Comment by staticassertion
24 days ago
Yeah, NPM should be enforcing 2FA, and likely phishing-resistant 2FA for some packages; this should be a real control, issuing public audit events for email address changes, and publish events should include information on how it was published (trusted publishing, manual publish, etc.).
https://docs.npmjs.com/configuring-two-factor-authentication
> Important: Publishing to npm requires either: Two-factor authentication (2FA) enabled on your account, OR A granular access token with bypass 2FA enabled
I'm assuming the author must have been grandfathered in to TOTP?
Instead they took away TOTP as a factor.
Scaling security with the popularity of a repo does seem like a good idea.
Are there downsides to doing this? This was my first thought - though I also recognize that first thoughts are often naive.
You don't want "project had X users so it's less safe" to suddenly transition into "now this software has X*10 users so it has to change things"; it's disruptive.
TOTP, although venerable, was better than no second factor at all.
TOTP isn't phishing-resistant.
No it's not but it's better than nothing. Don't let the perfect be the enemy of the good.
TOTP seems effectively useless for npm so that seems fine to me
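The thread's point that publish events should record how a version was published can be checked today, to a degree, from the registry's own package document: versions published through trusted publishing carry a provenance attestation in their `dist` metadata, while manual publishes do not. The script below is an added example written for this page, not code from the commenters or from npm; it assumes the package document shape shown in the constructed `SAMPLE_PACKUMENT` (in particular the `dist.attestations.provenance` field and the `time` map used for ordering), and flags the pattern a defender would want to notice: a package that previously shipped with provenance publishes a `latest` version without it.

```python
import json

# Constructed packument excerpt for illustration only (not a real package).
# The layout follows what the npm registry returns for a package document; the
# exact shape of dist.attestations is an assumption and should be confirmed
# against the live registry before relying on it.
SAMPLE_PACKUMENT = json.dumps({
    "name": "example-package",
    "dist-tags": {"latest": "1.2.0"},
    "time": {
        "1.0.0": "2024-01-10T09:00:00.000Z",
        "1.1.0": "2024-03-02T12:30:00.000Z",
        "1.2.0": "2024-06-15T22:41:00.000Z",
    },
    "versions": {
        "1.0.0": {"dist": {
            "tarball": "https://registry.example/example-package/-/example-package-1.0.0.tgz",
            "integrity": "sha512-CONSTRUCTED0",
        }},
        "1.1.0": {"dist": {
            "tarball": "https://registry.example/example-package/-/example-package-1.1.0.tgz",
            "integrity": "sha512-CONSTRUCTED1",
            # Published via trusted publishing: provenance attestation present.
            "attestations": {
                "url": "https://registry.example/-/npm/v1/attestations/example-package@1.1.0",
                "provenance": {"predicateType": "https://slsa.dev/provenance/v1"},
            },
        }},
        "1.2.0": {"dist": {
            # Latest version published without provenance (e.g. a manual publish).
            "tarball": "https://registry.example/example-package/-/example-package-1.2.0.tgz",
            "integrity": "sha512-CONSTRUCTED2",
        }},
    },
})


def has_provenance(version_doc: dict) -> bool:
    """True when a version's dist metadata carries a provenance attestation."""
    attestations = version_doc.get("dist", {}).get("attestations") or {}
    return "provenance" in attestations


def provenance_report(packument_json: str) -> dict:
    """Map each version to whether it was published with provenance,
    ordered by publish time (oldest first) using the packument's 'time' map."""
    doc = json.loads(packument_json)
    times = doc.get("time", {})
    ordered = sorted(doc["versions"], key=lambda v: times.get(v, ""))
    return {v: has_provenance(doc["versions"][v]) for v in ordered}


def unattested_versions(packument_json: str) -> list:
    """Versions that lack a provenance attestation, oldest first."""
    return [v for v, ok in provenance_report(packument_json).items() if not ok]


def latest_regressed(packument_json: str) -> bool:
    """True if the 'latest' tag lacks provenance although some earlier
    version had it. A package that used trusted publishing and then ships
    a version without provenance deserves a closer look before upgrading."""
    doc = json.loads(packument_json)
    latest = doc["dist-tags"]["latest"]
    report = provenance_report(packument_json)
    ordered = list(report)
    earlier = ordered[:ordered.index(latest)]
    return (not report[latest]) and any(report[v] for v in earlier)


if __name__ == "__main__":
    for version, ok in provenance_report(SAMPLE_PACKUMENT).items():
        print(f"{version}: {'provenance' if ok else 'NO provenance'}")
    if latest_regressed(SAMPLE_PACKUMENT):
        print("warning: latest version dropped provenance; review before upgrading")
```

On a real package document the same functions work unchanged once you fetch the JSON for the package from the registry; the regression check is deliberately conservative and only fires when provenance was present before and is missing on `latest`, so packages that never used trusted publishing are not flagged by it.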