Late last year, in response to an unprecedented series of account takeovers resulting from the compromise of developer accounts without 2FA enabled, we committed to a variety of enhancements to the npm registry to make two-factor authentication (2FA) adoption easier for developers. Today, we are launching a public beta for a significantly improved 2FA experience to all npm accounts, including:

  • Support for registering multiple second factors, such as security keys, biometric devices, and authentication applications
  • A new 2FA configuration menu to manage keys and recovery codes
  • Full CLI support for login and publish capabilities with physical security keys and biometric devices
  • Ability to view and regenerate recovery codes

[Animation: the npm sign-in process with 2FA]

On February 1, we enrolled all maintainers of the top-100 npm packages into mandatory 2FA. On May 31, we will enroll the next cohort in mandatory 2FA—maintainers of the top-500 packages. The final cohort will be high-impact maintainers of packages with more than one million weekly downloads or 500 dependents later this year.

Prior to enrolling all high-impact maintainers in 2FA, we will:

  • Streamline the process of logging in and publishing with WebAuthn
  • Improve the account recovery process, including more secure forms of identity verification

To learn more about configuring 2FA, see Configuring two-factor authentication.
To learn more about 2FA in general, see About two-factor authentication.
For questions and comments, open a discussion in our feedback repository.