Skip to content

Update github-account-recovery-policy.md #38537

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 5 commits into
base: main
Choose a base branch
from
Open

Update github-account-recovery-policy.md #38537

wants to merge 5 commits into from

Conversation

EarlyEdition
Copy link

@EarlyEdition EarlyEdition commented May 26, 2025
edited
Loading

Updating policy to the github account recovery. This PR was created in site-policy repo. (github/site-policy#1049)

  1. Open a pull request directly in the GitHub Docs repo.

Why:

Closes: #37993
github/site-policy#1048

What's being changed (if available, include any code snippets, screenshots, or gifs):

This policy makes it clear that GitHub Support will not unlock accounts if the user has forgotten the account password, even if the user has access to two-factor authentication (2FA) and github recovery codes.

Check off the following:

  • A subject matter expert (SME) has reviewed the technical accuracy of the content in this PR. In most cases, the author can be the SME. Open source contributions may require an SME review from GitHub staff.
  • The changes in this PR meet the docs fundamentals that are required for all content.
  • All CI checks are passing and the changes look good in the review environment.

@EarlyEdition EarlyEdition requested a review from a team as a code owner May 26, 2025 15:58
@welcome Welcome
Copy link

welcome bot commented May 26, 2025

Thanks for opening this pull request! A GitHub docs team member should be by to give feedback soon. In the meantime, please check out the contributing guidelines.

@github-actions GitHub Actions
Copy link
Contributor

github-actions bot commented May 26, 2025
edited
Loading

How to review these changes 👓

Thank you for your contribution. To review these changes, choose one of the following options:

A Hubber will need to deploy your changes internally to review.

Table of review links

Note: Please update the URL for your staging server or codespace.

The table shows the files in the content directory that were changed in this pull request. This helps you review your changes on a staging server. Changes to the data directory are not included in this table.

Source Review Production What Changed
site-policy/other-site-policies/github-account-recovery-policy.md fpt
 fpt

Key: fpt: Free, Pro, Team; ghec: GitHub Enterprise Cloud; ghes: GitHub Enterprise Server

🤖 This comment is automatically generated.

@github-actions github-actions bot added the triage Do not begin working on this issue until triaged by the team label May 26, 2025
@Sharra-writes Sharra-writes added site policy Content related to site policy and removed triage Do not begin working on this issue until triaged by the team labels May 26, 2025
@Sharra-writes
Copy link
Contributor

Hi! Thanks for opening a PR. I've never dealt with one of these before, and it looks like it's part of the process for working things out in site-policy. If you need me to play a role in that process, let me know! My job is mostly talking to people and asking questions, so I'm happy to do it for this, too. 💛

@EarlyEdition
Copy link
Author

EarlyEdition commented May 29, 2025
edited
Loading

If you need me to play a role in that process, let me know! My job is mostly talking to people and asking questions, so I'm happy to do it for this, too. 💛

@Sharra-writes I appreciate your work and thank you for your effort.
May I ask you to talk to @margaret-tucker, the site-policy admin, to review my PR?

@Sharra-writes
Copy link
Contributor

@EarlyEdition Sorry, this is a new process that I hadn't seen the steps for yet. I thought this process was for the site-policy repo, but it's actually more for ours. Let me dig in and figure out how to get this moved along!

Small thing: please don't ping people directly in here. One of my jobs is managing information flow so that things go where they need to and no one gets overwhelmed, which doesn't work if people are getting pinged. (You can always use the tick marks around a name to reference someone without actually pinging them.)

Anyway, I'll get going on this! Thanks for getting back to me.

@Sharra-writes Sharra-writes added the content This issue or pull request belongs to the Docs Content team label May 29, 2025
@EarlyEdition
Copy link
Author

@Sharra-writes I thank you for reviewing my PR. I'm not sure about changing the wording for clarity. I think having GitHub recovery codes is enough to recover the account. Otherwise what is the purpose of the account recovery form in GitHub support?

Image

@EarlyEdition EarlyEdition mentioned this pull request May 30, 2025
Closed
@Sharra-writes
Copy link
Contributor

@EarlyEdition You might be right. I spent probably 10 minutes trying to figure that out. This comment from the original post is where I'm pulling the changes from:

I'm afraid that the 2FA credentials you may have are only valid as the second factor of authentication. For security reasons, they cannot (in any way) interact with the first factor of authentication; which would be the account password or, if lost, the account's primary email address for a password reset.

I think they're saying that the account recovery codes are only valid as a second form of authentication? It sounds like you must have either the password or access to the account's primary email, regardless of account recovery codes. How does that interact with the form? I don't know. I can definitely see how the form might be frustrating, because it seems to offer hope that there are other ways to recover an account, even though the documentation says that support won't do things like verify IDs, to prevent social engineering.

Let me know how you read that comment.

@EarlyEdition
Copy link
Author

EarlyEdition commented May 30, 2025
edited
Loading

@Sharra-writes Thank you for your enlightening discussion and information. As far as I remember, GitHub account recovery form did not exist until last year. There is a contradiction between what support says and the account recovery policy. I am not saying that filling out the GitHub account recovery form alone proves the ownership of the account. However, access to 2FA and account recovery codes along with filling out the recovery form can prove the account ownership. I've created a ticket about two weeks ago to recover my old account, but I still haven't received any response from GitHub support.

image

@Sharra-writes
Copy link
Contributor

@EarlyEdition This may be something where we need to rope in Support or someone from site-policy just to tell us what we should be asking for. Let me talk to the person who authored the new process for doing all this, because I'm also finding apparent inconsistencies in the internal documentation. I can't offer a timeline on that since he's out of office for a while, but if you hear back from Support, I would be very interested to know what they tell you.

@EarlyEdition EarlyEdition marked this pull request as draft June 1, 2025 14:39
@EarlyEdition EarlyEdition marked this pull request as ready for review June 2, 2025 23:50
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@Sharra-writes Sharra-writes

At least 1 approving review is required to merge this pull request.

Assignees
No one assigned
Labels
content This issue or pull request belongs to the Docs Content team site policy Content related to site policy
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

GitHub Account Recovery Policy
2 participants
@EarlyEdition @Sharra-writes