Forthcoming Npm Update Will Add Two-Factor Authentication – InApps 2022

Npm, the de facto Node.js repository, is integrating support for two-factor authentication in its upcoming 5.5.1 release. This change brings with it additional granular control for security tokens, which can now be set to read-only. The update also includes the much-anticipated ability to change a user email and password from the command-line, instead of requiring a visit to the npm website.

Two-factor authentication requires not only a user name and password but also an additional form of authentication, such as, in npm’s case, a security token placed on a mobile phone, or within another application. This security technology is now table stakes for today’s developer-centered service providers, said CJ Silverio, npm Inc. chief technology officer, noting that two-factor authentication is already in place at GitHub, Gmail, and AWS.

“I’ve been wanting to do this from the first moment I started at npm in 2014. We needed to have two-factor authentication, like all the other tools we use. You get an account on GitHub, you set up two-factor authentication. You get an account on AWS, you turn on two-factor authentication. That’s just what you do. You make it a little bit harder for people to steal your credentials.”

Silverio also said that npm is the first package manager to include two-factor authentication.

With these capabilities, said Silverio, comes, “Better control of npm auth tokens. You can generate a read-only token for use with your testing CI service. You can limit the scope of powers you give to your authentication tokens. If you’re testing on Travis CI, you can give Travis a read-only token. If you leak it, which happens frighteningly more often than it should, it’s something that can read and not publish.”

That also means users with their own packages inside of the npm registry can authenticate their identity when making changes to software that is likely used by thousands of JavaScript developers.

Coupled with npm’s introduction of its Orgs package organization capability, which allows enterprises (and others) to delineate their own namespace within the npm registry to create a blessed corporate selection of libraries for their developers, this will push further security for enterprise users.

Eventually, the plan, said Silverio, is, “To have an Orgs turn-on require two-factor authentication of the for all people in it. That’s a feature we are almost certainly going to ship in our next minor release: requiring two-factor authentication for publishing specific packages.”

So while not everyone will be required to use two-factor authentications quite yet, for the larger, more popular projects inside npm, two-factor is going to become the norm.

Silverio also intimated that coming releases of npm will include further granularization of the controls around auth tokens, giving teams better control over each individual user and usage of their software. The team is also working on some performance improvements for npm overall.

Feature image via Pixabay.