Using Two-Factor Authentication

To meet the increasing need for strong digital security, npm has introduced two-factor authentication (2FA). Two-factor authentication prevents unauthorized access to your account by confirming your identity using two methods. One factor is something you know, such as your username and password, the other factor is something you have, such as a phone or tablet device. For example, if your bank uses 2FA, the first time you logged in to your online banking system, the bank sent a code to your cell phone number, then prompted you to enter the code online, proving that the cell phone was in your possession and linking it to your account for authentication. After that, if the bank detects anything unusual, such as a login from a different laptop, it will send a temporary code to your phone that you must enter before you can login. This provides an extra layer of security because, even if someone obtains your login credentials, they are unlikely to have your device in their possession as well. Two-factor authentication multiplies the protection against attacks, and we recommend that you implement this with your npm account.


To enable 2FA with your npm account, you will need an application that can generate a One Time Password, or OTP. For example, Authy or Google Authenticator, can generate one time passwords (OTP's). These products use a Time-Based One-Time Password Algorithm (TOTP) to create temporary codes. Install the application on a mobile device or a second laptop that will always be available when you work in your npm account. (Note: npm does not use SMS (text-to-phone) as a method for authenticating users.)

Levels of Authentication

There are two levels of authentication, auth-only and auth-and-writes.

If you enable 2FA in auth-only mode, npm will require an OTP when you:

If you enable 2FA in auth-and-writes mode, which is the default, npm will require an OTP when you:

To add the OTP to a command, append it as shown:

npm owner add <user > --otp=123456

Other examples are listed below.

How Do I Enable 2FA?

To require two-factor authentication, type the command that meets the level of security you wish to apply (auth-and-writes is the default).

    npm profile enable-2fa
    npm profile enable-2fa auth-and-writes 
    npm profile enable-2fa auth-only

npm will return this message:

    > npm notice profile Enabling two factor authentication for auth-and-writes   

or this message:

  > npm notice profile Enabling two factor authentication for auth-only

depending on the setting you provided.

Next, npm will display a QR code:

Masked QR Code And Prompt

  1. Add a new account to your authenticator app.
  2. Scan the QR code, or enter the number displayed just below the QR code.

This will configure the authenticator app for future use, linking authentication to the device that generated the authentication.

Using your authenticator app, enter an OTP at the prompt shown:

    Add an OTP code from your authenticator:

After you have entered the one-time password, npm will display this message:

2FA successfully enabled. 
Below are your recovery codes, please print these out. 
You will need these to recover access to your account 
if you lose your authentication device.

Recovery Codes

As described above, after you set up two-factor authentication, a series of recovery codes will appear on your screen. Please print them and save them as described. Note: Some authenticator applications provide a method for you to store recovery codes.

>**WARNING**: Save these codes in a location that is not 
normally near the device you use to authenticate. 
If you lose the device, the codes are required to login. 
The recovery procedure is explained below.

How to Remove Two-Factor Authentication from your Profile

To remove 2FA from your profile, type this command:

    npm profile disable-2fa

npm will prompt for your password:

    > npm password:   

Enter your npm password as prompted, then npm will display:

   >Enter one-time password from your authenticator: 123456

npm will confirm:

   Two factor authentication disabled.   

How to Send an OTP Value from the Command Line

If you have enabled 2FA auth-and-writes, you will need to send the OTP from the command line for certain commands. To do this, append --otp=123456 (where 123456 is the code genearated by your authenticator) at the end of the command. Here are a few examples:

npm publish [<tarball>|<folder>][--tag <tag>] --otp=123456
npm owner add <user > --otp=123456
npm owner rm <user> --otp=123456
npm dist-tags add <pkg>@<version> [<tag>] --otp=123456
npm access edit [<package>) --otp=123456
npm unpublish [<@scope>/]<pkg>[@<version>] --otp=123456

What to Do if You Misplace Your Second Device

If you cannot locate the device that provided second-factor authentication:

  1. Find the recovery codes you saved when you enabled 2FA.
  2. If you are logged out, login normally using your login and npm password. When prompted for an OTP, enter a recovery code.
  3. Once you are logged in, type npm profile disable-2fa and enter your npm password if prompted.
  4. Enter an unused recovery code when you see this prompt:
 >Enter one-time password from your authenticator: 
  1. npm will confirm that two-factor authenication has been disabled.
  2. type npm profile enable-2fa to re-enable 2FA, assign a different device to your account, and generate new recovery codes.

If you have misplaced your recovery codes, please contact npm customer support.


Settings you define using the Command Line Interface (CLI) will also apply to the website. At this time, you can only activate 2FA from the command line.

Last modified October 19, 2017           Found a typo? Send a pull request!

npm Services

Getting Started

How npm works

Private Modules


Using npm

CLI Commands

Configuring npm

npm policy documents

View All On One Page