Configuring two-factor authentication
You can enable two-factor authentication (2FA) on your npm user account to protect against unauthorized access to your account and packages.
Prerequisites
Before you enable 2FA on your npm user account, you must:
- Update your npm client to version 5.5.1 or higher.
- Install an authenticator application that can generate one-time passwords (such as Authy, Google Authenticator, or Microsoft Authenticator) on a mobile device or second computer that will always be available when you work in your npm account.
Note: npm does not accept SMS (text-to-phone) as a 2FA method.
Configuring 2FA on the web
Enabling 2FA on the web
- Log in to npm with your user account.
- In the upper right corner of the page, click your profile picture, then click Account.
- On the profile settings page, under "Two-Factor Authentication", click Enable 2FA.
- On the 2FA settings page, select the mode you would like to enable. For more information, see "Two-factor authentication modes on npm".
- Click Submit.
- Open your authenticator application on your phone, and, on the two-step verification page, scan the QR code with your phone.
- Enter the code generated by the app, then click Verify.
- On the recovery code page, copy the recovery codes to your computer or another safe location that is not your second-factor device. We recommend using a password manager to save your recovery codes. If you are unable to access your phone, you will need to enter a recovery code when prompted for a one-time password.
- Click Go back to settings.
Removing 2FA on the web
If you have 2FA enabled, you can remove it from your profile settings page.
- Log in to npm with your user account.
- In the upper right corner of the page, click your profile picture, then click Profile Settings.
- On the profile settings page, under "Two-Factor Authentication", click Modify 2FA.
- On the 2FA settings page, under "What should we protect?", select "Disable".
- Click Submit.
Configuring 2FA from the command line
Enabling 2FA from the command line
Note: Settings you configure on the command line will also apply to your profile settings on the npm website.
- On the command line, type the npm profile command along with the option for the 2FA mode you want to enable:
  - To enable 2FA for authorization and writes, type:
    npm profile enable-2fa auth-and-writes
  - To enable 2FA for authorization only, type:
    npm profile enable-2fa auth-only
- To add npm to your authenticator application, using the device with the app, you can either:
  - scan the QR code displayed on the command line.
  - type the number displayed below the QR code.
- When prompted to add an OTP code from your authenticator, on the command line, enter a one-time password generated by your authenticator app.
Sending a one-time password from the command line
If you have enabled 2FA auth-and-writes, you will need to send the OTP from the command line for certain commands to work. To do this, append --otp=123456 (where 123456 is the code generated by your authenticator) at the end of the command. Here are a few examples:
npm publish [<tarball>|<folder>] [--tag <tag>] --otp=123456
npm owner add <user> --otp=123456
npm owner rm <user> --otp=123456
npm dist-tags add <pkg>@<version> [<tag>] --otp=123456
npm access edit [<package>] --otp=123456
npm unpublish [<@scope>/]<pkg>[@<version>] --otp=123456
Removing 2FA from the command line
- On the command line, type the following command:
  npm profile disable-2fa
- When prompted, enter your npm password:
  npm password:
- When prompted for a one-time password, enter a password from your authenticator app:
  Enter one-time password from your authenticator: 123456
Resolving OTP errors
If you are entering what seems to be a valid OTP but you see an error, be sure that you are using the correct authenticator account. If you have multiple authenticator accounts, using an OTP from the wrong account will cause an error, because each account holds a different secret and therefore generates different codes.
Also, when you re-enable two-factor authentication after it has been disabled, the authenticator might create a second account with the same name. See the authenticator documentation to delete the old account.
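As an added illustration (not part of the npm documentation or the npm client), the following Python reproduces what the authenticator app does: it derives the one-time password from the shared secret scanned from the QR code and the current 30-second time step (RFC 6238 TOTP over RFC 4226 HOTP), and shows why a code from a different authenticator account, which holds a different secret, is rejected. The secret is the RFC 6238 reference test key (constructed for this example), and the function names are my own.

```python
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional

# Constructed example secret: the RFC 6238 reference key, base32-encoded,
# which is the form an authenticator app stores when you scan the QR code.
EXAMPLE_SECRET_B32 = base64.b32encode(b"12345678901234567890").decode()
# A second, different secret standing in for a "wrong" authenticator account.
OTHER_ACCOUNT_SECRET_B32 = base64.b32encode(b"abcdefghijklmnopqrst").decode()


def hotp(secret_b32: str, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    key = base64.b32decode(secret_b32.upper() + "=" * (-len(secret_b32) % 8))
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret_b32: str, at_time: Optional[int] = None, step: int = 30) -> str:
    """RFC 6238: the HOTP counter is the number of 30-second steps since the Unix epoch."""
    t = int(time.time()) if at_time is None else at_time
    return hotp(secret_b32, t // step)


def verify_otp(secret_b32: str, submitted: str, at_time: Optional[int] = None,
               step: int = 30, window: int = 1) -> bool:
    """Server-side check: accept the current step or `window` steps either side,
    tolerating clock drift between the phone and the server. A code produced
    from a different secret (another authenticator account) never matches."""
    t = int(time.time()) if at_time is None else at_time
    for delta in range(-window, window + 1):
        if hmac.compare_digest(totp(secret_b32, t + delta * step, step), submitted):
            return True
    return False


if __name__ == "__main__":
    print("current code:", totp(EXAMPLE_SECRET_B32))
```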
© npm, Inc. and Contributors
Licensed under the npm License.
npm is a trademark of npm, Inc.
https://docs.npmjs.com/configuring-two-factor-authentication