About two-factor authentication
Table of contents
Two-factor authentication (2FA) protects against unauthorized access to your account by confirming your identity using:
- Something you know (e.g., a password).
- Something you have (e.g., an ID badge or a cryptographic key).
- Something you are (e.g., a fingerprint or other biometric data).
When you enable 2FA, you will be prompted for a second form of authentication before performing certain actions on your account or packages to which you have write access. You will be prompted to authenticate with a security-key.
- The security-key flow allows you to use biometric devices such as Apple Touch ID, Face ID or Windows Hello as well as physical keys such as Yubikey, Thetis or Feitian as your 2FA.
Note: Two-factor authentication provides the best possible security for your account against attackers. We strongly recommend enabling 2FA on your account as soon as possible after you sign up.
Important: Publishing to npm requires either:
- Two-factor authentication (2FA) enabled on your account, OR
- A granular access token with bypass 2FA enabled
For more information, see the npm documentation on requiring 2FA for package publishing.
Two-factor authentication on npm
Two-factor authentication on npm can be enabled for authorization and writes, or authorization only.
Authorization and writes
By default, 2FA is enabled for authorization and writes. We will request a second form of authentication for certain authorized actions, as well as write actions.
| Action | CLI command |
|---|---|
| Log in to npm | npm login |
| Change profile settings (including your password) | npm profile set |
| Change 2FA modes for your user account | npm profile enable-2fa auth-and-writes |
| Disable 2FA for your user account | npm profile disable-2fa |
| Create tokens | npm token create |
| Revoke tokens | npm token revoke |
| Publish packages | npm publish |
| Unpublish packages | npm unpublish |
| Deprecate packages | npm deprecate |
| Change package visibility | npm access public/restricted |
| Change user and team package access | npm access grant/revoke |
| Change package 2FA requirements | npm access 2fa-required/2fa-not-required |
Authorization only
If you enable 2FA for authorization only. We will request a second form of authentication only for certain authorized actions.
| Action | CLI command |
|---|---|
| Log in to npm | npm login |
| Change profile settings (including your password) | npm profile set |
| Change 2FA modes for your user account | npm profile enable-2fa auth-only |
| Disable 2FA for your user account | npm profile disable-2fa |
| Create tokens | npm token create |
| Revoke tokens | npm token revoke |
