I got out of prison and couldn’t log into my GitHub.
The password was changed while I was gone. The phone number tied to the account got transferred to another carrier. The device with my two-factor authentication codes—gone. Eighteen months away, and I came back to find myself locked out of my own account.
GitHub, for those unfamiliar, is where programmers store and share code. It’s the largest platform of its kind. Your GitHub account is your professional identity if you work in software. It’s your portfolio, your history, your proof of work. Mine had twelve years of contributions on it. Every project I’d built, every line I’d written, every collaboration I’d been part of.
The obvious response is “just make a new one.” It’s not that simple. That account has two nearly-finished books in private repositories—projects I’d been working on for years. Intellectual property I was developing. Contractual work I’m still legally responsible for delivering. Libraries that other developers depend on, and those have gone stale in my absence because I can’t push updates. The username itself—joshmn—is mine in a way that matters to me, even if it shouldn’t, but that’s beside the point. It’s how people in my industry know me. Starting over with joshmn2 or realJoshBrody isn’t really starting over. It’s admitting that the confirm-your-identity process is correct and practical and reasonable.
When I got out of federal prison, these problems affected most of my digital life: this domain (the only one that really matters to me), social media accounts (those are throwawayable), and some other less notable things. I was able to recover those after a lengthy and sometimes painful process. But others have proven difficult, if not unreasonable, to a degree.
Update: On January 13, 2026 I was restored access to my GitHub. My feelings about 2FA persist.
Every method failed
GitHub offers recovery methods. They’re reasonable. They all failed.
API key verification? I had an old personal access token associated with my account. I provided it. GitHub said it was expired and therefore didn’t count. The logic is sound—an expired key could have been compromised, leaked, harvested from some old breach. They can’t trust it. But I had it. I knew it. It was mine.
SMS verification? The phone number tied to my account is gone. Transferred to another provider after it went stale. I can’t receive a text at a number that’s no longer mine.
Two-factor authentication codes? The device that had my authenticator app was gone. The backup codes were printed on paper that I have to assume was thrown out or destroyed. Maybe they’re sitting in a landfill somewhere unshredded. Maybe they were burned. Either way, I don’t have them.
Each method makes sense in isolation. Each method assumes you still have access to something you set up years ago—a phone number, a device, a piece of paper. The system is designed for people who lose one factor at a time, not all of them at once. I lost everything simultaneously. Not because I was careless, but because I went to prison and someone I trusted decided to take what was mine.
This could be you
I know what you’re thinking. This is a prison story. This doesn’t apply to me. But you don’t have to go to prison to end up here.
Your fault-ish: Your phone gets stolen on vacation. You’re in Barcelona, you set your bag down for thirty seconds, and it’s gone. Your whole digital life was in that bag. Your authenticator app, your SIM card, your backup codes saved in a notes app you thought was clever.
Less your fault: house fire. Everything you own is ash. Including the drawer where you kept that piece of paper with your recovery codes, the one you printed out three years ago and never thought about again.
Maybe your fault: nasty divorce. Your ex won’t hand over the iPad—the one that has your authenticator app on it, the one you set up back when you shared everything and didn’t think about what would happen when you didn’t.
Your brain’s fault: you switch phones. You’re excited about the new one. You restore from backup, everything seems fine, and then you wipe the old phone before you realize your authenticator app doesn’t transfer automatically. The codes are gone. You didn’t even know they were stored locally.
Not your fault, kind of: you get laid off. You return the work laptop and the work phone—the one that had your personal authenticator on it, because who keeps work and personal separate anymore? IT wipes the device before you remember what was on it.
Sad, hopefully not your fault: your parent dies, and they were your emergency contact, your backup plan, the person who had the envelope with your codes in their safe. Now their estate is in probate and you can’t access anything.
My point is that almost nobody writes down backup codes. Everyone assumes they’ll have access to their phone forever. Everyone assumes their circumstances won’t change dramatically. Until they do.
You are not your phone.
I asked the internet
I posted on Hacker News asking for help. Hacker News is a forum popular with programmers and startup founders: the kind of people who think carefully about security, who have opinions about encryption, and who, in many cases, built the systems that now decide how we identify ourselves online after brainstorming them over coffee. They're mostly a skeptical-by-default crowd. If you want to know whether your take is defensible, post it there and wait for someone to tell you why you're wrong. While it may sound like reddit in its existence and description, it could not be more unlike reddit in its community.
The post got over a hundred comments (this is a lot on Hacker News). People debated both sides.
The top response cut right to it: “The situation you are in is very unfortunate and I am sympathetic but in GitHub’s defence, this is exactly what I hope would happen when I enable 2FA. I would be very perturbed to find out that GitHub would grant access to my account given identity documents.”
I sat with that for a while. Then I replied: “That’s the same stance I have and why I’m torn.”
I meant it. I still do.
Everyone had ideas
The comment section was full of suggestions. Smart people trying to solve an unsolvable problem.
Put your ID on file ahead of time—driver’s license, passport, something official. That way, if you ever lose access, you can verify with government documents. Sounds reasonable. But think about what that actually means. You’ve now turned two-factor authentication into single-factor authentication. The ID becomes the master key that bypasses everything else. Anyone who can forge or steal your ID—or coerce you into handing it over—now has a backdoor into your account. That’s not more secure. That’s less secure with extra steps.
Offer in-person verification for a fee. Fly to GitHub’s headquarters in San Francisco, show up with your passport, sit across from a human being, pay whatever it costs. Sounds reasonable. Doesn’t scale. GitHub has over 100 million users. They’re owned by Microsoft now and even they can’t run an identity verification desk for everyone who loses their second factor. The math doesn’t work. And who’s qualified to verify identity anyway? What training would that person have? What liability would they take on?
Get a court order. Have a judge confirm you are who you say you are, legally and officially, with the full weight of the judicial system behind it. Sounds reasonable. Also: it's a GitHub account, a place where I store code, and a judge confirming my identity doesn't by itself prove the account is mine. The fact that "get a federal judge involved" is even on the table tells you something about how deeply broken this situation is. How did we get here? How did we build a system where recovering your own property requires the intervention of the courts?
And yet—here I am. That’s exactly what I’m doing.
Lawyers, for a GitHub account
I have lawyers involved now. Real lawyers, from a real law firm, billing real hours. They contacted GitHub’s legal team. The first suggestion from GitHub was that I could ask my probation officer to request that a judge issue an order confirming my identity. For a GitHub account. The lawyers consulted with criminal defense attorneys in the relevant jurisdiction and determined that approach was unlikely to work—judges don’t typically issue orders like that at a probation officer’s request.
So we pivoted. The solution currently on the table: a notarized affidavit, sworn under penalty of perjury, attesting that I am who I say I am and that the account belongs to me. Multiple government IDs—passport, state ID, the federal release identification card I was issued upon leaving prison. A list of private repository names that only the real account owner would know. An expired API token that was tied to the account. Oh, and a hang-myself clause: me acknowledging that if I’m lying, GitHub can refer the matter to law enforcement and my probation officer.
All of this. For a GitHub account.
This is by design
Here’s the thing: this is correct behavior.
If someone was trying to social engineer their way into your account—if an attacker wanted access to your code, your private repositories, your credentials—you’d want GitHub to make it this hard. You’d want them to require a notarized affidavit. You’d want them to demand information only the real owner could know. You’d want them to ask for multiple forms of government identification and still be skeptical.
You’d want them to ignore the sob story.
Because attackers have sob stories too. They’re good at this. Social engineering is a craft. The email that says “I’m locked out of my account, my grandmother just died and I need access to her repository” might be true. Or it might be the opening move in a supply chain attack that compromises thousands of downstream systems. GitHub can’t tell the difference. They’re not supposed to be able to tell the difference. That’s the whole point.
The system can’t distinguish between “legitimate owner in an unusual situation” and “attacker with a compelling narrative.” If there were an escape hatch for sympathetic cases—some process where, if your story was sad enough, they’d let you in—that escape hatch is exactly what every attacker would exploit. The security model depends on there being no exceptions. My situation is unusual, but it’s not special. The rules apply to me because they have to apply to everyone.
GitHub accounts are infrastructure
This isn’t just about me being locked out of my stuff. GitHub accounts are critical infrastructure for not only my career but also for the infrastructure of humanity—save for uncontacted tribes.
Think about how modern software gets built. Nobody writes everything from scratch anymore. You pull in open-source code that handles common tasks. That code is very likely stored on GitHub, most of it maintained by individual developers, often volunteers, often working alone. When you add this code to your code, you’re trusting that the person who maintains it is who they say they are, and the code is what it says it is.
One compromised maintainer account can push malicious code to a package that gets pulled into thousands of pieces of software downstream. A single bad update can propagate through the entire ecosystem in hours. We've seen this happen. In 2021, a popular JavaScript package called ua-parser-js was compromised; malicious code was pushed to millions of downstream users. The same year, the coa and rc packages were hijacked. (Those were npm publishing accounts rather than GitHub accounts, but the lesson about a single maintainer login is the same.) In 2024, a backdoor was discovered in xz Utils, a compression library used in virtually every Linux distribution, the result of a years-long social engineering campaign to gain a maintainer's trust.
These attacks are getting more sophisticated. The stakes are enormous. A major supply chain compromise could affect banking systems, hospitals, power grids—anything that runs on software, which is everything.
The paranoia isn’t paranoia. It’s proportional to the risk.
GitHub can’t afford to get this wrong. And “wrong” means giving access to someone who shouldn’t have it. From their perspective, being too strict is a feature, not a bug. The cost of locking out a legitimate user is annoying for that user. The cost of letting in an attacker is potentially catastrophic for everyone who depends on the software that attacker can now compromise.
I’m annoyed. But I understand.
The thing is not you
The deeper problem is philosophical, and it’s one we haven’t fully grappled with as a society.
Two-factor authentication doesn’t prove you are you. It proves you have access to a thing.
The thing is not you. It’s a phone, an app, a hardware key, a piece of paper with codes printed on it, a SIM card, a device. We call it “something you have,” as distinct from “something you know” (your password) and “something you are” (your fingerprint, your face). But “something you have” is precarious in a way we don’t like to admit. You can lose it. It can be stolen. It can break. It can be taken from you by someone you trusted. It can be destroyed in a fire or a flood. It can be confiscated by the state.
When the thing is gone—stolen, broken, wiped, transferred, burned, seized—you become indistinguishable from an attacker. You’re just someone claiming to be the account owner without the credentials to prove it. You can have a passport, a birth certificate, a social security card, a federal release ID, witnesses who will swear you are who you say you are. None of that matters. The system doesn’t verify identity. It verifies possession.
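To make "it verifies possession" concrete, here is what a second-factor check actually computes. This is an added illustration, not code from the original post or from GitHub: a minimal TOTP verifier (RFC 6238 on top of RFC 4226 HMAC-SHA1) and a server-side store of hashed, single-use recovery codes. The account dict, the class and function names and the demo values are mine; the only real data is the RFC 6238 Appendix B test secret, used so the outputs can be checked against the published vectors.

```python
# Added illustration, not code from the original post. A minimal TOTP verifier
# (RFC 6238 on top of RFC 4226 HMAC-SHA1) and a hashed one-time recovery-code
# store. The account dict, the class and function names, and the demo values
# are assumptions; the only real test data is the RFC 6238 Appendix B secret.
import hashlib
import hmac
import secrets
import struct
from typing import Optional

RFC6238_TEST_SECRET = b"12345678901234567890"  # published RFC test-vector secret


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    truncated = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(truncated % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP whose counter is the number of `step`-second intervals since the epoch."""
    return hotp(secret, unix_time // step, digits)


def verify_totp(secret: bytes, code: str, unix_time: int, step: int = 30, window: int = 1) -> bool:
    """Accept the current step and +/- `window` neighbours to tolerate clock drift.
    Constant-time comparison so a wrong guess leaks nothing about the right code."""
    for drift in range(-window, window + 1):
        expected = totp(secret, unix_time + drift * step, step)
        if hmac.compare_digest(expected.encode(), code.encode()):
            return True
    return False


class RecoveryCodes:
    """Server-side store of single-use recovery codes.

    Only salted hashes are kept. The plaintext exists exactly once, at generation
    time, and after that only wherever the user copied it. The service cannot
    re-issue or look up the codes later, which is why nobody can read them back
    to you over the phone.
    """

    def __init__(self, count: int = 8) -> None:
        self._salt = secrets.token_bytes(16)
        self._hashes = set()
        self.show_once = []                  # display to the user once, then discard
        for _ in range(count):
            code = secrets.token_hex(8)      # 64 bits of entropy: random, not user-chosen,
            self._hashes.add(self._digest(code))  # so a fast salted hash is adequate here
            self.show_once.append(code)

    def _digest(self, code: str) -> str:
        return hashlib.sha256(self._salt + code.encode()).hexdigest()

    def redeem(self, code: str) -> bool:
        digest = self._digest(code)
        if digest in self._hashes:
            self._hashes.remove(digest)      # burn it: each code works exactly once
            return True
        return False

    def remaining(self) -> int:
        return len(self._hashes)


def second_factor_ok(account: dict, unix_time: int, totp_code: Optional[str] = None,
                     recovery_code: Optional[str] = None) -> bool:
    """The whole second-factor check. Every input is something you HAVE: a code
    derived from the enrolled secret, or an unspent recovery code. There is no
    parameter for a passport, an affidavit or a convincing story."""
    if totp_code is not None and verify_totp(account["totp_secret"], totp_code, unix_time):
        return True
    if recovery_code is not None and account["recovery"].redeem(recovery_code):
        return True
    return False


if __name__ == "__main__":
    account = {"totp_secret": RFC6238_TEST_SECRET, "recovery": RecoveryCodes(count=4)}
    saved_code = account["recovery"].show_once[0]   # the one you wrote on paper
    # Device in hand: the phone computes the same code from the same secret.
    print(second_factor_ok(account, 59, totp_code=totp(RFC6238_TEST_SECRET, 59)))
    # Device gone, paper kept: the recovery code works once, then never again.
    print(second_factor_ok(account, 59, recovery_code=saved_code),
          second_factor_ok(account, 59, recovery_code=saved_code))
    # Device gone, paper gone: nothing left to present, however real you are.
    print(second_factor_ok(account, 59))
```

Two things are worth noticing. The server never holds anything that identifies a person, only a shared secret and a set of hashes, so there is no field in which a passport could even be entered. And because only hashes of the recovery codes are stored, the provider genuinely cannot regenerate them for you; the copy you keep is the only copy, which is the whole case for writing them down.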
There's no "I am obviously the real owner" escape hatch. There can't be. That escape hatch would be a security vulnerability. The whole model depends on the authentication factors being the only path in. A forged passport and a smiling face mean you can travel as whoever the passport says you are; the document vouches for an identity, not the person holding it.
We’ve built a world where access to a device is more authoritative than legal identity documents. Where losing a phone is more consequential than losing a passport. Where the thing in your pocket is more “you” than you are.
I’m not sure that’s wrong. I’m not sure it’s right either. But it’s where we are.
Waiting
I’m still waiting to hear back on the affidavit. Maybe it works. Maybe GitHub’s legal team reviews everything, confirms the information matches what’s on their end, and restores my access. Maybe I get my account back, my twelve years of work, my books, my packages, my username.
Or maybe they find some reason to say no. Maybe there’s another hoop, another document, another verification step. Maybe this drags on for months. I don’t know. That’s fine, I’ll get it back eventually. But I’m at the mercy of a process I can’t control, trying to prove I’m me to a system designed to be skeptical of exactly that claim.
But the lesson here isn’t “GitHub’s recovery process is broken.” It’s not. The process is working exactly as designed. The lesson is that we’ve all made a trade-off we didn’t fully think through.
We added two-factor authentication because security matters. Because passwords get leaked, phished, guessed, reused across sites. Because we needed something stronger. And two-factor is stronger. It’s dramatically harder for an attacker to compromise an account protected by 2FA. That’s not nothing. That’s important.
But we didn’t think about the failure mode. We didn’t consider what happens when the second factor disappears. We didn’t ask ourselves: what’s the recovery path when everything goes wrong at once?
The answer, it turns out, is lawyers and affidavits and government IDs and still maybe not getting your account back. The answer is that there’s no good answer.
Write down your backup codes
Write down your backup codes.
I’m serious. Do it today. Do it right now, before you forget, before you convince yourself you’ll get to it later.
Put them somewhere that isn’t your phone. Isn’t your computer. Isn’t in the cloud, where they could be compromised by the same breach that takes your account. Isn’t in the possession of someone who might betray you. Make copies of it, and bury it where you’d bury gold, and put it in a safe deposit box, and somewhere in the woods. A fireproof safe bolted to your floor. A sealed envelope with a lawyer. Best idea is tattooed on your inner thigh, but that’s compromisable too, I guess.
Just somewhere that will survive whatever your personal disaster turns out to be. Because if you lose them, you’re me. And being me is a lot of paperwork.