Configuring two-factor authentication

You can enable two-factor authentication (2FA) on your npm user account to protect against unauthorized access to your account and packages.

Prerequisites

Before you enable 2FA on your npm user account, you must:

  • Update your npm client to version 5.5.1 or higher.
  • Install an authenticator application that can generate one-time passwords (such as Authy, Google Authenticator, or Microsoft Authenticator) on a mobile device or second computer that will always be available when you work in your npm account.

Note: npm does not accept SMS (text-to-phone) as a 2FA method.

Configuring 2FA on the web

Enabling 2FA on the web

  1. Log in to npm with your user account.
    Screenshot of npm login dialog
  2. In the upper right corner of the page, click your profile picture, then click Account.
    Screenshot of account settings selection in user menu
  3. On the profile settings page, under "Two-Factor Authentication", click Enable 2FA.

    Screenshot showing Enable 2FA button
  4. On the 2FA settings page, select the mode you would like to enable. For more information, see "Two-factor authentication modes on npm".

    Screenshot showing 2FA types
  5. Click Submit.

    Screenshot showing 2FA submit button
  6. Open your authenticator application on your phone and, on the two-step verification page, scan the QR code with your phone.

  7. Enter the code generated by the app, then click Verify.

    Screenshot showing 2FA verification
  8. On the recovery code page, copy the recovery codes to your computer or other safe location that is not your second factor device. We recommend using a password manager to save your recovery codes. If you are unable to access your phone, you will need to enter a recovery code when prompted for a one-time password.

  9. Click Go back to settings.

    Screenshot showing the Go back to settings button

Removing 2FA on the web

If you have 2FA enabled, you can remove it from your profile settings page.

  1. Log in to npm with your user account.
    Screenshot of npm login dialog
  2. In the upper right corner of the page, click your profile picture, then click Profile Settings.
    Screenshot of profile settings selection in user menu
  3. On the profile settings page, under "Two-Factor Authentication", click Modify 2FA.

    Screenshot showing Modify 2FA button
  4. On the 2FA settings page, under "What should we protect?", select "Disable".

    Screenshot showing Disable 2FA button
  5. Click Submit.

    Screenshot showing Disable 2FA submit button

Configuring 2FA from the command line

Enabling 2FA from the command line

Note: Settings you configure on the command line will also apply to your profile settings on the npm website.

  1. On the command line, type the npm profile command along with the option for the 2FA mode you want to enable:
  • To enable 2FA for authorization and writes, type:
    npm profile enable-2fa auth-and-writes
  • To enable 2FA for authorization only, type:
    npm profile enable-2fa auth-only
  2. To add npm to your authenticator application, using the device with the app, you can either:
  • scan the QR code displayed on the command line, or
  • type the number displayed below the QR code.
  3. When prompted to add an OTP code from your authenticator, on the command line, enter a one-time password generated by your authenticator app.

Sending a one-time password from the command line

If you have enabled 2FA auth-and-writes, you will need to send the OTP from the command line for certain commands to work. To do this, append --otp=123456 (where 123456 is the code generated by your authenticator) at the end of the command. Here are a few examples:

npm publish [<tarball>|<folder>] [--tag <tag>] --otp=123456
npm owner add <user> --otp=123456
npm owner rm <user> --otp=123456
npm dist-tags add <pkg>@<version> [<tag>] --otp=123456
npm access edit [<package>] --otp=123456
npm unpublish [<@scope>/]<pkg>[@<version>] --otp=123456

Removing 2FA from the command line

  1. On the command line, type the following command:

    npm profile disable-2fa
  2. When prompted, enter your npm password:

    npm password:
  3. When prompted for a one-time password, enter a password from your authenticator app:

    Enter one-time password from your authenticator: 123456

Resolving OTP errors

If you are entering what seems to be a valid OTP but you see an error, check that you are using the correct authenticator account. If you have multiple authenticator accounts, an OTP from the wrong account will cause an error, because each account generates codes from its own secret.

Also, when you reset two-factor authentication after it has been disabled, the authenticator might create a second account with the same name. Please see the authenticator documentation to delete the old account.

© npm, Inc. and Contributors
Licensed under the npm License.
npm is a trademark of npm, Inc.
https://docs.npmjs.com/configuring-two-factor-authentication