GitHub announces enhanced 2FA experience for npm accounts

Today, GitHub has launched a new public beta to notably improve the two-factor authentication (2FA) experience for all npm user accounts.

Myles Borins, Open Source Product Manager at GitHub, said that the code hosting platform now allows npm accounts to register “multiple second factors, such as security keys, biometric devices, and authentication applications.”

It has also introduced a new 2FA configuration menu that allows users to manage registered keys and recovery codes.

Additional features available starting today include the ability to view and regenerate recovery codes and full command-line interface (CLI) support.

Those enrolled in this public beta will be able to log in and publish via the CLI using physical security keys and biometric devices.

These changes come after a December rollout of enhanced login verification to all npm publishers in response to a massive series of account takeovers.

Two months later, GitHub enforced 2FA for all publishers of the top-100 packages by dependent, with all publishers of top-500 and high-impact packages enrolled in early 2022.

2FA roll-out across the platform

GitHub also revealed last week that all active code contributors (an estimated 83 million developers in total) will be required to enable two-factor authentication (2FA) on their accounts until the end of next year.

Developers can use multiple 2FA options to secure their accounts, including physical security keys, virtual security keys built into devices like phones or laptops, and Time-based One-Time Password (TOTP) authenticator apps.

Although SMS-based 2FA is also an option (only in some countries), GitHub urged users to switch to security keys or TOTPs, given that threat actors can bypass SMS 2FA or steal auth tokens sent over SMS.

GitHub also improved account security over the years by adding sign-in alerts, two-factor authentication, and WebAuthn support.

Today’s public beta push towards increased npm account security is GitHub’s latest step to protect the software supply chain from attacks by moving away from basic password-based auth.