
How to improve your npm identity security with 2FA and Tokens

Liran Tal ・ 2 min read

Enable 2FA

In October 2017, npm officially announced support for two-factor authentication (2FA) for developers using the npm registry to host their closed and open source packages.

Even though 2FA has been supported on the npm registry for a while now, adoption has been slow. One example is the eslint-scope incident in mid-2018, when a stolen account belonging to an ESLint team member led to a malicious version of eslint-scope being published by bad actors.

The registry supports two modes for enabling 2FA in a user’s account:

  • Authorization-only—when a user logs in to npm via the website or the CLI, or performs other sets of actions such as changing profile information.
  • Authorization and write-mode—profile and log-in actions, as well as write actions such as managing tokens and packages, and minor support for team and package visibility information.

Equip yourself with an authenticator application, such as Google Authenticator, which you can install on a mobile device, and you’re ready to get started.

One easy way to enable the extended protection of 2FA on your account is through npm’s website. If you’re a command line person, you can also enable 2FA with a supported npm client version (>=5.5.1):

$ npm profile enable-2fa auth-and-writes

Follow the command line instructions to enable 2FA and to save your emergency authentication codes. If you wish to enable 2FA for login and profile changes only, replace auth-and-writes with auth-only in the command above.

Use npm author tokens

Every time you log in with the npm CLI, a token is generated for your user and authenticates you to the npm registry. Tokens make it easy to perform npm registry-related actions during CI and automated procedures, such as accessing private modules on the registry or publishing new versions from a build step.

Tokens can be managed through the npm registry website, as well as using the npm command line client.

An example of using the CLI to create a read-only token that is restricted to a specific IPv4 address range is as follows:

$ npm token create --read-only --cidr=192.0.2.0/24

To see which tokens exist for your user, or to revoke a token in an emergency, use npm token list and npm token revoke respectively.
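As an added example that is not part of the original post, the Node.js script below audits a list of tokens for the protections described above (read-only, CIDR-restricted, not too old). The record shape (key, token, readonly, cidr_whitelist, created) is an assumption modelled on what `npm token list --json` prints, and the sample records are constructed, not real tokens.

```javascript
// Constructed sample, shaped like the JSON that `npm token list --json` is
// assumed to print. Token values are masked placeholders, not real secrets.
const SAMPLE_TOKENS = [
  { key: "a1b2c3", token: "npm_****", readonly: true,  cidr_whitelist: ["192.0.2.0/24"],   created: "2021-01-05T10:00:00.000Z" },
  { key: "d4e5f6", token: "npm_****", readonly: false, cidr_whitelist: null,               created: "2019-03-01T10:00:00.000Z" },
  { key: "g7h8i9", token: "npm_****", readonly: false, cidr_whitelist: ["203.0.113.0/24"], created: "2021-06-20T10:00:00.000Z" },
];

// Minimal IPv4 CIDR syntax check: four octets in 0-255 and a prefix length in 0-32.
function isValidIPv4Cidr(cidr) {
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})\/(\d{1,2})$/.exec(String(cidr));
  if (!m) return false;
  const octets = m.slice(1, 5).map(Number);
  return octets.every((o) => o <= 255) && Number(m[5]) <= 32;
}

// Audit each token and return the hygiene findings per token key.
// `now` is fixed so the example is deterministic; pass new Date() for a real run.
function auditTokens(tokens, now = new Date("2021-07-01T00:00:00Z"), maxAgeDays = 365) {
  return tokens.map((t) => {
    const findings = [];
    if (!t.readonly) findings.push("not read-only: this token can publish");
    const cidrs = Array.isArray(t.cidr_whitelist) ? t.cidr_whitelist : [];
    if (cidrs.length === 0) findings.push("no CIDR restriction: usable from any address");
    for (const c of cidrs) {
      if (!isValidIPv4Cidr(c)) findings.push(`malformed CIDR entry: ${c}`);
    }
    const ageDays = (now - new Date(t.created)) / 86400000;
    if (ageDays > maxAgeDays) findings.push(`older than ${maxAgeDays} days: rotate`);
    return { key: t.key, findings };
  });
}

for (const r of auditTokens(SAMPLE_TOKENS)) {
  console.log(r.key, r.findings.length ? r.findings.join("; ") : "ok");
}
```

In a real run, pipe `npm token list --json` into the script and feed the parsed array to auditTokens.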

--

I also blogged about a complete list of 10 npm security best practices you should adopt, in a post that includes a high-resolution printable PDF like the snippet you see below.

Thanks for reading and to Juan Picado from the Verdaccio team who worked with me on it. Check it out


Discussion


Isn't it authentication? Not authorization? The user is permitted to do such actions, like changing their profile. BUT they need to authenticate themselves first. Just wondering because 2FA is Two Factor Authentication. And there are authentication apps, like Google Authenticator. You're using authentication to authorize an action?

Sometimes I have trouble with authentication and authorization, not because the words are very similar but because they kinda hold each other's hands.


Thanks Tari. The lingo of "Authorization-only" and such is as the official npm docs are describing it. See: docs.npmjs.com/about-two-factor-au...

I agree that this is somewhat confusing.


But hey! Thanks for the heads up. Nice article.