Requiring 2FA for package publishing and settings modification

All packages now require two-factor authentication (2FA) or a granular access tokens with bypass 2FA enabled for creating and publishing packages.

Modifying a package's settings also requires two-factor authentication (2FA).

For CI/CD workflows, consider using trusted publishing, which provides secure, token-free publishing that automatically enforces strong authentication without requiring manual token management.

Configuring two-factor authentication on package settings

1. On the npm "Sign In" page, enter your account details and click Sign In.

2. Navigate to the package on which you want to require a second factor to publish or modify settings.

3. Click Settings.

   

4. Under "Publishing access", select the requirements to publish a package.

   1. Require two-factor authentication or a granular access token with bypass 2fa enabled (Default)
      This is the default option for all new packages. With this option, maintainers must have two-factor authentication enabled for their account. If they publish a package interactively, using the npm publish command, they will be required to respond to a 2FA prompt when they perform the publish. However, maintainers may also create a granular access token with bypass 2FA enabled and use that for a non-interactive publish.
   2. Require two-factor authentication and disallow tokens (Recommended) With this option, a maintainer must have two-factor authentication enabled for their account, and they must publish interactively. Maintainers will be required to respond to a 2FA prompt when they perform the publish. Granular access tokens cannot be used to publish packages, regardless of their bypass 2FA setting.
   

5 . Click Update Package Settings.

Edit this page on GitHub

10 contributorsshmamkarenjligeneralmimonleobalterdependabot[bot]lukekarrysericmuttamonishcmb4mbooethomson

Last edited by shmam on December 10, 2025