Three weeks ago, we provided an update on our commitment to npm ecosystem security. We promised to provide more details on the additional steps we’re taking to secure the npm registry, and this post outlines the first phase of that plan.
Today we are introducing enhanced login verification to the npm registry, and we will begin a staged rollout to maintainers beginning December 7 and concluding January 4. Maintainers on the npm registry who have access to publish packages and do not have two-factor authentication (2FA) enabled will receive an email with a one-time password (OTP) when authenticating through either the npmjs.com website or the npm CLI. This emailed OTP will need to be provided in addition to a user’s password before authenticating. This extra layer of authentication helps prevent common account takeover attacks, such as credential stuffing, which utilize a user’s compromised and reused password. It is worth noting that enhanced login verification is intended to be an additional baseline protection for all publishers. It is not a replacement for 2FA, such as time-based one-time passwords (TOTP), WebAuthn, or other methods described by NIST 800-63B. We encourage maintainers to opt-in to 2FA authentication. In doing so, you will not need to perform enhanced login verification.
You can read more about enhanced login verification in our documentation.
The next step in securing the accounts of publishers on the registry is to enforce the use of 2FA for all accounts with publishing rights to high-impact packages. Currently, the npm registry supports a single form of 2FA, TOTP via an authentication application. We are currently working on a variety of enhancements to the registry to make 2FA adoption easier for developers, including:
- WebAuthn support for hardware security keys and biometric scanners found in modern devices
- Support for registering and managing multiple authentication factors
- Better tools for understanding 2FA adoption in npm orgs
- An improved account recovery process
We will begin enforcing 2FA through a phased approach, with our first cohort—maintainers of the top-100 packages by dependents—on February 1, 2022. The second targeted cohort will be maintainers of the top-500 by dependents in early 2022 once more 2FA options are supported with WebAuthn. This process allows us to ship these new security features and processes as quickly as we can, while still maintaining the high-quality publishing experience maintainers expect from the npm registry.
- December 7, 2021: begin roll out of enhanced login verification to all accounts that have ever had publish access to packages on the npm registry.
- January 4, 2022: complete enhanced login verification rollout to all npm publishers.
- February 1, 2022: all publishers of the top-100 packages by dependents enrolled in enforced 2FA.
- Early 2022: all publishers of top-500 packages by dependents enrolled in enforced 2FA, followed by all publishers of high-impact packages enrolled in enforced 2FA.
The most important next step is to bring more 2FA options to npm publishers as quickly as we can without disrupting current workflows, and we are aiming to bring WebAuthn to the registry in April of 2022. We will have more updates in the new year with more explicit timelines, rollups of improvements, and details about how we plan to enforce 2FA for high-impact publishers. There is no time like the present to improve the security of your npm account, and you can follow the instructions in our documentation to enroll in 2FA today.