Since I forget this at regular intervals, here are notes on managing credentials for multiple github accounts, and on securing those accounts with two-factor authentication (2FA) and personal access tokens.
If you have multiple github accounts, e.g., for work on multiple client projects, you need to take care when configuring the origin URLs. When using https origin URLs, be sure to embed the desired github username in the remote:
For local repositories that have already been cloned, you may need to update the repository upstream URL. Although this can be done with git remote set-url, I usually use multiple steps.
$ git remote -v
origin https://github.com/your_username/your_repo.git (fetch)
origin https://github.com/your_username/your_repo.git (push)
$ git remote remove origin
$ git remote add origin https://your_username@github.com/your_username/your_repo.git
git remote remove will also remove the upstream (tracking) reference for that remote, so the next time you push you'll need to use the --set-upstream option. Or perhaps you can just do something like
$ git branch --set-upstream-to=origin/master master
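The single-step alternative with git remote set-url, as an added example that is not part of the original notes: it rewrites only the URL, so the branch tracking configuration is left alone. The function names embed_user and pin_remote are hypothetical, and replacing any existing userinfo (which also drops a password or token embedded in the URL) is a choice made for this example.

```shell
#!/bin/sh
# Added example: pin a GitHub username into an https remote URL.
# embed_user and pin_remote are hypothetical helper names.

# embed_user URL USER
# Prints URL with USER as the only userinfo when the host is github.com.
# Any existing "user@" or "user:secret@" part is replaced, so a password or
# token embedded in the URL does not survive in .git/config.
# URLs that are not https, or not on github.com, are printed unchanged.
embed_user() {
    eu_url=$1
    eu_user=$2
    eu_rest=${eu_url#https://}
    # Not an https URL (for example an ssh remote): leave it alone.
    if [ "$eu_rest" = "$eu_url" ]; then printf '%s\n' "$eu_url"; return 0; fi
    # No path component: nothing sensible to rewrite.
    case $eu_rest in */*) ;; *) printf '%s\n' "$eu_url"; return 0 ;; esac
    eu_authority=${eu_rest%%/*}      # [userinfo@]host, up to the first "/"
    eu_host=${eu_authority##*@}      # host with any userinfo stripped
    if [ "$eu_host" = github.com ]; then
        printf 'https://%s@github.com/%s\n' "$eu_user" "${eu_rest#*/}"
    else
        printf '%s\n' "$eu_url"
    fi
}

# pin_remote REMOTE USER
# Rewrites REMOTE in the current repository in place with set-url.
pin_remote() {
    pr_old=$(git remote get-url "$1") || return 1
    pr_new=$(embed_user "$pr_old" "$2")
    if [ "$pr_new" != "$pr_old" ]; then
        git remote set-url "$1" "$pr_new"
    fi
}

# Usage from inside a clone: sh pin_remote.sh origin your_username
if [ "$#" -eq 2 ]; then
    pin_remote "$1" "$2"
fi
```

Run git remote -v afterwards to confirm the new URL; no --set-upstream is needed on the next push.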
Github 2FA Credentials
Suppose you enable 2FA for one of your github accounts. (Let's call it ghaaaa1.) When performing operations like git push, you'll need to authenticate using a personal access token instead of your password.
Clear cached credentials
You'll also need to clear the credentials that git has cached for you, for existing github projects belonging to
I'm using macOS and the credential-osxkeychain credential helper. [TODO document how to configure git to use this helper.] credential-osxkeychain caches credentials in your keychain. To clear the cached credentials for your 2FA account, follow these instructions.
Create a personal access token
As noted, once 2FA is configured you no longer use your github account password to authenticate. Instead, create a personal access token. After saving the token in a secure note, invoke git push origin master. When prompted for a password, paste or type in your personal access token.
Try another push
Stack Overflow suggests that, after setting up 2FA for an account, it may be necessary to remove and restore your remote URLs for that account, if your repo has been using an https URL. I think this is not really necessary. Simply doing a git push after clearing the keychain entry should have been enough to make git prompt me for a password, for which I used my personal access token.