As part of our ongoing efforts to secure Alphabet's source code, on June 30th 2025, we will require all users accessing Alphabet-owned GitHub Organizations use only secure 2FA methods.

✅ Secure methods include:

• Authenticator Apps (TOTP)
• Passkeys
• Security Keys
• GitHub Mobile App (acting as 2fa)

❌ Insecure methods include:

• SMS

Users will receive an email from GitHub notifying them of this change. Users will be immediately locked out from accessing organization resources and will be prompted to set up a secure method or remove insecure methods. Once this is complete, access is immediately restored.

NOTE

This will also impact external collaborators and non-Googler members of Alphabet-owned Organizations. {: .block-tip }

We strongly recommend reviewing your 2FA methods ahead of this change to ensure that:

1. You have at least one secure method
2. Remove SMS as a 2FA method

NOTE

You must add an Authenticator App prior to GitHub permitting the removal of an SMS based authentication method {: .block-tip }

1. Shortly after sending this email, there will be a butter bar added to notify users of the changes in GitHub
2. We will send reminder emails notifying users of this change (2 and 1 week prior to enforcement)
3. We will begin a phased roll out on June 30th, 2025 to gather initial feedback
4. Pending the success of 3, we’ll aim to rollout to all Organizations by July 14th, 2025