undefined | Better HN

Skip to content

Top New Best Ask Show Jobs

0 pointsstaticassertion2mo ago0 comments

Yeah, NPM should be enforcing 2FA and likely phishing resistant 2FA for some packages/ this should be a real control, issuing public audit events for email address changes, and publish events should include information how it was published (trusted publishing, manual publish, etc).

0 comments

9 comments · 2 top-level

efilife2mo ago· 1 in thread

https://docs.npmjs.com/configuring-two-factor-authentication

> Important: Publishing to npm requires either: Two-factor authentication (2FA) enabled on your account, OR A granular access token with bypass 2FA enabled

staticassertionOP2mo ago

I'm assuming the author must have been grandfathered in to TOTP?

erikerikson2mo ago· 6 in thread

Instead they took away TOTP as a factor.

Scaling security with the popularity of a repo does seem like a good idea.

mayhemducks2mo ago

Are there downsides to doing this? This was my first thought - though I also recognize that first thoughts are often naive.

staticassertionOP2mo ago

You don't want "project had X users so it's less safe" to suddenly transition into "now this software has X*10 users so it has to change things", it's disruptive.

erikerikson2mo ago

TOTP although venerable was better than no second factor at all.

moebrowne2mo ago

TOTP isn't phishing resistant

erikerikson2mo ago

No it's not but it's better than nothing. Don't let the perfect be the enemy of the good.

staticassertionOP2mo ago

TOTP seems effectively useless for npm so that seems fine to me

j / k navigate · click thread line to collapse