Skip to content
npm Docs
npmjs.comStatusSupport
About npm
Getting started
Setting up your npm user account
Creating a new user account on the public registryCreating a strong passwordReceiving a one-time password over emailAbout two-factor authenticationConfiguring two-factor authenticationAccessing npm using two-factor authenticationRecovering your 2FA-enabled account
Managing your npm user account
Paying for your npm user account
Configuring your local environment
Troubleshooting
Packages and modules
Integrations
Organizations
Policies
Threats and Mitigations
npm CLI

Recovering your 2FA-enabled account

Table of contents
Table of contents

When you have two-factor access enabled on your account, and you lose access to your 2FA device, you may be able to recover your account using the following methods.

Misplaced second factor device

If you have misplaced the device that provided second-factor authentication, you can use the recovery codes generated when you enabled 2FA to access your account.

Using recovery code on the web

  1. Locate the recovery codes generated that you have saved.

  2. Log in to npm with your user account.
    Screenshot of npm login dialog

  3. Click on "Use recovery code" from the next screen

    Screenshot showing Security Key prompt with a link to navigate to the recovery code input screen

    Note: If you have configured to use TOTP, you will see an TOTP prompt instead

  4. Enter an unused recovery code in the "Use a Recovery Code" prompt

    Screenshot showing use a recovery code prompt with an input box to enter the recovery code

  5. You are now logged into npm.

  6. Follow the steps mentioned in "Removing 2FA on the web" to disable 2FA

Using recovery code from the command line

  1. Locate the recovery codes generated when you enabled 2FA on your account.

  2. If you are logged out on the command line, log in using npm login command with your username and npm password.

  3. Enter an unused recovery code when you see this prompt:

    Enter one-time password:

  4. Once you are logged in, use the below and enter your npm password if prompted. 

    npm profile disable-2fa

  5. Enter another unused recovery code when you see this prompt:

    Enter one-time password:

  6. npm will confirm that two-factor authentication has been disabled.

  7. Follow the steps outlined in "Configuring two-factor authentication" to re-enable 2FA and generate new recovery codes.

Note: Using the recovery codes to re-enable 2FA may create a new authenticator account with the same npm account name.

If you are using a time-based one-time password (TOTP) mobile app and want to delete the old authenticator account, follow the steps for the authenticator.

Viewing and regenerating recovery code

Note: Once you regenerate a set of code, all previous recovery codes become invalid. Each code can be used only once.

  1. Log in to npm with your user account.
    Screenshot of npm login dialog
  2. In the upper right corner of the page, click your profile picture, then click Account.
    Screenshot of account settings selection in user menu

  3. On the account settings page, under "Two-Factor Authentication", click Modify 2FA.

    Screenshot showing Modify 2FA button

  4. Click "Manage Recovery Codes'' to view your recovery codes

    Screenshot showing existing recovery codes and a button to generate set of recovery codes

  5. Click "Regenerate Code" to generate a new set of codes.

Misplaced recovery codes

If you have misplaced both the device that provided second-factor authentication and your recovery codes, we may be unable to help you recover your account. If you have any questions, please contact npm Support.

Edit this page on GitHub