How to disable SMS option in 2FA account access, without disabling Webauthn and 2FA entirely [obsolete]

[mk-fg]

EDIT:
THIS IS OBSOLETE (as of April 2023), and no longer how that UI looks and works on github!
There is no "Reconfigure" button anymore, likely because it's now possible to do without it.

Select Topic Area

Question

Body

I have and want to have two-factor authentication enabled, but only with strong methods that are useful to me, like Webauthn, and disable terrible insecure methods that can easily be used to bypass these entirely.

But under "Password and Authentication" - "Two-factor authentication", github lists "SMS/Text message" as one allowed 2FA method, which is definitely not the one I want to have, as it is rather trivial and cheap to attach new SIM to any phone with local carriers (or mostly their minimally-paid staff rather).
I can click "Edit" on that SMS authentication method and enter a different phone, but I see no way to disable or remove it.

Is there a way to disable "SMS/Text message" second-factor authentication method?
And if not, why not? Maybe it can be a request for improvement in Github's currently-broken 2FA instead.

Here is how configuration screen looks for me (after clicking on "..." next to SMS 2FA method):

2FA is required by an org, but that doesn't mention SMS anywhere specifically, and 2FA shouldn't be assumed to be SMS.

Having SMS method force-enabled makes 2FA rather pointless for me - anyone, with at least some minor local knowledge and ~$50, can just ignore whatever I setup there, SMS-bypassing it all, and then do whatever they want on my github and wherever I have commit access to.

This is not about "Fallback SMS number" recovery, which I never setup and indeed can be disabled, but rather disabling (and ideally never even allowing) SMS as a 2FA method to log into my github account.

Thanks in advance for any assistance.

[mk-fg]

Was told a solution after asking this question elsewhere - apparently "Reconfigure" button in the top-right can replace mandatory SMS auth option with TOTP, which is still not what I'd use, but easier to forget and ignore, unlike leaving SMS one open.
It does not currently clear Webauthn, and can be used even if account is required to have 2FA by an org. Worked for me.

[hansbogert]

I'm probably blind, but where is that button?

[mk-fg]

Top-right of the "Two-factor authentication" box, to the right of its header, left of the green "Enabled" button there.
You can see it in the attached image above, at least where it was for me at the time of asking the question.

[mk-fg]

Just checked my settings and yeah, it's gone - looks like they did change how things work there.

[DNin01]

They also said they were working on making it possible to use security keys as the primary second factor.

In the future, you'll also find security keys there as an option for initial setup on supported devices and browsers.

[kalbfled]

I have the same question/issue, and I also don't see a "Reconfigure" button.

[mk-fg]

Just checked - there isn't one for me either, guess it should be done in some different way.
Did edit the question/title to mark it as obsolete, as it's likely a global change on the site.

[kalbfled]

I added an authenticator app in addition to my security keys. Once I did that, I had the option to disable SMS.

[DNin01]

That makes sense - security keys cannot be used as a "primary" authentication method yet, though GitHub said they are working on that feature.

[beeb]

I added security keys as 2FA and selected them as preferred method, but I still can't remove the SMS method. Only an "edit" button that allows to change the number, no way to disable it.

EDIT: after adding the Authenticator app again, I was able to disable the SMS option. But then I can't disable the Authenticator app option. Why can security keys not be the only selected option?

[pedrosimao]

Maybe they are afraid of people loosing their security keys? But anyway, that's why recovery codes exists right?

[VannTen]

I'm facing the same problem.
Passkeys are nice and all, but if I can't disable SMS 2FA, it's kinda pointless.

[pedrosimao]

Same here! Did you find a way?

[scheepers]

I swear if I have to solve that puzzle one more fkn time I'll go sterile.

I've added SSH keys, passkeys, my blood type and sacrificed the artworks of several small children.

Where is the SMS 2fa removal or 2fa reconfigure process, button or altar of mammon so I can access an organisation I belong to?

[PavlekJ]

it wasnt showing for me either when it was my only 2fa method, I thought I was going insane.
Try configuring another 2fa method (ex. authenticator app), then you should see the three dots button in the SMS/Text message cell.

[lunvang]

Just found the solution!!
You have to add the "Authenticator app" two-factor method, and only then you'll be able to remove SMS.
I wish the UI would communicate that better, it was a pain to figure out.