Requires npm version 5.5.1 or greater
To meet the increasing need for strong digital security, npm introduced two-factor authentication (2FA) with version 5.5.1. Two-factor authentication prevents unauthorized access to your account by confirming your identity using two methods:
For example, if your bank uses 2FA, the first time you logged in to your online banking system, the bank sent a code to your cell phone number, then prompted you to enter the code online. This proved that the cell phone was in your possession, and linked it to your account for authentication. After that, whenever the bank detects anything unusual, such as a login from a different laptop, it will send a temporary code to your phone that you must enter before you can login. This provides an extra layer of security because, even if someone obtains your login credentials, they are unlikely to have your device in their possession as well. Even if someone finds your phone, they are unlikely to also be able to hack your laptop's password.
Two-factor authentication multiplies the protection against attacks, and we recommend that you implement this with your npm account.
To enable 2FA with your npm account, you will need an application that can generate a One Time Password, or OTP. For example, Authy or Google Authenticator, can generate one time passwords (OTP's). These products use a Time-Based One-Time Password Algorithm (TOTP) to create temporary codes. Install the application on a mobile device or a second laptop that will always be available when you work in your npm account. (Note: npm does not use SMS (text-to-phone) as a method for authenticating users.)
There are two levels of authentication, auth-only and auth-and-writes.
If you enable 2FA in auth-only mode, npm will require an OTP when you:
If you enable 2FA in auth-and-writes mode, which is the default, npm will require an OTP when you:
To add the OTP to a command, append it as shown:
npm owner add <user > --otp=123456
Other examples are listed below.
To require two-factor authentication, type the command that meets the level of security you wish to apply (auth-and-writes is the default).
npm profile enable-2fa npm profile enable-2fa auth-and-writes npm profile enable-2fa auth-only
npm will return this message:
npm notice profile Enabling two factor authentication for auth-and-writes
or this message:
> npm notice profile Enabling two factor authentication for auth-only
depending on the setting you provided.
Next, npm will display a QR code:
This will configure the authenticator app for future use, linking authentication to the device that generated the authentication.
Using your authenticator app, enter an OTP at the prompt shown:
Add an OTP code from your authenticator:
After you have entered the one-time password, npm will display this message:
2FA successfully enabled. Below are your recovery codes, please print these out. You will need these to recover access to your account if you lose your authentication device.
After you have applied two-factor authentication, you can use the
npm profile get command to confirm that it has been set.
Once you have installed 2FA, you will need to enter an OTP for security-relevant commands. For example, whenever you use the command
npm profile set you will need to enter an OTP before you can set or change a value, such as your fullname:
$npm profile set fullname Carolyn A. Wombat Enter OTP: 567452 Set fullname to Carolyn A. Wombat
Use `npm profile get' to confirm the new setting.
Note to our readers: We have reset the account used in screen shots; neither the QR nor the codes are still active. But thank you to those alert and kind wombats who have asked us about this.
As described above, after you set up two-factor authentication, a series of recovery codes will appear on your screen. Please print them and save them as described. Note: Some authenticator applications provide a method for you to store recovery codes.
Tip: Save these codes in a different location than the device you use to authenticate. For example, if you get your OTP from a tablet, don't save the codes in a case with your tablet.
The recovery procedure is explained below.
To remove 2FA from your profile, type this command:
npm profile disable-2fa
npm will prompt for your password:
> npm password:
Enter your npm password as prompted, then npm will display:
>Enter one-time password from your authenticator: 123456
npm will confirm:
Two factor authentication disabled.
If you have enabled 2FA auth-and-writes, you will need to send the OTP from the command line for certain commands. To do this, append
--otp=123456 (where 123456 is the code generated by your authenticator) at the end of the command. Here are a few examples:
npm publish [<tarball>|<folder>][--tag <tag>] --otp=123456 npm owner add <user > --otp=123456 npm owner rm <user> --otp=123456 npm dist-tags add <pkg>@<version> [<tag>] --otp=123456 npm access edit [<package>) --otp=123456 npm unpublish [<@scope>/]<pkg>[@<version>] --otp=123456
If you cannot locate the device that provided second-factor authentication:
npm profile disable-2faand enter your npm password if prompted.
>Enter one-time password from your authenticator:
npm profile enable-2fato re-enable 2FA, assign a different device to your account, and generate new recovery codes.
If you have misplaced your recovery codes, please contact npm customer support.
If you are entering what seems to be a valid OTP but you see an error, be sure that you are using the correct authenticator account. In the screen shot below, the current account in Authy was set incorrectly because the developer had multiple npm test accounts. This will cause the OTP to fail. Also, as stated earlier, when you reset 2fa after it has been disabled, the authenticator might create a second account with the same name. Please see the authenticator documentation to delete the old account.
Settings you define using the Command Line Interface (CLI) will also apply to the website. At this time, you cannot activate 2FA from web interface.
© npm, Inc. and Contributors
Licensed under the npm License.
npm is a trademark of npm, Inc.