Enrolling all npm publishers in enhanced login verification and next steps for two-factor authentication enforcement
Blog post from GitHub
The article outlines npm's phased plan to strengthen the security of its registry by introducing and then enforcing two-factor authentication (2FA) for maintainers. The first phase is enhanced login verification: maintainers who have not enabled 2FA receive a one-time password by email, which must be entered alongside their password to log in. This step is intended to blunt account-takeover attacks, but maintainers are encouraged to opt into proper 2FA, such as time-based one-time passwords (TOTP) or WebAuthn, for stronger protection. The rollout of enhanced login verification began on December 7 and will conclude on January 4, followed by mandatory 2FA for high-impact package publishers, starting with the top-100 packages by dependents on February 1, 2022. Work to support multiple authentication factors and to improve account recovery is underway, with WebAuthn expected to be available by April 2022, so that these security measures can be integrated without disrupting current workflows.