Users appear as "insecure" despite having 2FA enabled

[geneorama]

Select Topic Area

Question

Body

In the People view in Organization I noticed that most users (including me) are listed as "insecure" despite requiring 2FA. I can verify in my account that 2FA is indeed enabled. I also tried switching it to SMS and back to see if that would reset it.

[its-avdhesh]

Hi! 👋 Great observation — this issue has confused quite a few GitHub users recently, and I’d be happy to help clarify it.

🔍 What’s Going On with "Insecure" Labels?

Even if 2FA is enabled, GitHub may still label your account (or others in your organization) as "Insecure" if:

1. You enabled 2FA after being added to the org, and your secure status hasn't refreshed yet.

2. You use third-party SSO or enterprise-managed login, but 2FA isn't enforced via GitHub's own settings.

3. There’s a sync delay in GitHub's backend security audit system — sometimes it takes a few hours or even a logout/login cycle to reflect updated 2FA settings.

4. Your authentication method changed (like from SMS to app-based TOTP), and GitHub hasn’t revalidated it in its org view.

---

✅ Recommended Fixes / Workarounds

• Log out and back in to GitHub, then refresh the People tab.

• Confirm 2FA using:
  👉 https://github.com/settings/security

• If you're an org owner/admin, go to:
  👉 Organization Settings > People > Security
  And double-check that the "Require two-factor authentication" policy is enabled for the entire organization.

• If you use Enterprise Managed Users (SSO), verify that GitHub’s native 2FA reporting is actually applicable. In some cases, GitHub may report “insecure” if it cannot verify 2FA from external IdPs.

---

🧠 TL;DR

Problem	Possible Cause	Action
2FA enabled but still marked "insecure"	GitHub audit lag, recent changes, SSO inconsistency	Log out/in, wait, confirm org-wide enforcement

---

Let me know if you'd like help verifying your org settings or testing it from another account — happy to assist!

💡 If this helps resolve your question, I’d appreciate it if you mark this answer as accepted ✅ — it helps others in the community too!

[geneorama]

I have had 2FA enabled for more than a year. I currently use Github Mobile as my preferred 2FA, but I also have text enabled.

If you're an org owner/admin, go to:
👉 Organization Settings > People > Security
And double-check that the "Require two-factor authentication" policy is enabled for the entire organization.

This is not the correct location of that setting. I think you're talking about Settings > Authentication Security.

That's not enabled, even though I think I have enabled it in the past (or another owner enabled it). Either way, it should not affect the status of individuals being secure or insecure, and furthermore I don't want to enable and lock my account out of the organization (at least not on a Friday).

[geneorama]

Also, can you provide any links to where has this issue been raised? I searched the forum for this issue and did not find it. I don't want to duplicate efforts.

[PawanR-deveops]

I've noticed that in the People view under Organization, most users—including myself—are marked as "insecure," even though we have 2FA enabled. I've double-checked my account and can confirm that 2FA is active. I also tried toggling between SMS and other methods to see if that would refresh the status, but it didn't help.

Could you please clarify why this status appears and whether there's something else we need to do to reflect the correct security posture are not ?

[marcransome]

Disable methods marked as "Less secure" in the two-factor authentication settings to resolve this issue, such as "SMS/Text message":