The npm (Node Package Manager) project announced that mandatory 2FA (two-factor authentication) is being enforced for maintainers of the top 100 npm packages by dependents starting today, with all other publishers to follow by March 1.
The npm announcement comes as no surprise. Just a couple of months ago, the project made its intentions regarding 2FA very clear. By the looks of it, many package maintainers did not act on the request, and the npm administrators are now taking a more direct approach.
npm packages have long been a prime target for attackers and criminals. In some cases they tricked users into installing fake packages, but the main protection 2FA offers is against account takeover with stolen, leaked or phished credentials: a maintainer's password alone is no longer enough to log in and publish. That second factor goes a long way toward preventing third parties from pushing malicious versions of projects with millions of downloads.
“Starting today, we are rolling out mandatory 2FA to our first cohort, all maintainers of top-100 npm packages by dependents,” said npm manager Myles Borins. “Maintainers who do not currently have 2FA enabled will have their web sessions revoked and will need to set up 2FA before they can take specific actions with their accounts, such as changing their email address or adding new maintainers to projects.”
The first cohort consists of maintainers of packages with more than 1 million weekly downloads or more than 500 dependents. All npm accounts will be enrolled in enhanced login verification on March 1. During one week in February, every account will be enrolled for a 24-hour period so that users are not entirely taken by surprise on March 1.
The project also intends to implement WebAuthn, which allows authentication with hardware security keys and biometric devices. Some maintainers will most likely be caught off guard, but 2FA on all npm accounts should make account takeovers far harder and provide a more secure platform for JavaScript libraries.