To meet the increasing need for strong digital security, npm has introduced two-factor authentication (2FA). Two-factor authentication prevents unauthorized access to your account by confirming your identity using two methods. One factor is something you know, such as your username and password, the other factor is something you have, such as a phone or tablet device. For example, if your bank uses 2FA, the first time you logged in to your online banking system, the bank sent a code to your cell phone number, then prompted you to enter the code online, proving that the cell phone was in your possession and linking it to your account for authentication. After that, if the bank detects anything unusual, such as a login from a different laptop, it will send a temporary code to your phone that you must enter before you can login. This provides an extra layer of security because, even if someone obtains your login credentials, they are unlikely to have your device in their possession as well. Two-factor authentication multiplies the protection against attacks, and we recommend that you implement this with your npm account.
To enable 2FA with your npm account, you will need an application that can generate a One Time Password, or OTP. For example, Authy or Google Authenticator, can generate one time passwords (OTP's). These products use a Time-Based One-Time Password Algorithm (TOTP) to create temporary codes. Install the application on a mobile device or a second laptop that will always be available when you work in your npm account. (Note: npm does not use SMS (text-to-phone) as a method for authenticating users.)
There are two levels of authentication, auth-only and auth-and-writes.
If you enable 2FA in auth-only mode, npm will require an OTP when you:
If you enable 2FA in auth-and-writes mode, which is the default, npm will require an OTP when you:
To add the OTP to a command, append it as shown:
npm owner add <user > --otp=123456
Other examples are listed below.
To require two-factor authentication, type the command that meets the level of security you wish to apply (auth-and-writes is the default).
npm profile enable-2fa npm profile enable-2fa auth-and-writes npm profile enable-2fa auth-only
npm will return this message:
> npm notice profile Enabling two factor authentication for auth-and-writes
or this message:
> npm notice profile Enabling two factor authentication for auth-only
depending on the setting you provided.
Next, npm will display a QR code:
This will configure the authenticator app for future use, linking authentication to the device that generated the authentication.
Using your authenticator app, enter an OTP at the prompt shown:
Add an OTP code from your authenticator:
After you have entered the one-time password, npm will display this message:
2FA successfully enabled. Below are your recovery codes, please print these out. You will need these to recover access to your account if you lose your authentication device.
As described above, after you set up two-factor authentication, a series of recovery codes will appear on your screen. Please print them and save them as described. Note: Some authenticator applications provide a method for you to store recovery codes.
>**WARNING**: Save these codes in a location that is not normally near the device you use to authenticate. If you lose the device, the codes are required to login. The recovery procedure is explained below.
To remove 2FA from your profile, type this command:
npm profile disable-2fa
npm will prompt for your password:
> npm password:
Enter your npm password as prompted, then npm will display:
>Enter one-time password from your authenticator: 123456
npm will confirm:
Two factor authentication disabled.
If you have enabled 2FA auth-and-writes, you will need to send the OTP from the command line for certain commands. To do this, append
--otp=123456 (where 123456 is the code genearated by your authenticator) at the end of the command. Here are a few examples:
npm publish [<tarball>|<folder>][--tag <tag>] --otp=123456 npm owner add <user > --otp=123456 npm owner rm <user> --otp=123456 npm dist-tags add <pkg>@<version> [<tag>] --otp=123456 npm access edit [<package>) --otp=123456 npm unpublish [<@scope>/]<pkg>[@<version>] --otp=123456
If you cannot locate the device that provided second-factor authentication:
npm profile disable-2faand enter your npm password if prompted.
>Enter one-time password from your authenticator:
npm profile enable-2fato re-enable 2FA, assign a different device to your account, and generate new recovery codes.
If you have misplaced your recovery codes, please contact npm customer support.
Settings you define using the Command Line Interface (CLI) will also apply to the website. At this time, you can only activate 2FA from the command line.
Last modified December 13, 2017 Found a typo? Send a pull request!