Privacy Ninja

GitHub Announces Enhanced 2FA Experience for npm Accounts

Today, GitHub has launched a new public beta to notably improve the two-factor authentication (2FA) experience for all npm user accounts.

Myles Borins, Open Source Product Manager at GitHub, said that the code hosting platform now allows npm accounts to register “multiple second factors, such as security keys, biometric devices, and authentication applications.”

It has also introduced a new 2FA configuration menu that allows users to manage registered keys and recovery codes.

Additional features available starting today include the ability to view and regenerate recovery codes and full command-line interface (CLI) support.

Those enrolled in this public beta will be able to log in and publish via the CLI using physical security keys and biometric devices.

These changes come after a December rollout of enhanced login verification to all npm publishers in response to a massive series of account takeovers.

Two months later, GitHub enforced 2FA for all publishers of the top-100 packages by dependents, with all publishers of top-500 and high-impact packages enrolled in early 2022.

Image: npm 2FA (source: GitHub)

2FA roll-out across the platform

GitHub also revealed last week that all active code contributors (an estimated 83 million developers in total) will be required to enable two-factor authentication (2FA) on their accounts by the end of next year.

Developers can use multiple 2FA options to secure their accounts, including physical security keys, virtual security keys built into devices like phones or laptops, and Time-based One-Time Password (TOTP) authenticator apps.

Although SMS-based 2FA is also an option (only in some countries), GitHub urged users to switch to security keys or TOTPs, given that threat actors can bypass SMS 2FA or steal auth tokens sent over SMS.
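The TOTP codes that authenticator apps produce, which GitHub recommends over SMS, are derived locally from a shared secret and the current time (RFC 6238), so nothing usable is ever sent over a phone network. The following is an added example, not code from GitHub or npm: it implements that derivation plus a verifier with a one-step clock-drift window, a replay check and a constant-time comparison. The secret and timestamps are the RFC 6238 test vectors.

```python
import hashlib
import hmac
import struct
from typing import Tuple

# RFC 4226/6238 test secret (ASCII "12345678901234567890"). A real deployment
# generates a random secret per account and shares it once at enrolment
# (QR code / setup key), never over SMS.
TEST_SECRET = b"12345678901234567890"
TIME_STEP = 30  # seconds per TOTP window


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the 8-byte big-endian counter,
    dynamically truncated to a 31-bit integer, reduced to `digits` digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, digits: int = 6, step: int = TIME_STEP) -> str:
    """TOTP (RFC 6238) is HOTP with counter = floor(unix_time / step)."""
    return hotp(secret, unix_time // step, digits)


def verify_totp(secret: bytes, submitted: str, unix_time: int,
                last_counter: int = -1, window: int = 1,
                digits: int = 6) -> Tuple[bool, int]:
    """Check `submitted` against the current step and +/- `window` neighbours
    (clock drift). Returns (ok, counter_to_store): the caller persists the
    accepted counter and passes it back as `last_counter`, so a code that was
    already used cannot be replayed while it is still within the window."""
    if len(submitted) != digits or not submitted.isdigit():
        return False, last_counter  # reject malformed input before comparing
    current = unix_time // TIME_STEP
    for drift in range(-window, window + 1):
        counter = current + drift
        if counter <= last_counter:
            continue  # this step was already consumed (or is older): replay
        expected = hotp(secret, counter, digits)
        # constant-time comparison avoids leaking how many digits matched
        if hmac.compare_digest(expected, submitted):
            return True, counter
    return False, last_counter
```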

GitHub also improved account security over the years by adding sign-in alerts, two-factor authentication, and WebAuthn support.

Today’s public beta push towards increased npm account security is GitHub’s latest step to protect the software supply chain from attacks by moving away from basic password-based auth.
