All npm accounts are now enrolled in login verification

All npm accounts that do not have two-factor authentication (2FA) enabled will now receive an email with a one-time password (OTP) when authenticating through either the npmjs.com website or the npm CLI. The emailed OTP must be provided, in addition to a user’s password, before authenticating. This extra layer of authentication helps prevent common account takeover attacks, such as credential stuffing, which utilize a user’s compromised and reused password. It is worth noting that enhanced login verification is intended to be an additional baseline protection for all publishers. It is not a replacement for 2FA, such as time-based one-time passwords (TOTP), WebAuthn, or other methods described by NIST 800-63B. We encourage maintainers to opt-in to 2FA authentication. In doing so, you will not need to perform enhanced login verification.

You can read more about enhanced login verification in our documentation and blog.

AUG.16Release
Download data stored in your npm account by placing an export request
- npm
APR.21Improvement
Support for CORS response headers
- npm
APR.12Improvement
npm recovery code user experience improvement
- npm
APR.12Improvement
Streamlined Organization and Package invitations
- npm
MAR.15Retired
deprecating the npm public roadmap
- npm
JAN.12Improvement
Security-focused improvements for npm
- npm
NOV.16Retired
Deprecating non-audit-related advisory fetch endpoints for the npmjs.com registry API
- npm
OCT.7Improvement
npm CLI upgraded to version 8
- npm
SEP.23Improvement
npm has a new access token format
- npm

All npm accounts are now enrolled in login verification

Related Posts

Subscribe to our developer newsletter