Why is npm getting rid of TOTP as 2FA authentication method?

[prahladyeri]

Select Topic Area

Question

Body

I've been aghast to know that npm is now phasing out TOTP as a legitimate 2FA method of authentication and replacing it with more intrusive and authoritarian methods like FIDO and Webauthn.

It's a bit perplexing that an organization that apparently stands up for Open Source as a way of life would introduce such a closed and walled garden approach of authentication which may not be accessible to everyone. Those on Linux Desktops such as Mint or Fedora, or those using an open source browser like Firefox, may not have access to these chosen new 2FA methods.

I'd also like to know what exactly is the issue with TOTP as an authentication system, what do the proponents of this new system think is wrong with it?

[gunavardhangolagani]

Hi @prahladyeri ,

The main reason npm is phasing out TOTP is security.
TOTP codes can still be phished or relayed in real time, and the shared secret can be stolen if your device is compromised. Recent supply-chain attacks on npm maintainers showed that even users with TOTP 2FA could be tricked into giving up their codes.

FIDO/WebAuthn (like hardware keys or passkeys) are phishing-resistant the private key never leaves your device and authentication is bound to the site’s domain, so it can’t be reused elsewhere.

That said, many developers share your concern about accessibility especially those on Linux or open-source browsers.
GitHub has said they’re working to improve cross-platform support, but for now FIDO/WebAuthn is considered the most secure option available.

[prahladyeri]

Thanks for the response.

TOTP codes can still be phished or relayed in real time

While this is true, it can be said about any kind of credential including emails and passwords, security codes, API tokens, OTPs, etc. Shouldn't it be the responsibility of a package maintainer or developer to ensure their own device security and not fall for phishing scams?

At most, NPM could suggest or recommend FIDO/WebAuthn while setting up the 2FA methods but having an all or none approach and removing TOTP option entirely seems going too far.

[vindicatorr]

Recent supply-chain attacks on npm maintainers showed that even users with TOTP 2FA could be tricked into giving up their codes.

Looks like they could then be tricked into giving up their passkey private key as well. POC with keepass allowing me to export the passkey, and I see the data in JSON with "privateKey".

private key never leaves your device and authentication is bound to the site’s domain, so it can’t be reused elsewhere.

Is the TOTP code not bound to the domain? They are the ones that issued it, no?

[3nprob]

FYI:

There is a community thread for this topic here: https://github.com/orgs/community/discussions/174505 (consider upvoting)

GitHub recently posted an update on their plans here: https://github.com/orgs/community/discussions/178140

[LeonMueller-OneAndOnly]

That the only 2FA method npm provides to users now are hardware keys is a HUGE security issue and achieves the opposite of the intended effect. Way fewer people are willing to use that...

[Yan-Santana]

That the only 2FA method npm provides to users now are hardware keys is a HUGE security issue and achieves the opposite of the intended effect. Way fewer people are willing to use that...

[Guten-Morgen1302]

Thanks for the question! npm is moving away from TOTP primarily due to security concerns and not because of any preference toward proprietary or “closed” systems.

TOTP codes can be phished or intercepted, especially during targeted supply-chain attacks. Attackers can trick users into entering their one-time codes on fake sites, or capture them in real time and immediately reuse them. For a large package ecosystem like npm, this risk is significant because account compromise can lead to widespread malicious package publication.

FIDO/WebAuthn-based 2FA provides strong protection against these attacks. These methods are phishing-resistant, since authentication is bound to the legitimate domain and the private key never leaves the user’s device. This is why many ecosystems (npm, GitHub, Google, GitLab, etc.) are standardizing around them.

Regarding accessibility:
WebAuthn support has expanded widely — Linux distributions and Firefox do support hardware keys and WebAuthn flows, but some setups may require additional configuration. npm is continuing to improve support and documentation for these environments.

To summarize:

Why phase out TOTP? It’s still better than nothing, but it’s vulnerable to phishing and real-time interception.

Why WebAuthn/FIDO? They are phishing-resistant, more secure for a large software registry, and now broadly supported across platforms.

Accessibility? The shift isn’t intended to exclude users; compatibility on Linux and open-source browsers is supported and continually improving.

Hope this helps clarify the reasoning behind the transition!

[LeonMueller-OneAndOnly]

Thank for the detailed answer. I agree with you that WebAuthn "Passkeys" provide stronger protection against phishing. But they are less adopted by users, especially in teams / organisations. Since sharing them is hard / not natively supported and therefore always leads to huge friction when wanting to share a master account, like one would typically do with NPM.

With the raising popularitry of NPM worms like Shai-Hulud 1 & 2 (https://www.wiz.io/blog/shai-hulud-2-0-ongoing-supply-chain-attack), the only effective solution forward is going to be to enforce / heavily recommend 2FA.

Blocking people from using a 2FA solution that they know & that works for them in their professional settings, is a very bad idea and i want to advocate strongly against it.

Encourage users to use these WebAuthn-Keys, but leave an option for classic TOTP-tokens.

My whole concern can be summarized by this:

P(phishing ∣ already uses 2FA) << P(no 2FA usage due to restrictions)