Late last year, in response to an unprecedented series of account takeovers resulting from the compromise of developer accounts without 2FA enabled, we committed to a variety of enhancements to the npm registry to make two-factor authentication (2FA) adoption easier for developers. Today, we are launching a public beta for a significantly improved 2FA experience to all npm accounts, including:
- Support for registering multiple second factors, such as security keys, biometric devices, and authentication applications
- A new 2FA configuration menu to manage keys and recovery codes
- Full CLI support for login and publish capabilities with physical security keys and biometric devices
- Ability to view and regenerate recovery codes
On February 1, we enrolled all maintainers of the top-100 npm packages into mandatory 2FA. On May 31, we will enroll the next cohort in mandatory 2FA—maintainers of the top-500 packages. The final cohort will be high-impact maintainers of packages with more than one million weekly downloads or 500 dependents later this year.
Prior to enrolling all high-impact maintainers in 2FA, we will:
- Streamline the process of logging in and publishing with WebAuthn
- Improve the account recovery process, including more secure forms of identity verification
To learn more about configuring 2FA, see Configuring two-factor authentication.
To learn more about 2FA in general, see About two-factor authentication.
For questions and comments, open a discussion in our feedback repository.