Configuring two-factor authentication

You can enable two-factor authentication (2FA) on your npm user account to protect against unauthorized access to your account and packages.

Prerequisites

Before you enable 2FA on your npm user account, you must:

Note: npm does not accept SMS (text-to-phone) as a 2FA method.

Configuring 2FA on the web

Enabling 2FA on the web

  1. Log in to npm with your user account.
  2. In the upper right corner of the page, click your profile picture, then click Profile Settings.
  3. On the profile settings page, under “Two Factor Authentication”, click Enable 2FA.
  4. On the 2FA settings page, select the mode you would like to enable. For more information, see “Two-factor authentication modes on npm”.
  5. Click Submit.
  6. Open your authenticator application on your phone, and, on the two-step verification page, scan the QR code with your phone.
  7. Enter the code generated by the app, then click Verify.
  8. On the recovery code page, copy the recovery codes to your computer or another safe location that is not your second-factor device. We recommend using a password manager to save your recovery codes. If you are unable to access your phone, you will need to enter a recovery code when prompted for a one-time password.
  9. Click Go back to settings.

Removing 2FA on the web

If you have 2FA enabled, you can remove it from your profile settings page.

  1. Log in to npm with your user account.
  2. In the upper right corner of the page, click your profile picture, then click Profile Settings.
  3. On the profile settings page, under “Two Factor Authentication”, click Modify 2FA.
  4. On the 2FA settings page, under “What should we protect?”, select “Disable”.
  5. Click Submit.

Configuring 2FA from the command line

Enabling 2FA from the command line

Note: Settings you configure on the command line will also apply to your profile settings on the npm website.

  1. On the command line, type the npm profile command along with the option for the 2FA mode you want to enable:
    • To enable 2FA for authorization and writes, type:
      npm profile enable-2fa auth-and-writes
    • To enable 2FA for authorization only, type:
      npm profile enable-2fa auth-only
  2. To add npm to your authenticator application, using the device with the app, you can either:
    • scan the QR code displayed on the command line.
    • type the number displayed below the QR code.
  3. When prompted to add an OTP code from your authenticator, on the command line, enter a one-time password generated by your authenticator app.

Sending a one-time password from the command line

If you have enabled 2FA in auth-and-writes mode, you will need to send the OTP from the command line for certain commands to work. To do this, append --otp=123456 (where 123456 is the code generated by your authenticator) at the end of the command. Here are a few examples:

npm publish [<tarball>|<folder>] [--tag <tag>] --otp=123456
npm owner add <user> --otp=123456
npm owner rm <user> --otp=123456
npm dist-tags add <pkg>@<version> [<tag>] --otp=123456
npm access edit [<package>] --otp=123456
npm unpublish [<@scope>/]<pkg>[@<version>] --otp=123456
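The following wrapper is an added example and not part of npm or this page: it shows one way to apply the --otp flag described above from a script while keeping the one-time password out of shell history. The function names (validate_otp, with_otp, npm_otp) and the six-digit format check are this example's own assumptions; npm itself simply accepts whatever value you pass to --otp.

```shell
#!/bin/sh
# Added example, not npm's own tooling. Prompts for the one-time password
# with echo turned off, checks that it looks like an authenticator code, and
# only then appends --otp=<code> to the npm command that follows.
# Function and variable names are this example's own choices.

# validate_otp CODE
# Returns 0 when CODE is exactly six ASCII digits (assumed format of the codes
# authenticator apps produce for npm), 1 otherwise. Rejecting malformed input
# early avoids sending a typo to the registry as the --otp value.
validate_otp() {
  case "$1" in
    [0-9][0-9][0-9][0-9][0-9][0-9]) return 0 ;;
    *) return 1 ;;
  esac
}

# with_otp CODE COMMAND [ARGS...]
# Runs COMMAND with ARGS and --otp=CODE appended, after validating CODE.
# Example: with_otp 123456 npm publish ./pkg.tgz
with_otp() {
  code="$1"
  shift
  if ! validate_otp "$code"; then
    printf 'with_otp: expected a 6-digit one-time password\n' >&2
    return 2
  fi
  "$@" "--otp=$code"
}

# npm_otp COMMAND [ARGS...]
# Interactive front end: reads the OTP with terminal echo disabled so the code
# is not recorded in shell history or left in the scrollback, then delegates
# to with_otp. Uses stty rather than read -s so it stays POSIX sh compatible.
npm_otp() {
  printf 'Enter one-time password from your authenticator: ' >&2
  old_stty=$(stty -g 2>/dev/null)
  stty -echo 2>/dev/null
  read -r code
  [ -n "$old_stty" ] && stty "$old_stty" 2>/dev/null
  printf '\n' >&2
  with_otp "$code" "$@"
}

# Usage (not executed here):
#   npm_otp npm publish ./pkg.tgz
#   npm_otp npm owner add <user>
```

Source the file and call npm_otp in front of any command from the list above; the OTP is asked for interactively and only the resulting npm invocation (with the code already attached) is executed, so the same command line works for publish, owner, dist-tags, access and unpublish.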

Removing 2FA from the command line

  1. On the command line, type the following command:
     npm profile disable-2fa

  2. When prompted, enter your npm password:
     > npm password:

  3. When prompted for a one-time password, enter a password from your authenticator app:
     > Enter one-time password from your authenticator: 123456


Resolving OTP errors

If you are entering what seems to be a valid OTP but you see an error, check that you are using the correct authenticator account. If you have multiple authenticator accounts, using an OTP from the wrong account will cause an error.

Also, when you re-enable 2FA after it has been disabled, the authenticator might create a second account with the same name. See your authenticator's documentation for how to delete the old account.
