the option and I have pretty much every other option enabled as well.

[missjames008]

Thank you for this, I thought I was losing my mind. At least now I know the workaround!

[Radek-Pysny]

Is there any reason why I cannot use just Security key and completely disable SMS, which is being insecure? IMHO, it should be enough to use just Security key as condition to remove/disable SMS authentication. I hope GH product can check this and I assume there is no reasonable answer telling for touching the constraints.

[Saganic]

Bump. Just had to do this because of the organisations I'm involved with. I have passkeys, github mobile app and backup codes enabled for this account and yet can't disable the SMS factor. Very strange that with 3 alternative factors enabled you cannot disable SMS unless totp is configured.

[SergioIldefonsoUpstack]

For what I could see, only with Security keys configured it isn't possible to disable SMS/Text message. It is needed to add another method like and Authenticator app (example: 1Password). Only then, when we press the "Edit" button we can see the Disable option.

[mattlawhon]

Same issue - had all verification methods setup but Authenticator app and I still couldn't remove SMS. This is insanely bad design!

[loisekk]

pasted3:36 AMThe fix is simple: you must have a TOTP authenticator app configured before GitHub will let you remove SMS.
Even if you have Passkeys, Security Keys, GitHub Mobile, and backup codes — none of those count. GitHub requires at least one TOTP app as a baseline 2FA method before SMS can be removed.
Steps to remove SMS:

Go to Settings → Password and authentication
Add a TOTP authenticator app (e.g. Google Authenticator, Authy, 1Password)
Once added, go back to your SMS method → click Edit
You'll now see the Disable option

After removing SMS, you can continue using whichever methods you prefer day-to-day (Passkeys, GitHub Mobile, etc.) — just keep the TOTP app configured in the background.
This is a known UX issue with GitHub's 2FA system and widely considered poor design by the community, but until GitHub changes the requirement, adding a TOTP app is the only workaround.