GitHub, Multiple Accounts, and 2FA

Since I forget this at regular intervals, here are notes on managing credentials for multiple GitHub accounts, and on securing those accounts with two-factor authentication (2FA) and personal access tokens.

GitHub Credentials

If you have multiple GitHub accounts, e.g., for work on multiple client projects, you need to take care when configuring the origin URLs. When using HTTPS origin URLs, be sure to embed the desired GitHub username in the remote:

    https://your_username@github.com/your_username/your_repo.git

For local repositories that have already been cloned, you may need to update the repository upstream URL. Although this can be done with git remote set-url, I usually use multiple steps.

    $ git remote -v
    origin  https://github.com/your_username/your_repo.git (fetch)
    origin  https://github.com/your_username/your_repo.git (push)
    $ git remote remove origin
    $ git remote add origin https://your_username@github.com/your_username/your_repo.git

git remote remove will also remove the upstream (tracking) reference for that remote, so the next time you push you'll need to use the --set-upstream option. Or perhaps you can just do something like

    $ git branch --set-upstream-to=origin/master master
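The same update can be made in place with git remote set-url, which leaves the branch tracking settings alone. The following is an added example, not part of the original notes; embed_user and pin_remote_user are hypothetical helper names. It refuses URLs that already carry a password or token, since anything embedded in the remote URL is stored in plain text in .git/config.

```shell
#!/bin/sh
# Added example; embed_user and pin_remote_user are hypothetical helper names.

# Print URL with USER embedded as the https username.
# Returns 1 for non-https URLs, 2 if the URL already carries a password/token.
embed_user() {
    eu_user=$1
    eu_url=$2
    case $eu_url in
        https://*) eu_rest=${eu_url#https://} ;;
        *) echo "not an https URL" >&2; return 1 ;;
    esac
    eu_authority=${eu_rest%%/*}          # user[:secret]@host[:port]
    case $eu_authority in
        *:*@*) echo "URL embeds a secret; remove it first" >&2; return 2 ;;
        *@*)   eu_rest=${eu_rest#*@} ;;  # drop the existing username
    esac
    printf 'https://%s@%s\n' "$eu_user" "$eu_rest"
}

# Rewrite REMOTE (default: origin) in the current repository so its URL names
# USER. set-url edits the URL in place, so branch.<name>.remote tracking
# settings stay as they are.
pin_remote_user() {
    pr_user=$1
    pr_remote=${2:-origin}
    pr_old=$(git remote get-url "$pr_remote") || return 1
    pr_new=$(embed_user "$pr_user" "$pr_old") || return 1
    git remote set-url "$pr_remote" "$pr_new"
}
```

Run pin_remote_user your_username inside the clone, then confirm the result with git remote -v.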

GitHub 2FA Credentials

Suppose you enable 2FA for one of your GitHub accounts. (Let's call it ghaaaa1.) When performing operations like git push, you'll need to authenticate using a personal access token instead of your password.

Clear cached credentials

You'll also need to clear the credentials that git has cached for you, for existing GitHub projects belonging to ghaaaa1.

I'm using macOS and the credential-osxkeychain credential helper. [TODO document how to configure git to use this helper.] credential-osxkeychain caches credentials in your keychain. To clear the cached credentials for your 2FA account, follow these instructions.

Create a personal access token

As noted, once 2FA is configured you no longer use your GitHub account password to authenticate. Instead, create a personal access token. After saving the token in a secure note, invoke git push origin master. When prompted for a password, paste or type in your personal access token.

Try another push

Stack Overflow suggests that, after setting up 2FA for an account, it may be necessary to remove and restore your remote URLs for that account, if your repo has been using an https URL. I think this is not really necessary. Simply doing a git push after clearing the keychain entry should have been enough to make git prompt me for a password, for which I used my personal access token.

More Info