Two ways to audit your GitHub Organizations for Two-Factor Authentication usage

On a call with a client, one of the Tech Leads implored everyone to make sure they had Two-Factor Authentication (2FA) set on their GitHub accounts.

The request got me a bit philosophical: I theorize that GitHub, as a platform, has more people using “personal accounts” in a “professional context” than many other platforms. In other words, while almost everyone has a “work email”, I think it may be somewhat common for GitHub users to just have one account that they use for all repos - work and personal (community / hobby).

This creates a scenario where administrative oversight is weaker or more relaxed than it would be for a company-managed account. Policy is helpful, but verification is necessary.

The new GitHub Business plan may help this for some enterprises, with its introduction of SAML/Single Sign On - but that isn’t for everyone, so…

There are two ways to audit the use of 2FA on GitHub: Through the UI, and through the API (as it should be!)

Verifying 2FA usage by GitHub Organization Members using the UI

This is pretty simple. Navigate to any Organization you’re an Owner of, then click the People tab. There will be a dropdown menu labelled 2FA - select Disabled to see who in the Organization isn’t using 2FA.

Verifying 2FA usage by GitHub Organization Members using the API

Also pretty simple, but it requires a personal access token for an account that is an Owner of the Organization: the 2fa_disabled filter is only available to Owners, and the API answers 422 for anyone else. After you’ve generated a token, you run:

curl -H "Authorization: token [yours]" "https://api.github.com/orgs/[orgname]/members?filter=2fa_disabled"

You’ll then get back a JSON array with one object per member who does not have 2FA enabled (the URL fields are trimmed here):

    [
      {
        "login": "username",
        "id": 1234567,
        "avatar_url": "",
        "gravatar_id": "",
        "url": "",
        "html_url": "",
        "followers_url": "",
        "following_url": "{/other_user}",
        "gists_url": "{/gist_id}",
        "starred_url": "{/owner}{/repo}",
        "subscriptions_url": "",
        "organizations_url": "",
        "repos_url": "",
        "events_url": "{/privacy}",
        "received_events_url": "",
        "type": "User",
        "site_admin": false
      }
    ]

The advantage of this method is that you can script the audits to run at a regular interval. (Maybe even pipe the output to Slack…) For organizations that use contractors, have “turnover” in their GitHub Orgs, or are enterprises that allow users to use “personal” GitHub accounts on their Organizations, this could be a useful approach to keeping up good 2FA hygiene.
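Here is a small audit script in the spirit of the curl call above. It is an added example, not code from the original post. It walks every page of the members endpoint (the API returns at most 100 members per page, and a large Org will span several), collects the logins, and prints a one-line report that is easy to hand to a cron job or a Slack webhook. The org name, the `GITHUB_TOKEN` environment variable and the constructed sample pages are assumptions for illustration; the HTTP call is isolated behind a `fetch` callable so the pagination and report logic can be exercised offline.

```python
"""Audit a GitHub Organization for members with 2FA disabled.

Added example (not from the original post). Assumes:
  - GITHUB_TOKEN holds a personal access token of an Organization *owner*;
    the 2fa_disabled filter returns HTTP 422 for anyone else.
  - The org name is given on the command line; pass --sample to run
    against constructed data instead of the live API.
"""
import json
import os
import re
import sys
import urllib.error
import urllib.request
from typing import Callable, List, Optional, Tuple

API = "https://api.github.com"
Page = Tuple[list, Optional[str]]  # (decoded JSON body, Link header)


def parse_next_link(link_header: Optional[str]) -> Optional[str]:
    """Return the rel="next" URL from a GitHub Link header, or None on the last page."""
    if not link_header:
        return None
    for part in link_header.split(","):
        m = re.match(r'\s*<([^>]+)>;\s*rel="next"', part)
        if m:
            return m.group(1)
    return None


def github_fetch(url: str, token: str) -> Page:
    """Live fetcher: GET one page from the API with the token from the post."""
    req = urllib.request.Request(url, headers={
        "Authorization": f"token {token}",
        "Accept": "application/vnd.github+json",
        "User-Agent": "org-2fa-audit",
    })
    try:
        with urllib.request.urlopen(req) as resp:
            return json.load(resp), resp.headers.get("Link")
    except urllib.error.HTTPError as err:
        if err.code == 422:
            raise SystemExit("422: the 2fa_disabled filter needs an Organization owner token")
        raise


def members_without_2fa(org: str, fetch: Callable[[str], Page]) -> List[str]:
    """Follow every page of /orgs/{org}/members?filter=2fa_disabled and collect logins."""
    url = f"{API}/orgs/{org}/members?filter=2fa_disabled&per_page=100"
    logins: List[str] = []
    while url:
        body, link = fetch(url)
        logins.extend(member["login"] for member in body)
        url = parse_next_link(link)
    return sorted(logins)


def report(org: str, logins: List[str]) -> str:
    """One line suitable for a cron mail or a Slack webhook."""
    if not logins:
        return f"{org}: all members have 2FA enabled"
    return f"{org}: {len(logins)} member(s) without 2FA: " + ", ".join(logins)


# Constructed sample data (two pages) so the pagination path runs offline.
SAMPLE_ORG = "example-org"
_PAGE1 = f"{API}/orgs/{SAMPLE_ORG}/members?filter=2fa_disabled&per_page=100"
_PAGE2 = _PAGE1 + "&page=2"
SAMPLE_PAGES = {
    _PAGE1: ([{"login": "carol", "id": 3, "type": "User"},
              {"login": "alice", "id": 1, "type": "User"}],
             f'<{_PAGE2}>; rel="next", <{_PAGE2}>; rel="last"'),
    _PAGE2: ([{"login": "bob", "id": 2, "type": "User"}], None),
}


def sample_fetch(url: str) -> Page:
    return SAMPLE_PAGES[url]


if __name__ == "__main__":
    if "--sample" in sys.argv:
        print(report(SAMPLE_ORG, members_without_2fa(SAMPLE_ORG, sample_fetch)))
    else:
        org = sys.argv[1]
        token = os.environ["GITHUB_TOKEN"]
        print(report(org, members_without_2fa(org, lambda u: github_fetch(u, token))))
```

Run `python audit_2fa.py --sample` to see the offline path, or `GITHUB_TOKEN=... python audit_2fa.py your-org` against the live API; the printed line is what you would post to Slack or compare against last week’s run.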

Not getting compliance? Kick ‘em out!

GitHub also has a setting that lets an Organization owner require 2FA for all members; turning it on removes everyone who isn’t using 2FA from the Organization. While that might be a bit extreme, if it’s something that’s important to you and after several prompts people aren’t complying, it might be a useful option.

Questions or feedback on this article can be sent to or entered in the Issues for the GitHub repo. If you need help with your API Program, that’s what we do at APIvista.

If you :heart: this article, give it a Like, Retweet or Reply!