Top-100 npm package maintainers now require 2FA, and additional security-focused improvements to npm
Blog post from GitHub
To reduce the risk of account takeover on widely depended-upon packages, npm is phasing in mandatory two-factor authentication (2FA) for publishers, starting with maintainers of the top-100 npm packages by dependents. Maintainers in that group who have not enabled 2FA must do so before they can perform the affected account actions. The phased rollout began in December 2021, with full enforcement for this group planned for March 2022 and interim brown-out days in February, during which the requirement is enforced temporarily so that affected maintainers can discover and fix their setup before the permanent cutoff.

Alongside the enforcement itself, the initiative includes improved token management for CI/CD automation (so that pipelines do not depend on a maintainer's interactive 2FA), the ability for organizations to require 2FA of their members, and auditing tools for tracking 2FA adoption. Future plans include WebAuthn support, so that hardware security keys and platform biometric authenticators can be used as a phishing-resistant second factor alongside the current OTP methods. The npm team describes security hardening as ongoing work and invites community feedback on further improvements.