npm enrolls Top 100 package maintainers into mandatory 2FA
npm, which is owned by GitHub, began enforcing the new security requirement yesterday, February 1, 2022.
“Maintainers who do not currently have 2FA enabled will have their web sessions revoked and will need to set up 2FA before they can take specific actions with their accounts, such as changing their email address or adding new maintainers to projects,” the GitHub security team said in a blog post.
In many cases, such maintainer accounts are hijacked because project maintainers use easy-to-guess passwords or reuse passwords that were previously leaked in breaches at other companies.
The first phase of this process took place between December 7, 2021, and January 4, 2022, when the npm team rolled out a new feature called “enhanced login verification” for all npm package maintainers.
This feature works by emailing a one-time passcode to the account owner each time they log into their npm account.
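As an added illustration of the server-side half of an email one-time-passcode step like the one described above (this is example code, not npm's or GitHub's implementation), the following Python module issues a code for an account, stores only a salted hash of it, and accepts it once within a validity window, with a cap on wrong guesses. The code length, validity window and attempt limit are assumed values chosen for the example.

```python
"""Added example (not npm's code): a minimal email one-time-passcode (OTP)
login step. OTP_DIGITS, OTP_TTL_SECONDS and MAX_ATTEMPTS are assumptions."""
import hashlib
import hmac
import secrets
import time

OTP_DIGITS = 6          # assumed length of the emailed code
OTP_TTL_SECONDS = 600   # assumed validity window (10 minutes)
MAX_ATTEMPTS = 5        # assumed number of wrong guesses before the code is discarded


class OtpStore:
    """Pending codes keyed by account. Only a salted hash of each code is kept,
    so a leaked store does not hand out live codes. A 6-digit code is small,
    so the attempt limit and short TTL, not the hash, defend against guessing."""

    def __init__(self, now=time.time):
        self._now = now  # injectable clock so expiry can be tested offline
        self._pending = {}  # account -> (salt, code_hash, expires_at, attempts)

    def issue(self, account: str) -> str:
        """Generate a fresh code for `account`; the caller emails it to the owner.
        Reissuing replaces any code still pending for that account."""
        # secrets.randbelow is CSPRNG-backed; zero-pad to a fixed width
        code = f"{secrets.randbelow(10 ** OTP_DIGITS):0{OTP_DIGITS}d}"
        salt = secrets.token_bytes(16)
        expires_at = self._now() + OTP_TTL_SECONDS
        self._pending[account] = (salt, self._hash(salt, code), expires_at, 0)
        return code

    def verify(self, account: str, submitted: str) -> bool:
        """Return True exactly once for the correct, unexpired code."""
        entry = self._pending.get(account)
        if entry is None:
            return False  # nothing pending (never issued, already used, or discarded)
        salt, code_hash, expires_at, attempts = entry
        if self._now() > expires_at or attempts >= MAX_ATTEMPTS:
            del self._pending[account]  # stale or exhausted: require a new code
            return False
        if hmac.compare_digest(code_hash, self._hash(salt, submitted)):
            del self._pending[account]  # single use: a replayed code fails
            return True
        self._pending[account] = (salt, code_hash, expires_at, attempts + 1)
        return False

    @staticmethod
    def _hash(salt: bytes, code: str) -> bytes:
        return hashlib.sha256(salt + code.encode()).digest()


def demo_flow():
    """Walk through wrong guess, correct code, replay and expiry on a fake clock.
    Returns (wrong_guess, correct, replay, expired)."""
    clock = [1_000.0]
    store = OtpStore(now=lambda: clock[0])
    code = store.issue("maintainer@example.test")  # constructed account name
    guess = "000001" if code == "000000" else "000000"
    wrong_guess = store.verify("maintainer@example.test", guess)
    correct = store.verify("maintainer@example.test", code)
    replay = store.verify("maintainer@example.test", code)
    code2 = store.issue("maintainer@example.test")
    clock[0] += OTP_TTL_SECONDS + 1  # advance past the validity window
    expired = store.verify("maintainer@example.test", code2)
    return wrong_guess, correct, replay, expired


def demo_attempt_limit():
    """After MAX_ATTEMPTS wrong guesses even the right code is refused."""
    store = OtpStore(now=lambda: 0.0)
    code = store.issue("acct")
    for _ in range(MAX_ATTEMPTS):
        store.verify("acct", "x")  # never matches a digit-only code
    return store.verify("acct", code)


if __name__ == "__main__":
    print(demo_flow())          # (False, True, False, False)
    print(demo_attempt_limit())  # False
```

The two behaviours worth checking in any implementation of this step are that a code cannot be replayed after a successful login and that it stops working after the validity window, which is why both are exercised by `demo_flow` on an injected clock rather than on real time.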
At the time, npm announced plans to eventually make 2FA mandatory for all users. That process started this week with the owners of the Top 100 most popular packages, ranked by dependents, and will continue later this year with the owners of the Top 500 packages.
GitHub also plans to add WebAuthn support for npm accounts to allow project maintainers to use security keys to authenticate on the site beyond the email and SMS 2FA options they have right now.