diff --git a/.github/workflows/validate-asset-images.yml b/.github/workflows/validate-asset-images.yml index 22dd39e7a868..2b3898025d0d 100644 --- a/.github/workflows/validate-asset-images.yml +++ b/.github/workflows/validate-asset-images.yml @@ -1,6 +1,6 @@ name: Validate asset images -# **What it does**: Run ./src/assets/scripts/validate-asset-images.js on all images in assets/ +# **What it does**: Run ./src/assets/scripts/validate-asset-images.ts on all images in assets/ # **Why we have it**: To protect from innocent and potentially malicious bad image assets # **Who does it impact**: Docs content. diff --git a/assets/images/help/2fa/filter-enterprise-members-by-2fa.png b/assets/images/help/2fa/filter-enterprise-members-by-2fa.png new file mode 100644 index 000000000000..a64f84749754 Binary files /dev/null and b/assets/images/help/2fa/filter-enterprise-members-by-2fa.png differ diff --git a/assets/images/help/2fa/filter-org-members-by-2fa.png b/assets/images/help/2fa/filter-org-members-by-2fa.png index d9c9a66babff..70752c1f5a3b 100644 Binary files a/assets/images/help/2fa/filter-org-members-by-2fa.png and b/assets/images/help/2fa/filter-org-members-by-2fa.png differ diff --git a/assets/images/help/2fa/legacy-filter-org-collaborators-by-2fa.png b/assets/images/help/2fa/legacy-filter-org-collaborators-by-2fa.png new file mode 100644 index 000000000000..db309c221a6c Binary files /dev/null and b/assets/images/help/2fa/legacy-filter-org-collaborators-by-2fa.png differ diff --git a/assets/images/help/2fa/legacy-filter-org-members-by-2fa.png b/assets/images/help/2fa/legacy-filter-org-members-by-2fa.png new file mode 100644 index 000000000000..d9c9a66babff Binary files /dev/null and b/assets/images/help/2fa/legacy-filter-org-members-by-2fa.png differ 
diff --git a/content/admin/enforcing-policies/enforcing-policies-for-your-enterprise/enforcing-policies-for-security-settings-in-your-enterprise.md b/content/admin/enforcing-policies/enforcing-policies-for-your-enterprise/enforcing-policies-for-security-settings-in-your-enterprise.md index e7c3d44d8f3c..087350374b2f 100644 --- a/content/admin/enforcing-policies/enforcing-policies-for-your-enterprise/enforcing-policies-for-security-settings-in-your-enterprise.md +++ b/content/admin/enforcing-policies/enforcing-policies-for-your-enterprise/enforcing-policies-for-security-settings-in-your-enterprise.md 
@@ -38,7 +38,7 @@ You can enforce policies to control the security settings for organizations owne Before you can require two-factor authentication for all organizations owned by your enterprise, you must enable 2FA for your own account. For more information, see "[AUTOTITLE](/authentication/securing-your-account-with-two-factor-authentication-2fa)." -Before you require use of two-factor authentication, we recommend notifying organization members, outside collaborators, and billing managers and asking them to set up 2FA for their accounts. Organization owners can see if members and outside collaborators already use 2FA on each organization's People page. For more information, see "[AUTOTITLE](/organizations/keeping-your-organization-secure/managing-two-factor-authentication-for-your-organization/viewing-whether-users-in-your-organization-have-2fa-enabled)." +Before you require use of two-factor authentication, we recommend notifying organization members, outside collaborators, and billing managers and asking them to set up 2FA for their accounts. Organization owners can see if members and outside collaborators already use 2FA on each organization's "People" page. For more information, see "[AUTOTITLE](/organizations/keeping-your-organization-secure/managing-two-factor-authentication-for-your-organization/viewing-whether-users-in-your-organization-have-2fa-enabled)." {% data reusables.two_fa.ghes_ntp %} 
@@ -58,10 +58,23 @@ Before you require use of two-factor authentication, we recommend notifying orga {% data reusables.enterprise-accounts.settings-tab %} {% data reusables.enterprise-accounts.security-tab %} 1. Under "Two-factor authentication", review the information about changing the setting. {% data reusables.enterprise-accounts.view-current-policy-config-orgs %} -1. Under "Two-factor authentication", select **Require two-factor authentication for all organizations in your business**, then click **Save**. +1. Under "Two-factor authentication", select **Require two-factor authentication for the enterprise and all of its organizations**, then click **Save**. 1. If prompted, read the information about how user access to organization resources will be affected by a 2FA requirement. To confirm the change, click **Confirm**. -1. Optionally, if any outside collaborators are removed from the organizations owned by your enterprise, we recommend sending them an invitation to reinstate their former privileges and access to your organization. Each person must enable two-factor authentication before they can accept your invitation. +1. Optionally, if any outside collaborators are removed from the organizations owned by your enterprise, we recommend sending them an invitation to reinstate their former privileges and access to your organization. Each person must enable 2FA before they can accept your invitation. +{% ifversion fpt or ghec %} + +### Requiring secure methods of two-factor authentication for organizations in your enterprise + +Alongside requiring two-factor authentication, enterprise owners can require that organization members, billing managers, and outside collaborators in all organizations owned by an enterprise use secure methods of 2FA. Secure two-factor methods are passkeys, security keys, authenticator apps, and the GitHub mobile app. 
Users who do not have a secure method of 2FA configured, or who have any insecure method configured, will be prevented from accessing resources within any organizations owned by an enterprise. {% ifversion ghec %} This policy is not available for enterprises with managed users.{% endif %} + +Before you require secure methods of two-factor authentication, we recommend notifying organization members, outside collaborators, and billing managers and asking them to set up secure 2FA for their accounts. Organization owners can see if members and outside collaborators already use secure methods of 2FA on each organization's "People" page. For more information, see "[AUTOTITLE](/organizations/keeping-your-organization-secure/managing-two-factor-authentication-for-your-organization/viewing-whether-users-in-your-organization-have-2fa-enabled)." + +{% data reusables.enterprise.secure_two_factor_authentication %} +{% data reusables.organizations.secure_two_factor_authentication_confirm %} +1. Optionally, if any outside collaborators are removed from the organizations owned by your enterprise, we recommend sending them an invitation to reinstate their former privileges and access to your organization. Each person must enable 2FA with a secure method before they can accept your invitation. + +{% endif %} {% endif %} ## Managing SSH certificate authorities for your enterprise diff --git a/content/admin/managing-accounts-and-repositories/managing-organizations-in-your-enterprise/adding-organizations-to-your-enterprise.md b/content/admin/managing-accounts-and-repositories/managing-organizations-in-your-enterprise/adding-organizations-to-your-enterprise.md index 2774267cecc9..760bfec3fef2 100644 --- a/content/admin/managing-accounts-and-repositories/managing-organizations-in-your-enterprise/adding-organizations-to-your-enterprise.md +++ b/content/admin/managing-accounts-and-repositories/managing-organizations-in-your-enterprise/adding-organizations-to-your-enterprise.md 
@@ -35,7 +35,7 @@ There are three ways to add organizations to your enterprise. After you add an existing organization to your enterprise, the organization's resources remain accessible to members at the same URLs, and the following changes will apply. -* **Two-factor authentication (2FA):** If required by the enterprise, members without 2FA will be removed. +* **Two-factor authentication (2FA):** If required by the enterprise, members without 2FA, or with insecure 2FA, will be unable to access organization resources until they configure 2FA that meets the enterprise's 2FA security requirements. * **Enterprise licenses:** Members become part of the enterprise, and usage is billed to the enterprise account. You must ensure that the enterprise account has enough licenses to accommodate any new members. See "[AUTOTITLE](/billing/managing-your-github-billing-settings/about-billing-for-your-enterprise)." * **Enterprise role management:** Enterprise owners can manage their roles within the organization. See "[AUTOTITLE](/admin/user-management/managing-organizations-in-your-enterprise/managing-your-role-in-an-organization-owned-by-your-enterprise)." * **Enterprise policies:** Any policies applied to the enterprise will apply to the organization. {% data reusables.actions.org-to-enterprise-actions-permissions %} diff --git a/content/admin/managing-accounts-and-repositories/managing-organizations-in-your-enterprise/requiring-two-factor-authentication-for-an-organization.md b/content/admin/managing-accounts-and-repositories/managing-organizations-in-your-enterprise/requiring-two-factor-authentication-for-an-organization.md index e1b62b4619bb..76bd5fdb4bdf 100644 --- a/content/admin/managing-accounts-and-repositories/managing-organizations-in-your-enterprise/requiring-two-factor-authentication-for-an-organization.md +++ b/content/admin/managing-accounts-and-repositories/managing-organizations-in-your-enterprise/requiring-two-factor-authentication-for-an-organization.md 
@@ -31,10 +31,9 @@ Before you require use of two-factor authentication, we recommend notifying orga {% data reusables.two_fa.ghes_ntp %} > [!WARNING] -> * When you require two-factor authentication, members who do not use 2FA will not be able to access your enterprise resources until they enable 2FA on their account. They will retain membership even without 2FA, including occupying seats in your enterprise and organizations. -> * When your require two-factor authentication, outside collaborators (including bot accounts) who do not use 2FA will be removed from the enterprise and its organization and lose access to repositories, including their forks of private repositories. If they enable 2FA for their personal account within three months of being removed from the organization, you can [reinstate their access privileges and settings](/organizations/managing-membership-in-your-organization/reinstating-a-former-member-of-your-organization). -> * When two-factor authentication is required, outside collaborators who disable 2FA will automatically be removed from the enterprise and its organizations. {% ifversion fpt or ghec %}Members and billing managers{% else %}Members{% endif %} who disable 2FA will not be able to access your enterprise and organization resources until they re-enable it. -> * If you're the sole owner of an organization that requires two-factor authentication, you won't be able to disable 2FA for your personal account without disabling required 2FA for the organization. +> * When you require two-factor authentication, members and outside collaborators (including bot accounts) who do not use 2FA will be removed from the organization and lose access to its repositories, including their forks of private repositories. 
If they enable 2FA for their personal account within three months of being removed from the organization, you can reinstate their access privileges and settings, see [AUTOTITLE](/organizations/managing-membership-in-your-organization/reinstating-a-former-member-of-your-organization). +> * When 2FA is required, organization members or outside collaborators who disable 2FA will automatically be removed from the organization. +> * If you're the sole owner of an organization that requires two-factor authentication, you won't be able to disable 2FA for your personal account without disabling required two-factor authentication for the organization. ## Requiring two-factor authentication for an organization diff --git a/content/admin/managing-accounts-and-repositories/managing-users-in-your-enterprise/exporting-membership-information-for-your-enterprise.md b/content/admin/managing-accounts-and-repositories/managing-users-in-your-enterprise/exporting-membership-information-for-your-enterprise.md index 01cab3d2f292..3abb9595f9d7 100644 --- a/content/admin/managing-accounts-and-repositories/managing-users-in-your-enterprise/exporting-membership-information-for-your-enterprise.md +++ b/content/admin/managing-accounts-and-repositories/managing-users-in-your-enterprise/exporting-membership-information-for-your-enterprise.md 
@@ -21,7 +21,7 @@ The membership information report includes the following information. > You can only export the datetime of the user's last activity at the organization level. For more information, see "[AUTOTITLE](/organizations/managing-membership-in-your-organization/exporting-member-information-for-your-organization#about-export-of-membership-information)." * Username and display name details -* Whether the user has two-factor authentication enabled {% ifversion mandatory-2fa-required-overview %}or is required to enable it{% endif %} +* Whether the user has two-factor authentication enabled and how secure their 2FA configuration is * Whether the user is an organization owner or member * Organizations with pending invitations * Optionally, additional information that depends on the enterprise's configuration: diff --git a/content/admin/managing-accounts-and-repositories/managing-users-in-your-enterprise/viewing-people-in-your-enterprise.md b/content/admin/managing-accounts-and-repositories/managing-users-in-your-enterprise/viewing-people-in-your-enterprise.md index 9a71df086f9b..fb4a7b968f5c 100644 --- a/content/admin/managing-accounts-and-repositories/managing-users-in-your-enterprise/viewing-people-in-your-enterprise.md +++ b/content/admin/managing-accounts-and-repositories/managing-users-in-your-enterprise/viewing-people-in-your-enterprise.md 
@@ -230,6 +230,18 @@ You can view a list of members in your enterprise who don't have an email addres ## Viewing whether members in your enterprise have 2FA enabled +{% ifversion fpt or ghec %} + +You can see which people in your enterprise have enabled two-factor authentication. + +{% data reusables.enterprise-accounts.access-enterprise %} +{% data reusables.enterprise-accounts.people-tab %} +1. To view the two-factor authentication security levels of enterprise members, on the right, select **Two-factor authentication**, then click **Secure**, **Insecure**, or **Disabled**. + + ![Screenshot of the list of enterprise members. A dropdown menu, labeled "Two-factor authentication", is expanded and outlined in orange.](/assets/images/help/2fa/filter-enterprise-members-by-2fa.png) + +{% else %} + You can see which people in your enterprise have enabled two-factor authentication{% ifversion mandatory-2fa-required-overview %} or are required to do so{% endif %}. {% ifversion mandatory-2fa-required-overview %} 
@@ -238,9 +250,11 @@ You can see which people in your enterprise have enabled two-factor authenticati {% data reusables.enterprise-accounts.access-enterprise %} {% data reusables.enterprise-accounts.people-tab %} -1. To view enterprise members who have enabled or disabled two-factor authentication, on the right, select **2FA**, then click **Enabled** or **Disabled**. {% ifversion mandatory-2fa-required-overview %}Additionally, you can view which members are required to enable two-factor authentication by clicking **Required**. +1. To view enterprise members who have enabled or disabled two-factor authentication, on the right, select **2FA**, then click **Enabled** or **Disabled**. - ![Screenshot of the list of organization members. A dropdown menu, labeled "2FA", is expanded and outlined in orange.](/assets/images/help/2fa/filter-org-members-by-2fa-required.png){% endif %} + ![Screenshot of the list of organization members. A dropdown menu, labeled "2FA", is expanded and outlined in orange.](/assets/images/help/2fa/legacy-filter-org-members-by-2fa.png) + +{% endif %} ## Further reading diff --git a/content/authentication/securing-your-account-with-two-factor-authentication-2fa/configuring-two-factor-authentication.md b/content/authentication/securing-your-account-with-two-factor-authentication-2fa/configuring-two-factor-authentication.md index c9be3fb8d2b8..19c02dbbd780 100644 --- a/content/authentication/securing-your-account-with-two-factor-authentication-2fa/configuring-two-factor-authentication.md +++ b/content/authentication/securing-your-account-with-two-factor-authentication-2fa/configuring-two-factor-authentication.md 
@@ -74,6 +74,7 @@ A time-based one-time password (TOTP) application automatically generates an aut If you're unable to configure a TOTP app, you can also register your phone number to receive SMS messages. {% data reusables.two_fa.sms-warning %} +{% data reusables.two_fa.sms-cap-note %} {% data reusables.user-settings.access_settings %} {% data reusables.user-settings.security %} diff --git a/content/authentication/securing-your-account-with-two-factor-authentication-2fa/disabling-two-factor-authentication-for-your-personal-account.md b/content/authentication/securing-your-account-with-two-factor-authentication-2fa/disabling-two-factor-authentication-for-your-personal-account.md index fba144b7a89e..e42b2647e195 100644 --- a/content/authentication/securing-your-account-with-two-factor-authentication-2fa/disabling-two-factor-authentication-for-your-personal-account.md +++ b/content/authentication/securing-your-account-with-two-factor-authentication-2fa/disabling-two-factor-authentication-for-your-personal-account.md 
@@ -18,8 +18,13 @@ shortTitle: Disable 2FA {% data reusables.two_fa.mandatory-2fa-contributors-2023 %} {% endif %} +{% ifversion fpt or ghec %} > [!WARNING] -> If you're a member{% ifversion fpt or ghec %}, billing manager,{% endif %} or outside collaborator to a public repository of an organization that requires two-factor authentication and you disable 2FA, you'll be automatically removed from the organization, and you'll lose your access to their repositories. To regain access to the organization, re-enable two-factor authentication and contact an organization owner. +> If you're a member{% ifversion fpt or ghec %} or billing manager{% endif %} to a repository of an organization that requires two-factor authentication and you disable 2FA, you'll lose your access to their repositories. To regain access to the organization, re-enable two-factor authentication. +{% else %} +> [!WARNING] +> If you're a member{% ifversion fpt or ghec %}, billing manager,{% endif %} or outside collaborator to a repository of an organization that requires two-factor authentication and you disable 2FA, you'll be automatically removed from the organization, and you'll lose your access to their repositories. To regain access to the organization, re-enable two-factor authentication and contact an organization owner. +{% endif %} We strongly recommend using two-factor authentication (2FA) to secure your account. If you need to disable 2FA, we recommend re-enabling it as soon as possible. 
@@ -29,11 +34,15 @@ If you are part of the group that {% data variables.product.prodname_dotcom %} i You can modify your existing 2FA configuration instead of disabling it entirely. For more information, see "[AUTOTITLE](/authentication/securing-your-account-with-two-factor-authentication-2fa/changing-your-two-factor-authentication-method)." {% endif %} -If your organization requires two-factor authentication and you're a member, owner, or an outside collaborator on a private repository of your organization, you must first leave your organization before you can disable two-factor authentication. +{% ifversion fpt or ghec %} +If your organization requires two-factor authentication and you're an outside collaborator on a repository of your organization, you must first leave the organization before you can disable two-factor authentication. To remove yourself from your organization, visit your Organizations settings page and select "Leave", or ask an organization owner or repository administrator to remove you from the organization's repositories. For more information, see "[AUTOTITLE](/account-and-profile/setting-up-and-managing-your-personal-account-on-github/managing-your-membership-in-organizations/viewing-peoples-roles-in-an-organization)" and "[AUTOTITLE](/organizations/managing-user-access-to-your-organizations-repositories/managing-outside-collaborators/removing-an-outside-collaborator-from-an-organization-repository)." +{% else %} +If your organization requires two-factor authentication and you're a member, owner, or an outside collaborator on a repository of your organization, you must first leave your organization before you can disable two-factor authentication. To remove yourself from your organization: * As an organization member or owner, see "[AUTOTITLE](/account-and-profile/setting-up-and-managing-your-personal-account-on-github/managing-your-membership-in-organizations/removing-yourself-from-an-organization)." 
* As an outside collaborator, ask an organization owner or repository administrator to remove you from the organization's repositories. For more information, see "[AUTOTITLE](/account-and-profile/setting-up-and-managing-your-personal-account-on-github/managing-your-membership-in-organizations/viewing-peoples-roles-in-an-organization)" and "[AUTOTITLE](/organizations/managing-user-access-to-your-organizations-repositories/managing-outside-collaborators/removing-an-outside-collaborator-from-an-organization-repository)." +{% endif %} {% data reusables.user-settings.access_settings %} {% data reusables.user-settings.security %} diff --git a/content/organizations/keeping-your-organization-secure/managing-two-factor-authentication-for-your-organization/preparing-to-require-two-factor-authentication-in-your-organization.md b/content/organizations/keeping-your-organization-secure/managing-two-factor-authentication-for-your-organization/preparing-to-require-two-factor-authentication-in-your-organization.md index aaa891f027c4..64243fe145ca 100644 --- a/content/organizations/keeping-your-organization-secure/managing-two-factor-authentication-for-your-organization/preparing-to-require-two-factor-authentication-in-your-organization.md +++ b/content/organizations/keeping-your-organization-secure/managing-two-factor-authentication-for-your-organization/preparing-to-require-two-factor-authentication-in-your-organization.md 
@@ -14,15 +14,23 @@ topics: - Teams shortTitle: Prepare to require 2FA --- +{% ifversion fpt or ghec %} +When requiring 2FA in your organization, consider if you also want to enforce usage of only secure methods among your users (secure two-factor methods are passkeys, security keys, authenticator apps, and the GitHub mobile app). +{% endif %} + We recommend that you notify {% ifversion fpt or ghec %}organization members, outside collaborators, and billing managers{% else %}organization members and outside collaborators{% endif %} at least one week before you require 2FA in your organization. -When you require use of two-factor authentication for your organization, outside collaborators (including bot accounts) who do not use 2FA will be removed from the organization and lose access to its repositories. They will also lose access to their forks of the organization's private repositories. -Members and billing managers will retain membership but not be able to access your organization resources until they enable 2FA. +When you require use of two-factor authentication for your organization, outside collaborators (including bot accounts) who do not use 2FA will be removed from the organization and lose access to its repositories.{% ifversion fpt or ghec %} If you require secure methods of 2FA, outside collaborators who have SMS 2FA configured will be removed. {% endif %} They will also lose access to their forks of the organization's private repositories. +Members and billing managers will retain membership but not be able to access your organization resources until they meet your 2FA requirement{% ifversion fpt or ghec %} and 2FA security level{% endif %}. Before requiring 2FA in your organization, we recommend that you: -* Enable 2FA on your personal account. For more information, see "[AUTOTITLE](/authentication/securing-your-account-with-two-factor-authentication-2fa)." 
-* Ask the people in your organization to set up 2FA for their accounts +* Enable 2FA on your personal account{% ifversion fpt or ghec %} with a secure method {% endif %}. For more information, see "[AUTOTITLE](/authentication/securing-your-account-with-two-factor-authentication-2fa)." +* Ask the people in your organization to set up 2FA for their accounts{% ifversion fpt or ghec %} with secure methods{% endif %}. +{% ifversion fpt or ghec %} +* View the 2FA security levels of users in your organization, to judge the impact of adding a 2FA requirement. For more information, see "[AUTOTITLE](/organizations/keeping-your-organization-secure/managing-two-factor-authentication-for-your-organization/viewing-whether-users-in-your-organization-have-2fa-enabled)." +{% else %} * See whether users in your organization have 2FA enabled. For more information, see "[AUTOTITLE](/organizations/keeping-your-organization-secure/managing-two-factor-authentication-for-your-organization/viewing-whether-users-in-your-organization-have-2fa-enabled)." +{% endif %} * Enable 2FA for unattended or shared access accounts, such as bots and service accounts. For more information, see "[AUTOTITLE](/organizations/keeping-your-organization-secure/managing-two-factor-authentication-for-your-organization/managing-bots-and-service-accounts-with-two-factor-authentication)." * Warn users that once 2FA is enabled, outside collaborators without 2FA are automatically removed from the organization, and members and billing managers will not be able to access your organization resources until they enable 2FA. diff --git a/content/organizations/keeping-your-organization-secure/managing-two-factor-authentication-for-your-organization/requiring-two-factor-authentication-in-your-organization.md b/content/organizations/keeping-your-organization-secure/managing-two-factor-authentication-for-your-organization/requiring-two-factor-authentication-in-your-organization.md index aba321fdba5f..1fba0bc509af 100644 
--- a/content/organizations/keeping-your-organization-secure/managing-two-factor-authentication-for-your-organization/requiring-two-factor-authentication-in-your-organization.md +++ b/content/organizations/keeping-your-organization-secure/managing-two-factor-authentication-for-your-organization/requiring-two-factor-authentication-in-your-organization.md 
@@ -31,15 +31,23 @@ You can also require two-factor authentication for organizations in an enterpris > [!NOTE] > Some of the users in your organization may have been selected for mandatory two-factor authentication enrollment by {% data variables.product.prodname_dotcom %}, but it has no impact on how you enable the 2FA requirement for your organization. If you enable the 2FA requirement in your organization, all users without 2FA currently enabled will be removed from your organization, including those that are required to enable it by {% data variables.product.prodname_dotcom %}. -{% endif %} - > [!WARNING] -> * When you require use of two-factor authentication for your organization, {% ifversion fpt or ghec %}members and billing managers{% else %}members{% endif %} who do not use 2FA will not be able to access your organization's resources until they enable 2FA on their account. They will retain membership even without 2FA, including occupying seats in your organization. +> * When you require use of two-factor authentication for your organization, members and billing managers who do not use 2FA will not be able to access your organization's resources until they enable 2FA on their account. They will retain membership even without 2FA, including occupying seats in your organization. > * When you require use of two-factor authentication for your organization, outside collaborators who do not use 2FA will be removed from the organization and lose access to its repositories. They will also lose access to their forks of the organization's private repositories. You can reinstate their access privileges and settings if they enable 2FA for their personal account within three months of their removal from your organization. For more information, see "[AUTOTITLE](/organizations/managing-membership-in-your-organization/reinstating-a-former-member-of-your-organization)." 
> * You will also need to enable two-factor authentication for unattended or shared access accounts that are outside collaborators, such as bots and service accounts. If you do not configure 2FA for these unattended outside collaborator accounts after you've enabled required 2FA, the accounts will be removed from the organization and lose access to their repositories. For more information, see "[AUTOTITLE](/organizations/keeping-your-organization-secure/managing-two-factor-authentication-for-your-organization/managing-bots-and-service-accounts-with-two-factor-authentication)." > * If an outside collaborator disables two-factor authentication for their personal account after you've enabled required 2FA, they will automatically be removed from the organization. > * If you're the sole owner of an organization that requires two-factor authentication, you won't be able to disable 2FA for your personal account without disabling required 2FA for the organization. +{% else %} + +> [!WARNING] +> * When you require use of two-factor authentication for your organization, members and outside collaborators who do not use 2FA will be removed from the organization and lose access to its repositories. They will also lose access to their forks of the organization's private repositories. You can reinstate their access privileges and settings if they enable two-factor authentication for their personal account within three months of their removal from your organization. For more information, see "[AUTOTITLE](/organizations/managing-membership-in-your-organization/reinstating-a-former-member-of-your-organization)." +> * You will also need to enable 2FA for unattended or shared access accounts, such as bots and service accounts. If you do not configure 2FA for these unattended accounts after you've enabled required two-factor authentication, the accounts will be removed from the organization and lose access to their repositories. 
For more information, see "[AUTOTITLE](/organizations/keeping-your-organization-secure/managing-two-factor-authentication-for-your-organization/managing-bots-and-service-accounts-with-two-factor-authentication)." +> * If an organization owner, member, or outside collaborator disables 2FA for their personal account after you've enabled required two-factor authentication, they will automatically be removed from the organization. +> * If you're the sole owner of an organization that requires two-factor authentication, you won't be able to disable 2FA for your personal account without disabling required two-factor authentication for the organization. + +{% endif %} + {% data reusables.two_fa.auth_methods_2fa %} ## Prerequisites 
@@ -59,6 +67,20 @@ Before you require use of two-factor authentication, we recommend notifying {% i 1. If any outside collaborators are removed from the organization, we recommend sending them an invitation that can reinstate their former privileges and access to your organization. They must enable two-factor authentication before they can accept your invitation. {% endif %} +{% ifversion fpt or ghec %} + +### Requiring secure methods of two-factor authentication in your organization + +Alongside requiring two-factor authentication, you can require that organization members, billing managers, and outside collaborators use secure methods of 2FA. Secure two-factor methods are passkeys, security keys, authenticator apps, and the GitHub mobile app. Users who do not have a secure method of 2FA configured, or who have any insecure method configured, will be prevented from accessing organization resources. + +Before you require secure methods of two-factor authentication, we recommend notifying organization members, outside collaborators, and billing managers and asking them to set up secure 2FA for their accounts. You can see if members and outside collaborators already use secure methods of 2FA on each organization's People page. For more information, see "[AUTOTITLE](/organizations/keeping-your-organization-secure/managing-two-factor-authentication-for-your-organization/viewing-whether-users-in-your-organization-have-2fa-enabled)." + +{% data reusables.organizations.secure_two_factor_authentication %} +{% data reusables.organizations.secure_two_factor_authentication_confirm %} +1. Optionally, if any outside collaborators are removed from your organization, we recommend sending them an invitation to reinstate their former privileges and access. Each person must enable 2FA with a secure method before they can accept your invitation. 
+ +{% endif %} + ## Viewing people who were removed from your organization To view people who were automatically removed from your organization for non-compliance when you required two-factor authentication, you can search your organization's audit log for people removed from your organization. The audit log event will show if a person was removed for 2FA non-compliance. For more information, see "[AUTOTITLE](/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/reviewing-the-audit-log-for-your-organization#accessing-the-audit-log)." diff --git a/content/organizations/keeping-your-organization-secure/managing-two-factor-authentication-for-your-organization/viewing-whether-users-in-your-organization-have-2fa-enabled.md b/content/organizations/keeping-your-organization-secure/managing-two-factor-authentication-for-your-organization/viewing-whether-users-in-your-organization-have-2fa-enabled.md index 15943ae70e9e..621ef0d66688 100644 --- a/content/organizations/keeping-your-organization-secure/managing-two-factor-authentication-for-your-organization/viewing-whether-users-in-your-organization-have-2fa-enabled.md +++ b/content/organizations/keeping-your-organization-secure/managing-two-factor-authentication-for-your-organization/viewing-whether-users-in-your-organization-have-2fa-enabled.md 
@@ -16,25 +16,31 @@ shortTitle: View 2FA usage --- > [!NOTE] -> You can require that all members{% ifversion fpt or ghec %}, including, owners, billing managers and{% else %} and{% endif %} outside collaborators in your organization have two-factor authentication enabled. For more information, see "[AUTOTITLE](/organizations/keeping-your-organization-secure/managing-two-factor-authentication-for-your-organization/requiring-two-factor-authentication-in-your-organization)." +> You can require that all members{% ifversion fpt or ghec %}, including, owners, billing managers and{% else %} and{% endif %} outside collaborators in your organization have two-factor authentication enabled{% ifversion fpt or ghec %}, as well as enforcing that they have secure methods configured {% endif %}. For more information, see "[AUTOTITLE](/organizations/keeping-your-organization-secure/managing-two-factor-authentication-for-your-organization/requiring-two-factor-authentication-in-your-organization)." {% data reusables.profile.access_org %} {% data reusables.user-settings.access_org %} {% data reusables.organizations.people %} -1. To view organization members, including organization owners, who have enabled or disabled two-factor authentication, on the right, select **2FA**, then click **Enabled** or **Disabled**. {% ifversion mandatory-2fa-required-overview %}Additionally, you can view which members are required to enable two-factor authentication by clicking **Required**.

- {% data reusables.two_fa.mandatory-2fa-contributors-2023 %}{% endif %}{% ifversion mandatory-2fa-required-overview %} +{% ifversion fpt or ghec %} - ![Screenshot of the list of organization members. A dropdown menu, labeled "2FA", is expanded and outlined in orange.](/assets/images/help/2fa/filter-org-members-by-2fa-required.png){% else %} +1. To view the two-factor authentication security levels of organization members, including organization owners, on the right, select **Two-factor authentication**, then click **Secure**, **Insecure**, or **Disabled**. - ![Screenshot of the list of organization members. A dropdown menu, labeled "2FA", is expanded and outlined in orange.](/assets/images/help/2fa/filter-org-members-by-2fa.png){% endif %} + ![Screenshot of the list of organization members. A dropdown menu, labeled "Two-factor authentication", is expanded and outlined in orange.](/assets/images/help/2fa/filter-org-members-by-2fa.png) 1. To view outside collaborators in your organization, in the "Organization permissions" sidebar, click **Outside collaborators**. -1. To view which outside collaborators have enabled or disabled two-factor authentication, above the list of outside collaborators, select the **2FA** dropdown menu, then click **Enabled** or **Disabled**. {% ifversion mandatory-2fa-required-overview %}Additionally, you can view which members are required to enable two-factor authentication by clicking **Required**.{% endif %}{% ifversion mandatory-2fa-required-overview %} +1. To view which outside collaborators have secure, insecure, or disabled two-factor authentication, above the list of outside collaborators, select the **Two-factor authentication** dropdown menu, then click **Secure**, **Insecure**, or **Disabled**. - ![Screenshot of the list of outside collaborators. 
A dropdown menu, labeled "2FA", is expanded and outlined in orange.](/assets/images/help/2fa/filter-org-collaborator-by-2fa-required.png){% else %} +{% else %} - ![Screenshot of the list of outside collaborators. A dropdown menu, labeled "2FA", is expanded and outlined in orange.](/assets/images/help/2fa/filter-outside-collaborators-by-2fa.png){% endif %} +1. To view organization members, including organization owners, who have enabled or disabled two-factor authentication, on the right, select **2FA**, then click **Enabled** or **Disabled**. + +![Screenshot of the list of organization members. A dropdown menu, labeled "2FA", is expanded and outlined in orange.](/assets/images/help/2fa/legacy-filter-org-members-by-2fa.png) + +1. To view outside collaborators in your organization, in the "Organization permissions" sidebar, click **Outside collaborators**. +1. To view which outside collaborators have enabled or disabled two-factor authentication, above the list of outside collaborators, select the **2FA** dropdown menu, then click **Enabled** or **Disabled**. + +{% endif %} ## Further reading diff --git a/data/reusables/actions/azure-vnet-configure-azure-resources-script.md b/data/reusables/actions/azure-vnet-configure-azure-resources-script.md index 2fb6fbd6737e..78f71e05d245 100644 --- a/data/reusables/actions/azure-vnet-configure-azure-resources-script.md +++ b/data/reusables/actions/azure-vnet-configure-azure-resources-script.md @@ -35,6 +35,7 @@ export SUBNET_NAME=YOUR_SUBNET_NAME export NSG_NAME=YOUR_NSG_NAME export NETWORK_SETTINGS_RESOURCE_NAME=YOUR_NETWORK_SETTINGS_RESOURCE_NAME export DATABASE_ID=YOUR_DATABASE_ID +export API_VERSION=2024-04-02 # These are the default values. You can adjust your address and subnet prefixes. export ADDRESS_PREFIX=10.0.0.0/16 
@@ -70,7 +71,7 @@ echo Delegate subnet to GitHub.Network/networkSettings and apply NSG rules echo echo Create network settings resource $NETWORK_SETTINGS_RESOURCE_NAME -. az resource create --resource-group $RESOURCE_GROUP_NAME --name $NETWORK_SETTINGS_RESOURCE_NAME --resource-type GitHub.Network/networkSettings --properties "{ \"location\": \"$AZURE_LOCATION\", \"properties\" : { \"subnetId\": \"/subscriptions/$SUBSCRIPTION_ID/resourceGroups/$RESOURCE_GROUP_NAME/providers/Microsoft.Network/virtualNetworks/$VNET_NAME/subnets/$SUBNET_NAME\", \"businessId\": \"$DATABASE_ID\" }}" --is-full-object --output table --query "{GitHubId:tags.GitHubId, name:name}" --api-version 2024-04-02 +. az resource create --resource-group $RESOURCE_GROUP_NAME --name $NETWORK_SETTINGS_RESOURCE_NAME --resource-type GitHub.Network/networkSettings --properties "{ \"location\": \"$AZURE_LOCATION\", \"properties\" : { \"subnetId\": \"/subscriptions/$SUBSCRIPTION_ID/resourceGroups/$RESOURCE_GROUP_NAME/providers/Microsoft.Network/virtualNetworks/$VNET_NAME/subnets/$SUBNET_NAME\", \"businessId\": \"$DATABASE_ID\" }}" --is-full-object --output table --query "{GitHubId:tags.GitHubId, name:name}" --api-version $API_VERSION echo echo To clean up and delete resources run the following command: diff --git a/data/reusables/actions/azure-vnet-deleting-a-subnet.md b/data/reusables/actions/azure-vnet-deleting-a-subnet.md index 936b6e49fb82..f6e4abef9802 100644 --- a/data/reusables/actions/azure-vnet-deleting-a-subnet.md +++ b/data/reusables/actions/azure-vnet-deleting-a-subnet.md 
@@ -19,7 +19,7 @@ To delete the network settings resource, the network configuration that uses it ```bash copy az account set --subscription $SUBSCRIPTION_ID - az resource delete -g $RESOURCE_GROUP_NAME --name $NETWORK_SETTINGS_RESOURCE_NAME --resource-type 'GitHub.Network/networkSettings' --api-version '2023-11-01-preview' + az resource delete -g $RESOURCE_GROUP_NAME --name $NETWORK_SETTINGS_RESOURCE_NAME --resource-type 'GitHub.Network/networkSettings' --api-version $API_VERSION ``` 1. Delete the subnet in Azure. For more information, see [Delete a subnet](https://learn.microsoft.com/en-us/azure/virtual-network/virtual-network-manage-subnet?tabs=azure-portal#delete-a-subnet) on Microsoft Learn. diff --git a/data/reusables/enterprise/secure_two_factor_authentication.md b/data/reusables/enterprise/secure_two_factor_authentication.md new file mode 100644 index 000000000000..f114899c851c --- /dev/null +++ b/data/reusables/enterprise/secure_two_factor_authentication.md @@ -0,0 +1 @@ +1. Under "Two-factor authentication", select **Require two-factor authentication for the enterprise and all of its organizations** and **Only allow secure two-factor methods**, then click **Save**. diff --git a/data/reusables/organizations/removed_outside_collaborators.md b/data/reusables/organizations/removed_outside_collaborators.md index 69ca258911bd..8296583fbd79 100644 --- a/data/reusables/organizations/removed_outside_collaborators.md +++ b/data/reusables/organizations/removed_outside_collaborators.md @@ -1,2 +1,2 @@ 1. If prompted, read the information about members and outside collaborators who will be removed from the organization. -1. In the text field, type your organization's name to confirm the change, then click **Remove members & require two-factor authentication**. +1. To confirm the change, click **Confirm**. 
diff --git a/data/reusables/organizations/secure_two_factor_authentication.md b/data/reusables/organizations/secure_two_factor_authentication.md new file mode 100644 index 000000000000..dd52bbb11c5f --- /dev/null +++ b/data/reusables/organizations/secure_two_factor_authentication.md @@ -0,0 +1 @@ +1. Under "Two-factor authentication", select **Require two-factor authentication for everyone in your organization** and **Only allow secure two-factor methods**, then click **Save**. diff --git a/data/reusables/organizations/secure_two_factor_authentication_confirm.md b/data/reusables/organizations/secure_two_factor_authentication_confirm.md new file mode 100644 index 000000000000..7f792e8e53d2 --- /dev/null +++ b/data/reusables/organizations/secure_two_factor_authentication_confirm.md @@ -0,0 +1 @@ +1. If prompted, read the information about how user access to organization resources will be affected by requiring secure 2FA methods. To confirm the change, click **Confirm**. diff --git a/data/reusables/two_fa/sms-cap-note.md b/data/reusables/two_fa/sms-cap-note.md new file mode 100644 index 000000000000..8e9a14b61b20 --- /dev/null +++ b/data/reusables/two_fa/sms-cap-note.md @@ -0,0 +1,2 @@ +> [!NOTE] +> Organizations and enterprises have the ability to prevent content access to members who have SMS 2FA configured. If you are a member of any organization or enterprise that has made this decision, you should enable TOTP application-configured 2FA instead. Outside collaborators may not enable SMS 2FA if their organization or enterprise has disallowed it. To continue working on content within an organization, enable 2FA with a TOTP application and disable SMS 2FA. diff --git a/package.json b/package.json index 1a97aa8b85f3..30a3d586d457 100644 --- a/package.json +++ b/package.json 
@@ -50,7 +50,7 @@ "index-general-search": "tsx src/search/scripts/index/index-cli general-search", "index-test-fixtures": "./src/search/scripts/index-test-fixtures.sh", "lint": "eslint '**/*.{js,mjs,ts,tsx}'", - "lint-content": "node src/content-linter/scripts/lint-content.js", + "lint-content": "tsx src/content-linter/scripts/lint-content.js", "lint-translation": "vitest src/content-linter/tests/lint-files.js", "liquid-markdown-tables": "tsx src/tools/scripts/liquid-markdown-tables/index.ts", "generate-code-scanning-query-list": "tsx src/code-scanning/scripts/generate-code-scanning-query-list.ts", diff --git a/src/assets/lib/image-density.txt b/src/assets/lib/image-density.txt index 9dd0edac295b..aff98f46a523 100644 --- a/src/assets/lib/image-density.txt +++ b/src/assets/lib/image-density.txt @@ -95,10 +95,10 @@ /assets/images/help/2fa/add-sms-number-option.png 1x /assets/images/help/2fa/disable-two-factor-authentication.png 2x /assets/images/help/2fa/edit-2fa-method-dropdown.png 1x -/assets/images/help/2fa/filter-org-collaborator-by-2fa-required.png 1x -/assets/images/help/2fa/filter-org-members-by-2fa-required.png 1x -/assets/images/help/2fa/filter-org-members-by-2fa.png 2x -/assets/images/help/2fa/filter-outside-collaborators-by-2fa.png 2x +/assets/images/help/2fa/filter-enterprise-members-by-2fa.png 1x +/assets/images/help/2fa/filter-org-members-by-2fa.png 1x +/assets/images/help/2fa/legacy-filter-org-members-by-2fa.png 1x +/assets/images/help/2fa/legacy-filter-org-collaborators-by-2fa.png 2x /assets/images/help/2fa/ghes-3.8-and-higher-2fa-wizard-app-click-code.png 1x /assets/images/help/2fa/unlink-this-email.png 2x /assets/images/help/2fa/view-recovery-codes-button.png 2x diff --git a/src/assets/scripts/deleted-assets-pr-comment-1.ts b/src/assets/scripts/deleted-assets-pr-comment-1.ts index 206143821033..23c41dddacf0 100755 --- a/src/assets/scripts/deleted-assets-pr-comment-1.ts +++ b/src/assets/scripts/deleted-assets-pr-comment-1.ts 
@@ -3,7 +3,7 @@ // [start-readme] // // For testing the GitHub Action that executes -// src/assets/scripts/deleted-assets-pr-comment.js but doing it +// src/assets/scripts/deleted-assets-pr-comment.ts but doing it // locally. // This is more convenient and faster than relying on seeing that the // Action produces in a PR. @@ -13,7 +13,7 @@ // Example use: // // export GITHUB_TOKEN=github_pat_11AAAG..... -// ./src/assets/scripts/deleted-assets-pr-comment.js github docs-internal main 4a0b0f2 +// ./src/assets/scripts/deleted-assets-pr-comment.ts github docs-internal main 4a0b0f2 // // [end-readme]
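Review bot: In requiring-two-factor-authentication-in-your-organization.md (hunk @@ -59,6 +67,20), the new "Requiring secure methods" section describes two different enforcement outcomes. The introduction says users without a secure method "will be prevented from accessing organization resources", while the final step says "if any outside collaborators are removed from your organization" and recommends re-inviting them. An administrator needs to know which applies before enabling the setting. Please state explicitly whether non-compliant users are blocked in place or removed, and whether that differs between members and outside collaborators.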
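Review bot: In viewing-whether-users-in-your-organization-have-2fa-enabled.md (hunk @@ -16,25 +16,31), the screenshot in the `{% else %}` branch is added at column 0 (`+![Screenshot of the list of organization members. ...`), whereas the fpt/ghec branch adds its screenshot with leading space after the `+`. An unindented image between `1.` items usually ends the ordered list and restarts numbering, so please indent it under the step. The else branch also has no screenshot for the outside collaborators step, although this patch adds legacy-filter-org-collaborators-by-2fa.png. Separately, in the NOTE line, `secure methods configured {% endif %}.` leaves a space before the period when the condition is true, and "as well as enforcing that" is not parallel with "You can require that"; consider "and that they use secure methods{% endif %}."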
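Review bot: In azure-vnet-deleting-a-subnet.md (hunk @@ -19,7 +19,7), the delete command now depends on `$API_VERSION`, but in the visible changes that variable is only exported in azure-vnet-configure-azure-resources-script.md. A reader who runs the delete step in a fresh shell gets `--api-version` with an empty, unquoted expansion, so the command fails or misparses its arguments. Either set the value in this snippet or tell the reader to export it first, and quote the expansion (`--api-version "$API_VERSION"`) in both files. This hunk also moves the delete call from '2023-11-01-preview' to whatever the variable holds (2024-04-02 in the script), so please confirm that resources created under the preview version can be deleted with it.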
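Review bot: In data/reusables/organizations/removed_outside_collaborators.md, the confirmation step is rewritten for every version, while the rest of this patch gates the new 2FA UI behind `{% ifversion fpt or ghec %}`. If GHES still asks the owner to type the organization name and click **Remove members & require two-factor authentication**, this reusable will now be wrong there. Please wrap the new wording in the same version condition and keep the old step in the else branch, or confirm that the dialog changed on all supported versions.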
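Review bot: In data/reusables/two_fa/sms-cap-note.md, the note tells affected users to "enable 2FA with a TOTP application and disable SMS 2FA", but the organization article in this same patch lists the secure methods as passkeys, security keys, authenticator apps, and the GitHub mobile app. Naming only TOTP suggests the other secure methods do not satisfy the policy. Consider pointing to "a secure 2FA method" with TOTP as one example. The phrase "prevent content access to members" would also read better as "block access to content for members", and "may not enable SMS 2FA" is ambiguous between "cannot" and "might not".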
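Review bot: In package.json (hunk @@ -50,7 +50,7), `lint-content` switches the runner from `node` to `tsx` but still points at `src/content-linter/scripts/lint-content.js`. The neighbouring `tsx` entries target `.ts` files, and this patch renames other script references from `.js` to `.ts`. If the linter script was migrated, the path needs the new extension. If it was not, please note why `tsx` is needed here (for example, because the script now imports TypeScript modules), so the change does not look accidental.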