You can enable two-factor authentication (2FA) on your npm user account to protect against unauthorized access to your account and packages.
Before you enable 2FA on your npm user account, you must:
Note: npm does not accept SMS (text-to-phone) as a 2FA method.
On the profile settings page, under "Two-Factor Authentication", click Enable 2FA.
On the 2FA settings page, select the mode you would like to enable. For more information, see "Two-factor authentication modes on npm".
Open your authenticator application on your phone, and, on the two-step verification page, scan the QR code with your phone.
Enter the code generated by the app, then click Verify.
On the recovery code page, copy the recovery codes to your computer or other safe location that is not your second factor device. We recommend using a password manager to save your recovery codes. If you are unable to access your phone, you will need to enter a recovery code when prompted for a one-time password.
Click Go back to settings.
If you have 2FA enabled, you can remove it from your profile settings page.
On the profile settings page, under "Two-Factor Authentication", click Modify 2FA.
On the 2FA settings page, under "What should we protect?", select "Disable".
Note: Settings you configure on the command line will also apply to your profile settings on the npm website.
npm profilecommand along with the option for the 2FA mode you want to enable:
npm profile enable-2fa auth-and-writes
npm profile enable-2fa auth-only
If you have enabled 2FA auth-and-writes, you will need to send the OTP from the command line for certain commands to work. To do this, append
--otp=123456 (where 123456 is the code generated by your authenticator) at the end of the command. Here are a few examples:
npm publish [<tarball>|<folder>][--tag <tag>] --otp=123456npm owner add <user > --otp=123456npm owner rm <user> --otp=123456npm dist-tags add <pkg>@<version> [<tag>] --otp=123456npm access edit [<package>) --otp=123456npm unpublish [<@scope>/]<pkg>[@<version>] --otp=123456
On the command line, type the following command:
npm profile disable-2fa
When prompted, enter your npm password:
When prompted for a one-time password, enter a password from your authenticator app:
Enter one-time password from your authenticator: 123456
If you are entering what seems to be a valid OTP but you see an error, be sure that you are using the correct authenticator account. If you have multiple authenticator accounts, using an OTP from the wrong account will cause an error.
If you see an error when you enter a valid OTP, check that you are using the correct authenticator account.
Also, when you reset two-factor authentication after it has been disabled, the authenticator might create a second account with the same name. Please see the authenticator documentation to delete the old account.