How to require two-factor authentication for package publishing and settings modification

To protect your packages, as a package publisher, you can require everyone who has write access to a package to provide a one-time password in addition to their login token when they publish the package to the registry or modify package settings.

To publish or modify a package that has the two-factor authentication (2FA) setting enabled, a publisher must have 2FA enabled on their user account with "Authorization and Publishing" selected. For more information, see "How to use two-factor authentication".

Note: Currently, it is not possible to publish a package with 2FA enabled from CI. For more secure CI publishing, enable 2FA on the npm account used for CI, select "Authorization" only, and create a CIDR-restricted token for CI by following the steps in "Working with tokens".

  1. Log in to https://www.npmjs.com/.
  2. Navigate to the package on which you want to require a second factor to publish or modify settings.
  3. Click Admin.
  4. Under "Package Access", select "Require Two Factor Authentication to publish or modify settings".
  5. Click Update Package Settings.
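
The note above recommends a CIDR-restricted token for CI. As an added example (not part of the npm documentation), this script audits a token list for that restriction and checks that the CI runner's address falls inside it. The sample data is constructed, and the field names `key`, `readonly` and `cidr_whitelist` are assumed to match what `npm token list --json` prints on your npm version.

```javascript
// Added example: audit npm tokens for the CIDR restriction recommended for CI.
// SAMPLE_TOKENS is constructed data shaped like `npm token list --json` output
// (fields key, readonly, cidr_whitelist are an assumption; verify on your npm version).
const SAMPLE_TOKENS = [
  { key: 'aaaa1111', readonly: false, cidr_whitelist: ['203.0.113.0/24'] },
  { key: 'bbbb2222', readonly: false, cidr_whitelist: null },
  { key: 'cccc3333', readonly: true, cidr_whitelist: ['198.51.100.7/32'] },
];

// Convert a dotted-quad IPv4 address to an unsigned integer, or null if malformed.
function ipv4ToInt(ip) {
  const parts = String(ip).split('.');
  if (parts.length !== 4) return null;
  let n = 0;
  for (const p of parts) {
    if (!/^\d{1,3}$/.test(p) || Number(p) > 255) return null;
    n = n * 256 + Number(p);
  }
  return n;
}

// True when `ip` lies inside the IPv4 CIDR block `cidr` (e.g. "203.0.113.0/24").
function inCidr(ip, cidr) {
  const [base, bitsText = '32'] = String(cidr).split('/');
  if (!/^\d{1,2}$/.test(bitsText) || Number(bitsText) > 32) return false;
  const ipInt = ipv4ToInt(ip);
  const baseInt = ipv4ToInt(base);
  if (ipInt === null || baseInt === null) return false;
  // Compare network prefixes with division to avoid 32-bit shift pitfalls.
  const size = 2 ** (32 - Number(bitsText));
  return Math.floor(ipInt / size) === Math.floor(baseInt / size);
}

// Classify each token: no CIDR restriction, restricted but not covering the
// CI runner (publishing from that runner would be rejected), or ok.
function auditTokens(tokens, runnerIp) {
  return tokens.map((t) => {
    const ranges = Array.isArray(t.cidr_whitelist) ? t.cidr_whitelist : [];
    let status = 'ok';
    if (ranges.length === 0) status = 'unrestricted';
    else if (!ranges.some((r) => inCidr(runnerIp, r))) status = 'runner-outside-range';
    return { key: t.key, readonly: Boolean(t.readonly), status };
  });
}

console.log(auditTokens(SAMPLE_TOKENS, '203.0.113.25'));
```

The check handles IPv4 ranges only; a token listed as `unrestricted` can be used from any address if it leaks.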

© npm, Inc. and Contributors
Licensed under the npm License.
npm is a trademark of npm, Inc.
https://docs.npmjs.com/getting-started/requiring-2fa-for-package-publishing-and-modification