Skip to content
npm Docs
npmjs.comStatusSupport
About npm
Getting started
Setting up your npm user account
Creating a new user account on the public registryCreating a strong passwordReceiving a one-time password over emailAbout two-factor authenticationConfiguring two-factor authenticationAccessing npm using two-factor authenticationRecovering your 2FA-enabled account
Managing your npm user account
Paying for your npm user account
Configuring your local environment
Troubleshooting
Packages and modules
Integrations
Organizations
Policies
Threats and Mitigations
npm CLI

About two-factor authentication

Table of contents
Table of contents

Two-factor authentication (2FA) protects against unauthorized access to your account by confirming your identity using:

  • Something you know (e.g., a password).
  • Something you have (e.g., an ID badge or a cryptographic key).
  • Something you are (e.g., a fingerprint or other biometric data).

Note: The security-key flow using WebAuthn is currently in beta.

When you enable 2FA, you will be prompted for a second form of authentication before performing certain actions on your account or packages to which you have write access. Depending on your 2FA configuration you will be either prompted to authenticate with a security-key or a time-based one-time password (TOTP).

Note: Two-factor authentication provides the best possible security for your account against attackers. We strongly recommend enabling 2FA on your account as soon as possible after you sign up.

Two-factor authentication on npm

Two-factor authentication on npm can be enabled for authorization and writes, or authorization only.

Authorization and writes

By default, 2FA is enabled for authorization and writes. We will request a second form of authentication for certain authorized actions, as well as write actions.

ActionCLI command
Log in to npmnpm login
Change profile settings (including your password)npm profile set
Change 2FA modes for your user accountnpm profile enable-2fa auth-and-writes
Disable 2FA for your user accountnpm profile disable-2fa
Create tokensnpm token create
Revoke tokensnpm token revoke
Publish packagesnpm publish
Unpublish packagesnpm unpublish
Deprecate packagesnpm deprecate
Change package visibilitynpm access public/restricted
Change user and team package accessnpm access grant/revoke
Change package 2FA requirementsnpm access 2fa-required/2fa-not-required

Authorization only

If you enable 2FA for authorization only. We will request a second form of authentication only for certain authorized actions.

ActionCLI command
Log in to npmnpm login
Change profile settings (including your password)npm profile set
Change 2FA modes for your user accountnpm profile enable-2fa auth-only
Disable 2FA for your user accountnpm profile disable-2fa
Create tokensnpm token create
Revoke tokensnpm token revoke
Edit this page on GitHub