Unable to Enable 2FA with Authenticator App - Option is Missing

[Alexzjt]

Select Topic Area

Bug

Body

Hi everyone,

I'm trying to set up two-factor authentication (2FA) on my npm account, but I'm unable to find the option to use an authenticator app (like Google Authenticator, Authy, etc.).

What I've Tried
I went to my account settings to enable 2FA. Initially, I thought the "Add Security Key" option was the correct way to link an authenticator app. I tried for a long time but failed in the end. See 181802

I asked a friend who already has 2FA enabled with an authenticator app to show me their settings page. Their page has a dedicated "Authenticator App" section, which clearly states: Authenticator app is configured.

However, this entire "Authenticator App" section is completely missing from my account settings page. There is no UI element for it at all.

Further Verification
To confirm this wasn't an issue specific to my old account, I registered a brand new npm account today to test the flow. During the 2FA setup process, the only option presented to me was to add a "Security Key". The choice to use an authenticator app was never offered.

My Questions
What is the correct procedure to enable 2FA using an authenticator app? Is there a different workflow I'm missing?
Is this a known bug, or is the feature intentionally unavailable for some accounts?
Could this be related to a feature flag or A/B testing, where the authenticator app option is only rolled out to a subset of users?
I would greatly appreciate any clarification or guidance on this. It seems like a fundamental security feature is not accessible.

Thank you for your time and help!

[github-actions[bot]]

💬 Your Product Feedback Has Been Submitted 🎉

Thank you for taking the time to share your insights with us! Your feedback is invaluable as we build a better GitHub experience for all our users.

Here's what you can expect moving forward ⏩

• Your input will be carefully reviewed and cataloged by members of our product teams. 
  • Due to the high volume of submissions, we may not always be able to provide individual responses.
  • Rest assured, your feedback will help chart our course for product improvements.
• Other users may engage with your post, sharing their own perspectives or experiences. 
• GitHub staff may reach out for further clarification or insight. 
  • We may 'Answer' your discussion if there is a current solution, workaround, or roadmap/changelog post related to the feedback.

Where to look to see what's shipping 👀

• Read the Changelog for real-time updates on the latest GitHub features, enhancements, and calls for feedback.
• Explore our Product Roadmap, which details upcoming major releases and initiatives.

What you can do in the meantime 💻

• Upvote and comment on other user feedback Discussions that resonate with you.
• Add more information at any point! Useful details include: use cases, relevant labels, desired outcomes, and any accompanying screenshots.

As a member of the GitHub community, your participation is essential. While we can't promise that every suggestion will be implemented, we want to emphasize that your feedback is instrumental in guiding our decisions and priorities.

Thank you once again for your contribution to making GitHub even better! We're grateful for your ongoing support and collaboration in shaping the future of our platform. ⭐

[leobalter]

this is working as intended. As we informed in September, users can no longer config new TOTP 2fa methods. The Authenticator Apps was previously used for TOTP. Existing configurations are not removed yet, so that's why you could still see it before removing the one that was there.

You can create a new security key for a stronger 2fa method. TOTP is no needed that way.

[fgatti675]

Just to clarity, if I try to deploy I get asked to enter a OTP I don't have.
I get sent here: https://docs.npmjs.com/accessing-npm-using-2fa
which I assume is outdated. If I follow the isntructions I don't get a OTP because I have a passkey.
So no publishing for me.
The workaround of the npm token was working until a few hours ago, and the it stopped.
I need a solution URGENTLY

Can you try to run

npm -v

~ npm -v
11.7.0

[fgatti675]

@fgatti675 First npm logout from the command line, create a granular token in the web interface with all permissions and bypass 2fa checked, set it using npm config set //registry.npmjs.org/:_authToken npm_yournewtokenhere and then try npm publish again. It worked for me as a workaround.

Thank you, I was using that workaround until this morning, when it suddently stopped working

[meretodev]

@fgatti675 Maybe your token expired?

Try to remove the config and log in again

When i removed my token i finally got prompted for f2a using npm 11.7.0

Obviously us users shouldn't be the ones to try and help each others, but here we are

[fgatti675]

@fgatti675 Maybe your token expired?

Try to remove the config and log in again

When i removed my token i finally got prompted for f2a using npm 11.7.0

Obviously us users shouldn't be the ones to try and help each others, but here we are

I appreciate it! The token is fine, I have also tried creating a new one.
I think this flow is fundamentally flawed or I am hitting a bug.

In any case I urge npm to fix this. This release is cutting too many corners.

In the code of the latest version of npm there is logic to prompt the user with:
? This operation requires a one-time password:

Which means something is wrong because it is absolutely impossible to get a token right now

[johnzook]

For others that dealt with finding and reading this INSANE thread with mostly garbage replies, the underlying fix is not going to come from NPM, although they triggered the behavior and imho, represents poor stewardship.

If you're using changesets for publishing, it's a known issue. changesets only supports OTP. NPM disabled the ability to create new OTP based security keys. Result, unable to publish using changesets unless you have an existing npmjs account with OTP enabled before they removed the option.

changeset issue (fingers crossed, release coming soon)
changesets/changesets#1773

There is a reason for the thumbs down on this accepted answer. It ignores that NPM disabled OTP before ensuring the toolchain didn't still require OTP. Thank you to @Andarist for working on the issue.

And using
npm publish

in directories to publish can get around it for now, but it bypasses the changesets workflow.

[VictorPulzz]

They create endless problems. I always use TOTP for everything and have never been hacked anywhere. The problem with hacking is only a problem for people who don't know how to practice digital hygiene, and there, a security key is useless!
I want to have different authorization options. Not this brain drain!
Let me take care of my own security. Those fancy words, “we care about your security,” are usually used to the detriment of totalitarian regimes. I should have options for how I want to authenticate myself. My npm with a single package protecting a bunch of programs that are “of course unsafe” is absolute nonsense. If they want to hack, they will hack everyone and everywhere. It's just “opium for the people.” Enough with the empty talk, let users decide for themselves how to set up their own accounts!

[hyperstown]

I don't have physical security key, nor do I have fingerprint reader. Currently browser tells me to touch fingerprint which I don't have! I guess I'm not doing 2FA at all then! Thanks for making my account less secure!

[vanthome]

I simply don't want to and I think Auth apps are enough for the packages I publish, so what can I do?

[diegonc]

Nice, now I cannot upgrade my package. 😡

[josh-endries]

Wow what a horrible decision. You could at least warn people of this BEFORE they remove their 2FA app. I guess I'm done with NPM, or just not have 2FA, a much worse scenario. Nice one guys.

[Mte90]

So basically to upload a new package you need to buy a security usb device.

Ver yakward and impossible to do just for one service...

[diegonc]

I finally managed to upgrade my package by creating some PIN-💩. I don't even know how it worked, but it was somehow linked to the device OS (or browser, who knows).

I won't buy a security USB device just for this.