Unable to Enable 2FA with Authenticator App - Option is Missing

[Alexzjt]

Select Topic Area

Bug

Body

Hi everyone,

I'm trying to set up two-factor authentication (2FA) on my npm account, but I'm unable to find the option to use an authenticator app (like Google Authenticator, Authy, etc.).

What I've Tried
I went to my account settings to enable 2FA. Initially, I thought the "Add Security Key" option was the correct way to link an authenticator app. I tried for a long time but failed in the end. See 181802

I asked a friend who already has 2FA enabled with an authenticator app to show me their settings page. Their page has a dedicated "Authenticator App" section, which clearly states: Authenticator app is configured.

However, this entire "Authenticator App" section is completely missing from my account settings page. There is no UI element for it at all.

Further Verification
To confirm this wasn't an issue specific to my old account, I registered a brand new npm account today to test the flow. During the 2FA setup process, the only option presented to me was to add a "Security Key". The choice to use an authenticator app was never offered.

My Questions
What is the correct procedure to enable 2FA using an authenticator app? Is there a different workflow I'm missing?
Is this a known bug, or is the feature intentionally unavailable for some accounts?
Could this be related to a feature flag or A/B testing, where the authenticator app option is only rolled out to a subset of users?
I would greatly appreciate any clarification or guidance on this. It seems like a fundamental security feature is not accessible.

Thank you for your time and help!

[github-actions[bot]]

💬 Your Product Feedback Has Been Submitted 🎉

Thank you for taking the time to share your insights with us! Your feedback is invaluable as we build a better GitHub experience for all our users.

Here's what you can expect moving forward ⏩

• Your input will be carefully reviewed and cataloged by members of our product teams. 
  • Due to the high volume of submissions, we may not always be able to provide individual responses.
  • Rest assured, your feedback will help chart our course for product improvements.
• Other users may engage with your post, sharing their own perspectives or experiences. 
• GitHub staff may reach out for further clarification or insight. 
  • We may 'Answer' your discussion if there is a current solution, workaround, or roadmap/changelog post related to the feedback.

Where to look to see what's shipping 👀

• Read the Changelog for real-time updates on the latest GitHub features, enhancements, and calls for feedback.
• Explore our Product Roadmap, which details upcoming major releases and initiatives.

What you can do in the meantime 💻

• Upvote and comment on other user feedback Discussions that resonate with you.
• Add more information at any point! Useful details include: use cases, relevant labels, desired outcomes, and any accompanying screenshots.

As a member of the GitHub community, your participation is essential. While we can't promise that every suggestion will be implemented, we want to emphasize that your feedback is instrumental in guiding our decisions and priorities.

Thank you once again for your contribution to making GitHub even better! We're grateful for your ongoing support and collaboration in shaping the future of our platform. ⭐

[leobalter]

this is working as intended. As we informed in September, users can no longer config new TOTP 2fa methods. The Authenticator Apps was previously used for TOTP. Existing configurations are not removed yet, so that's why you could still see it before removing the one that was there.

You can create a new security key for a stronger 2fa method. TOTP is no needed that way.

[meretodev]

@fgatti675 Maybe your token expired?

Try to remove the config and log in again

When i removed my token i finally got prompted for f2a using npm 11.7.0

Obviously us users shouldn't be the ones to try and help each others, but here we are

[fgatti675]

@fgatti675 Maybe your token expired?

Try to remove the config and log in again

When i removed my token i finally got prompted for f2a using npm 11.7.0

Obviously us users shouldn't be the ones to try and help each others, but here we are

I appreciate it! The token is fine, I have also tried creating a new one.
I think this flow is fundamentally flawed or I am hitting a bug.

In any case I urge npm to fix this. This release is cutting too many corners.

In the code of the latest version of npm there is logic to prompt the user with:
? This operation requires a one-time password:

Which means something is wrong because it is absolutely impossible to get a token right now

[johnzook]

For others that dealt with finding and reading this INSANE thread with mostly garbage replies, the underlying fix is not going to come from NPM, although they triggered the behavior and imho, represents poor stewardship.

If you're using changesets for publishing, it's a known issue. changesets only supports OTP. NPM disabled the ability to create new OTP based security keys. Result, unable to publish using changesets unless you have an existing npmjs account with OTP enabled before they removed the option.

changeset issue (fingers crossed, release coming soon)
changesets/changesets#1773

There is a reason for the thumbs down on this accepted answer. It ignores that NPM disabled OTP before ensuring the toolchain didn't still require OTP. Thank you to @Andarist for working on the issue.

And using
npm publish

in directories to publish can get around it for now, but it bypasses the changesets workflow.

[qntm]

If you no longer accept TOTPs then why are you still prompting for TOTPs?

npm notice Publishing to https://registry.npmjs.org/ with tag latest and default access
npm error code EOTP
npm error This operation requires a one-time password from your authenticator.
npm error You can provide a one-time password by passing --otp=<code> to the command you ran.

Additionally, how does one npm publish a new version of a package using a security key instead? The documentation states

If you have enabled 2FA auth-and-writes, authentication will be handled automatically when using security-keys. For commands that require 2FA, you will be prompted to authenticate with your configured 2FA method.

This is not the case, you're still prompting for an OTP?

[giyucodes]

@fgatti675 First npm logout from the command line, create a granular token in the web interface with all permissions and bypass 2fa checked, set it using npm config set //registry.npmjs.org/:_authToken npm_yournewtokenhere and then try npm publish again. It worked for me as a workaround.

Thank you, I was using that workaround until this morning, when it suddently stopped working

so it did worked for me, I enabled my 2FA and saved the passkey in my iOS device, but while configuring the npm token it throws and error saying This command does not support workspaces , anyways I tried npm publish again, and this time it worked and asked for 2FA authentication and opened the browser window with QR code which I scanned from my device and I was able to publish my package, so we don't need any USB security key to publish or packages. This did worked for manual pkg publishing but not sure about automatically publish via CI/CD workflows.

[VictorPulzz]

They create endless problems. I always use TOTP for everything and have never been hacked anywhere. The problem with hacking is only a problem for people who don't know how to practice digital hygiene, and there, a security key is useless!
I want to have different authorization options. Not this brain drain!
Let me take care of my own security. Those fancy words, “we care about your security,” are usually used to the detriment of totalitarian regimes. I should have options for how I want to authenticate myself. My npm with a single package protecting a bunch of programs that are “of course unsafe” is absolute nonsense. If they want to hack, they will hack everyone and everywhere. It's just “opium for the people.” Enough with the empty talk, let users decide for themselves how to set up their own accounts!

[hyperstown]

I don't have physical security key, nor do I have fingerprint reader. Currently browser tells me to touch fingerprint which I don't have! I guess I'm not doing 2FA at all then! Thanks for making my account less secure!

[vanthome]

I simply don't want to and I think Auth apps are enough for the packages I publish, so what can I do?

[diegonc]

Nice, now I cannot upgrade my package. 😡

[josh-endries]

Wow what a horrible decision. You could at least warn people of this BEFORE they remove their 2FA app. I guess I'm done with NPM, or just not have 2FA, a much worse scenario. Nice one guys.

[Mte90]

So basically to upload a new package you need to buy a security usb device.

Ver yakward and impossible to do just for one service...

[diegonc]

I finally managed to upgrade my package by creating some PIN-💩. I don't even know how it worked, but it was somehow linked to the device OS (or browser, who knows).

I won't buy a security USB device just for this.

[skirtles-code]

I typically use KeePassXC for TOTP-based authentication. As others have noted, using TOTP is no longer possible, but KeePassXC also supports passkey-based 2FA, so I'm now using that for npm.

To be clear, you do not need to buy a USB security device or a fingerprint reader or anything else like that. I was able to get KeePassXC working on my laptop without buying any special hardware.

I don't doubt other software is available for this, but in case anyone else is interested in how I got it working...

The documentation for KeePassXC explains in detail the steps required to get passkeys working. The short version is:

1. Install KeePassXC and create a new database.
2. Install the KeePassXC browser extension.
3. Connect the extension to your database.
4. Turn on Enable Passkeys in the extension settings.

Then, when a website such as npmjs.com tries to use WebAuthn to prompt for 2FA, KeePassXC will intercept it and try to handle it. Previously I saw a message asking me to scan a QR code or tap my security key, but now I instead get a pop-up from KeePassXC.

To publish packages I tend to use trusted publishing for GitHub. That avoids the need to provide my passkey for each publish, but you still need 2FA enabled on your account to be able to use trusted publishing. However, I have also tested publishing a package manually and that also works with 2FA. Both npm login and npm publish prompt me with a website URL that allows me to authenticate via my KeePassXC passkey.

[tanveeeer-in]

Fix for npm publish 403 2FA issue (passkey flow)

I had the same issue when publishing a package. The fix was:

1.Go to npmjs.com on mobile
2.Enable Two-Factor Authentication / Passkey (biometric option)
3.Use fingerprint / Face ID to set it up
4.Run npm publish --access public
npm will open a browser authentication link
Open that link on your phone and approve login
Go back to terminal — publish completes successfully

It’s a bit messy flow, but it's the best solution I found to fix the issue.. i hope npmjs will add back authenticator app feature in future....