Late last year, in response to an unprecedented series of account takeovers that resulted from compromised developer accounts without 2FA enabled, we shipped a number of improvements to the npm registry to make it easier for developers to adopt two-factor authentication. Today we are launching a public beta of a significantly improved 2FA experience for all npm accounts, including:
- Support for recording multiple secondary factors, such as security keys, biometric devices, and authentication applications
- New 2FA configuration menu for managing keys and recovery codes
- Full CLI support for login and publish capabilities with physical security keys and biometric devices
- Ability to view and regenerate recovery codes
On February 1, we enrolled all maintainers of the top 100 npm packages in mandatory 2FA. On May 31, we will enroll the next cohort, the maintainers of the top 500 packages, in mandatory 2FA. The last group, later this year, will be maintainers of high-impact packages: those with more than one million weekly downloads or more than 500 dependents.
Before enrolling all maintainers of high-impact packages in mandatory 2FA, we will:
- Streamline the process of logging in and publishing with WebAuthn
- Improve the account recovery process, including more secure forms of authentication
To learn more about configuring 2FA, see Configuring two-factor authentication.
To learn more about 2FA in general, see About two-factor authentication.
For questions and comments, open a discussion in our feedback repository.