🏁Quickstart

A step-by-step guide on how to quickly get started with OTP Guard.

1. Install the OTP Guard application for Github

Use this link to install the OTP Guard application for Github. The screen should look similar to the following, but your account name and organization details may differ:

Screenshot of the OTP Guard application installer on Github, with a list of accounts to grant permissions to - either the `josh-transfix` user or the Transfix AI organization
OTP Guard installer on Github

2. Grant OTP Guard access to organization repositories

Access can be granted to only selected repositories, or all of them. This can be changed anytime.

Screenshot of the repository permission screen on Github for OTP Guard. This shows the permissions that OTP Guard requires (read access to organization members, PRs and repository metadata), and read/write access to PR checks.
Grant OTP Guard access to organization repositories

The permissions that OTP Guard requires are extremely limited: it can only read repository metadata (Github makes this permission mandatory), organization members (so OTP Guard knows who can actually access the app), and pull requests.

Note that OTP Guard can only read PR metadata (authors, PR descriptions, commit messages, etc.) but not the actual code itself, nor can OTP Guard see the contents of PR reviews.

OTP Guard also needs read-write access to checks, which produce the green and red checkmarks shown for PR status checks.
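One way to confirm that an installation holds only the permissions listed above (an added example, not OTP Guard's own code): it compares the `permissions` object of an installation record, shaped like an entry from GitHub's `GET /orgs/{org}/installations` response, against that list. The mapping of this page's wording to permission keys, the sample records and the `otp-guard-example` slug are assumptions constructed for this example.

```python
# Added example: audit a GitHub App installation's granted permissions
# against the set this page documents. All sample data is constructed.

LEVELS = {"none": 0, "read": 1, "write": 2, "admin": 3}

# Permissions described on this page, written as GitHub API permission keys
# (the mapping from the page's prose to these keys is an assumption).
EXPECTED = {
    "metadata": "read",
    "members": "read",
    "pull_requests": "read",
    "checks": "write",
}


def audit_permissions(installation, expected=EXPECTED):
    """Return sorted findings; an empty list means the grant matches."""
    granted = installation.get("permissions", {})
    findings = []
    for name, level in granted.items():
        if level not in LEVELS:
            findings.append(f"unknown level: {name}={level}")
            continue
        allowed = expected.get(name, "none")
        if LEVELS[level] > LEVELS[allowed]:
            findings.append(f"excess: {name}={level} (documented: {allowed})")
    for name, level in expected.items():
        have = granted.get(name, "none")
        if LEVELS.get(have, 0) < LEVELS[level]:
            findings.append(f"missing: {name}={level} (granted: {have})")
    return sorted(findings)


# Constructed records shaped like one entry of the installations list.
SAMPLE_OK = {"app_slug": "otp-guard-example", "repository_selection": "selected",
             "permissions": {"metadata": "read", "members": "read",
                             "pull_requests": "read", "checks": "write"}}
# Drifted grant: code access added, PR access raised, checks access absent.
SAMPLE_DRIFT = {"app_slug": "otp-guard-example", "repository_selection": "all",
                "permissions": {"metadata": "read", "members": "read",
                                "pull_requests": "write", "contents": "read"}}

if __name__ == "__main__":
    for record in (SAMPLE_OK, SAMPLE_DRIFT):
        print(record["app_slug"], audit_permissions(record) or "matches")
```

Any `contents` entry in the findings means the installation can read code, which this page says OTP Guard does not need.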

3. Make a pull request in a repository protected by OTP Guard

A Github check will be created for the PR. For the best security coverage, set up branch protection rules on Github so that the PR can't be merged until after someone reviews and approves it.

Screenshot of a Github status indicator for a PR in a repository which has OTP Guard installed on it.
Check request for OTP Guard

4. Authorize the pull request with OTP Guard

Click on the "Details" of the status check to drill down, and "Resolve" to authorize the PR on the OTP Guard website.

Drill-down on the status indicator showing how to click through to visit OTP Guard on the 'Resolve' button.
Click 'resolve' to authorize the PR with OTP Guard

5. Register your first authenticator

When authorizing a pull request for the first time, OTP Guard will prompt you to set up an authenticator. For more information on the types of authenticators OTP Guard supports, please see the Authenticator Types page.

Authenticator registration screen on OTP Guard. This lists the authenticators available to choose from - TOTP, platform (WebAuthn) or security key authenticators.
Registering an authenticator with OTP Guard for the first time

You will have a separate set of authenticators for every Github organization that you are a member of, so that authenticators can be managed independently by organization administrators.

6. Finish authorizing the pull request

Once an authenticator has been registered, the PR authorization process is straightforward. For a platform authenticator or security key, simply click 'Authorize' and follow the prompts. For a TOTP, enter the six-digit code and submit.

Screenshot of the PR authorization screen in OTP Guard, for a test repository.
Authorizing a pull request with OTP Guard
