2FA rejected on git push

I use the “git” command line interface from Windows 10 (git add, git commit, git push, etc.). Earlier this summer I enabled 2FA and was able to push commits to GitHub via the CLI using my user name and my PAT (copy-pasted) instead of my old password. The last time I pushed was just 18 days ago (September 9). I just tried to push some new changes, and it’s telling me

git push
Username for ‘https://github.com’: ***
Password for ‘https://@github.com’: <paste PAT here, isn’t visible>
remote: Support for password authentication was removed on August 13, 2021. Please use a personal access token instead.
remote: Please see https://github.blog/2020-12-15-token-authentication-requirements-for-git-operations/ for more information.
fatal: Authentication failed for 'https://github.com/
/***.git/’

(I don’t know how much will be exposed here, so I went ahead and ***'d out names). How do I get this working again? Has something changed in the last couple of weeks?

Could it be that your token has expired? AFAIK the “Support for password authentication was removed” message appears on any login failure over HTTPS.

The token was maybe 90 days or so old… is that how long it lives? The error message should suggest that as a possibility, and remind the user where to refresh it!

It’s one of the options you’re offered when generating the token, the default seems to be 30 days. I don’t know which option you chose when you generated the token. :slightly_smiling_face:

You can create a token that doesn’t expire (you can still revoke it). Of course a non-expiring token is more convenient, but also someone who can steal it can do damage for longer if you don’t notice and revoke the token. You’ll have to find the balance between convenience and security that fits your needs.

I think I generated the token in June, but I don’t remember if I selected a lifetime. Is there some place that will tell me that the PAT is indeed expired? Do I just repeat the process that created one in the first place, to create another, or do I have to do something to revoke the old one first (especially if it has not quite yet expired)? If I know how long the PAT is good for, I could make a note to change it on a specific date.

You can see your active tokens in your settings (Settings > Developer settings > Personal access tokens), including their expiry date(s), if any. I’m not sure if expired tokens are shown as expired for a while or just disappear immediately, but you should get a mail notification a few days before one expires.

It just keeps getting stranger and stranger. The PAT is listed as NOT expired. I then looked over the string (PAT) I was trying, and counted the characters, and it was one longer than my notes said it should be! I don’t know how it picked up an extra character, but that would certainly be the wrong token value. It’s unfortunate that the “password” input line doesn’t echo the token value, or I would have seen this a lot earlier.

Anyway, thank you for taking the time to work with me on this; hopefully the problem is fully resolved. The information given here might be of use to others – I will try to close it, but hopefully it will stick around for reference.

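Added example, not part of the original thread: a small Python check for the two failure causes discussed above (a pasted token with a stray extra character, and an expired token). It never prints the token itself. The function names are hypothetical, and the check assumes a classic PAT of the form `ghp_` plus 36 letters or digits and that the API reports expiry in the `GitHub-Authentication-Token-Expiration` response header.

```python
import getpass
import urllib.error
import urllib.request

# Assumption: a classic PAT is "ghp_" plus 36 letters/digits (40 chars total).
PREFIX, EXPECTED_LEN = "ghp_", 40

def diagnose_token(raw):
    """List problems with a pasted token without ever echoing the secret."""
    problems = []
    token = raw.strip()
    if token != raw:
        problems.append("%d leading/trailing whitespace character(s)" % (len(raw) - len(token)))
    # Anything outside ASCII letters, digits and "_" cannot belong to the token.
    stray = sorted({repr(c) for c in token if not (c.isascii() and (c.isalnum() or c == "_"))})
    if stray:
        problems.append("unexpected character(s): " + ", ".join(stray))
    if not token.startswith(PREFIX):
        problems.append("missing %s prefix" % PREFIX)
    elif len(token) != EXPECTED_LEN:
        problems.append("length %d, expected %d" % (len(token), EXPECTED_LEN))
    return problems

def check_online(token):
    """Return (HTTP status, expiry header or None) from the GitHub API."""
    req = urllib.request.Request(
        "https://api.github.com/user",
        headers={"Authorization": "token " + token, "User-Agent": "pat-check"},
    )
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, resp.headers.get("GitHub-Authentication-Token-Expiration")
    except urllib.error.HTTPError as err:
        return err.code, None  # 401 means the token was rejected

if __name__ == "__main__":
    pasted = getpass.getpass("Paste PAT (input hidden): ")
    issues = diagnose_token(pasted)
    for issue in issues:
        print("problem:", issue)
    if not issues:
        status, expires = check_online(pasted.strip())
        print("HTTP", status, "| expiry header:", expires)
```

A status of 200 with no expiry header means the token is accepted and has no expiration date set.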