Expand Up @@ -10,10 +10,9 @@ redirect_from:
- Something you have (e.g., an ID badge or a cryptographic key).
- Something you are (e.g., a fingerprint or other biometric data).

When you enable 2FA, you will be prompted for a second form of authentication before performing certain actions on your account or packages to which you have write access. Depending on your 2FA configuration you will be either prompted to authenticate with a [security-key][webauthn] or a [time-based one-time password (TOTP)][totp].
When you enable 2FA, you will be prompted for a second form of authentication before performing certain actions on your account or packages to which you have write access. You will be prompted to authenticate with a [security-key][webauthn].

- The security-key flow allows you to use biometric devices such as Apple [Touch ID][touch-id], [Face ID][face-id] or [Windows Hello][windows-hello] as well as physical keys such as [Yubikey][yubikey], [Thetis][thetis] or [Feitian][feitian] as your 2FA.
- To configure TOTP you will need to install an authenticator application that can generate OTPs such as [Authy][authy], [Google Authenticator][google-authenticator], or [Microsoft Authenticator][microsoft-authenticator] on your mobile device.

<Note>

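Review bot: with the TOTP bullet removed, the list under the new sentence has a single item, and that item still reads as one alternative among several ("The security-key flow allows you to use ... as your 2FA"). Fold it into the paragraph instead, e.g. "You will be prompted to authenticate with a [security-key][webauthn]; this can be a biometric device such as Apple Touch ID, Face ID or Windows Hello, or a physical key such as a Yubikey, Thetis or Feitian." Dropping the old "Depending on your 2FA configuration" clause is correct now that only one method remains.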
Expand Down Expand Up @@ -68,9 +67,6 @@ If you enable 2FA for authorization only. We will request a second form of authe
[deprecate]: https://docs.npmjs.com/cli/deprecate
[access]: https://docs.npmjs.com/cli/access
[pkg-2fa]: /requiring-2fa-for-package-publishing-and-settings-modification
[authy]: https://authy.com/download/
[google-authenticator]: https://support.google.com/accounts/answer/1066447
[microsoft-authenticator]: https://www.microsoft.com/security/mobile-authenticator-app
[webauthn]: https://webauthn.guide/
[can-i-use]: https://caniuse.com/#search=webauthn
[u2f]: https://en.wikipedia.org/wiki/Universal_2nd_Factor
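Review bot: the three authenticator-app reference definitions are dropped, but the first hunk also removed this file's only visible use of the [totp] link, so check whether a [totp] definition remains further down and remove it as well; an unreferenced definition does not break rendering but misleads the next editor into thinking TOTP is still documented here. The hunk header context also shows a sentence fragment, "If you enable 2FA for authorization only. We will request ...", that could be joined with a comma while this section is being touched.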
Expand Up @@ -4,24 +4,17 @@ title: Configuring two-factor authentication

import shared from '~/shared.js'

You can enable two-factor authentication (2FA) on your npm user account to protect against unauthorized access to your account and packages, either by using a [security-key][webauthn] or [time-based one-time password (TOTP)][totp] from a mobile app.
You can enable two-factor authentication (2FA) on your npm user account to protect against unauthorized access to your account and packages using a [security-key][webauthn].

## Prerequisites

Before you enable 2FA on your npm user account, you must:

- Update your npm client to version 5.5.1 or higher.
- To configure a security-key requires a modern browser that support [WebAuthn][can-i-use]. This will allow you to configure a biometric devices featuring Apple [Touch ID][touch-id], [Face ID][face-id], or [Windows Hello][windows-hello] as well as physical keys such as [Yubikey][yubikey], [Thetis][thetis], or [Feitian][feitian].
- To configure TOTP you will need to install an authenticator application that can generate OTPs such as [Authy][authy], [Google Authenticator][google-authenticator], or [Microsoft Authenticator][microsoft-authenticator] on your mobile device.

For more information on supported 2FA methods, see "[About two-factor authentication][about-two-factor-authentication]".

<Note>

**Note:** npm does not accept SMS (text-to-phone) as a 2FA method.

</Note>

## Configuring 2FA from the website

### Enabling 2FA
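Review bot: dropping the SMS note loses a statement that has nothing to do with the TOTP removal; "npm does not accept SMS (text-to-phone) as a 2FA method" remains true and is exactly the question many readers bring to this page, so keep the <Note> block. The retained prerequisite bullet has two grammar slips worth fixing while here: "a modern browser that support" should be "supports" and "a biometric devices" should be "biometric devices". Removing the "For more information on supported 2FA methods" cross-link is reasonable only if the about page no longer lists methods; otherwise keep it.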
Expand All @@ -44,19 +37,15 @@ For more information on supported 2FA methods, see "[About two-factor authentica

<Screenshot src="/getting-started/setting-up-your-npm-user-account/device-selection.png" alt="Screenshot showing 2FA types" />

6. Configure the 2FA method of your choice:
- When using a **security-key**, provide a name for it and click **Add security key**. Follow the browser specific steps to add your security-key.
6. Configure your 2FA security-key:
- Provide a name for your security-key and click **Add security key**. Follow the browser specific steps to add your security-key.

<Screenshot src="/getting-started/setting-up-your-npm-user-account/2fa-add-security-key.png" alt="Screenshot showing security key setup" />

- Below is an example of configuration from Microsoft Edge running on a MacOS

<Screenshot src="/getting-started/setting-up-your-npm-user-account/touch-id-mac-edge.png" alt="Screenshot showing 2FA device selection" />

- When using an **authenticator application** on your phone, open it and scan the QR code on the two-step verification page. Enter the code generated by the app, then click **Verify**.

<Screenshot src="/getting-started/setting-up-your-npm-user-account/2fa-verify.png" alt="Screenshot showing 2FA device selection" />

7. On the recovery code page, copy the recovery codes to your computer or other safe location that is not your second factor device. We recommend using a password manager.

<Screenshot src="/getting-started/setting-up-your-npm-user-account/recovery-code.png" alt="Screenshot showing the Recovery Code page" />
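Review bot: step 6 now has a single sub-bullet that restates the step, so "Configure your 2FA security-key:" plus the bullet can collapse into one line, "6. Provide a name for your security-key and click **Add security key**, then follow the browser-specific steps to add it." The device-selection screenshot kept just above (alt text "Screenshot showing 2FA types") still shows a choice of 2FA types that no longer exists; either re-capture it or note that it is pending the UI change discussed in the comments. Minor: the Edge example image reuses the alt text "Screenshot showing 2FA device selection", which does not describe it, and "a MacOS" should be "macOS".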
Expand Down Expand Up @@ -125,7 +114,7 @@ If you have 2FA enabled, you can remove it from your account settings page.

### Enabling 2FA from the command line

Although security-key with WebAuthn can be used for authentication from both the web and the command line, it can only be configured from the web. When enabling 2FA from the command line, currently the only available option is to use an TOTP mobile app.
Security-key with WebAuthn can be used for authentication from both the web and the command line, but it can only be configured from the web.

<Note>

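Review bot: the new sentence says a security-key "can only be configured from the web", yet it sits under the heading "Enabling 2FA from the command line" and is followed by numbered steps that still run `npm profile enable-2fa auth-only` (visible in the next hunk). The section should say what that command does now that no CLI-configurable method exists, or the heading and steps should go out with the TOTP text; as written, the heading contradicts its own first sentence.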
Expand All @@ -148,24 +137,9 @@ Although security-key with WebAuthn can be used for authentication from both the
npm profile enable-2fa auth-only
```

3. To add npm to your authenticator application, using the device with the app, you can either:
- Scan the QR code displayed on the command line.
- Type the number displayed below the QR code.
### Using 2FA with commands

4. When prompted to add an OTP code from your authenticator, on the command line, enter a one-time password generated by your authenticator app.

### Sending a one-time password from the command line

If you have enabled 2FA auth-and-writes, you will need to send the TOTP from the command line for certain commands to work. To do this, append `--otp=123456` (where _123456_ is the code generated by your authenticator) at the end of the command. Here are a few examples:

```
npm publish [<tarball>|<folder>][--tag <tag>] --otp=123456
npm owner add <user > --otp=123456
npm owner rm <user> --otp=123456
npm dist-tags add <pkg>@<version> [<tag>] --otp=123456
npm access edit [<package>) --otp=123456
npm unpublish [<@scope>/]<pkg>[@<version>] --otp=123456
```
If you have enabled 2FA auth-and-writes, authentication will be handled automatically when using security-keys. For commands that require 2FA, you will be prompted to authenticate with your configured 2FA method.

### Removing 2FA from the command line

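Review bot: the replacement paragraph loses the concrete guidance the removed section carried. "Authentication will be handled automatically" does not tell a reader what they will see: whether the CLI opens a browser, prints a prompt, or needs a flag. Give one example exchange for a guarded command such as `npm publish`, as the old `--otp=123456` list did, and state explicitly whether `--otp` is still accepted, since the removed lines were its only documentation on this page. Also, steps 3 and 4 are deleted, so the numbered list above now ends at step 2 directly before the `### Using 2FA with commands` heading; confirm the remaining numbering still reads naturally.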
Expand All @@ -181,9 +155,7 @@ npm unpublish [<@scope>/]<pkg>[@<version>] --otp=123456

<Prompt>npm password:</Prompt>

4. When prompted for a one-time password, enter a password from your authenticator app:

<Prompt>Enter one-time password from your authenticator: <strong>123456</strong></Prompt>
4. You will be prompted to authenticate with your configured 2FA method to complete the removal.

## Configuring account recovery options

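Review bot: step 3 above still shows its expected prompt as `<Prompt>npm password:</Prompt>`, while the new step 4 has no prompt; if the CLI prints anything for the security-key step, show it in the same <Prompt> form so the two steps match. Consider "your configured security-key" rather than "your configured 2FA method", since after this PR only one method exists.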
Expand All @@ -210,22 +182,12 @@ When you enable 2FA on your npm user account, we strongly recommend you link you

The Twitter or GitHub account is now linked to your npm account. To remove the link to either account, you can click the **Remove** button next to the account you want to remove from your npm account.

## Resolving TOTP errors

If you are entering what seems to be a valid [TOTP][totp] but you see an error, be sure that you are using the correct authenticator account. If you have multiple authenticator accounts, using an TOTP from the wrong account will cause an error.

Also, when you reset two-factor authentication after it has been disabled, the authenticator might create a second account with the same name. Please see the authenticator documentation to delete the old account.

[about-two-factor-authentication]: /about-two-factor-authentication
[authorization-and-writes]: /about-two-factor-authentication#authorization-and-writes
[login]: /cli/adduser
[recovering-your-2fa-enabled-account]: /recovering-your-2fa-enabled-account
[can-i-use]: https://caniuse.com/#search=webauthn
[viewing-and-regenerating-recovery-code]: /recovering-your-2fa-enabled-account#viewing-and-regenerating-recovery-code
[totp]: https://en.wikipedia.org/wiki/Time-based_one-time_password
[authy]: https://authy.com/download/
[google-authenticator]: https://support.google.com/accounts/answer/1066447
[microsoft-authenticator]: https://www.microsoft.com/security/mobile-authenticator-app
[webauthn]: https://webauthn.guide/
[u2f]: https://en.wikipedia.org/wiki/Universal_2nd_Factor
[windows-hello]: https://support.microsoft.com/en-us/windows/learn-about-windows-hello-and-set-it-up-dae28983-8242-bb2a-d3d1-87c9d265a5f0
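Review bot: the [totp] reference definition is kept here even though this PR removes this file's visible uses of it (the intro sentence and the whole "Resolving TOTP errors" section), while the recovery-page hunk further down drops its [totp] line; remove it here too for consistency unless an unchanged part of the file still links to it. [u2f] and [can-i-use] deserve the same check. Removing "Resolving TOTP errors" outright is fine, since its content was entirely about authenticator apps.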
Expand Up @@ -22,8 +22,6 @@ If you have misplaced the device that provided second-factor authentication, you

<>{shared['use-recovery-code'].image}</>

_Note: If you have configured to use TOTP, you will see an TOTP prompt instead_

4. Enter an unused recovery code in the "Use a Recovery Code" prompt.

<Screenshot src="/getting-started/setting-up-your-npm-user-account/user-a-recovery-code.png" alt="Screenshot showing use a recovery code prompt with an input box to enter the recovery code" />
Expand All @@ -32,38 +30,6 @@ If you have misplaced the device that provided second-factor authentication, you

6. (Optional) To disable 2FA, see "[Disabling 2FA][removing-2fa-on-the-web]".

### Using recovery code from the command line

1. Locate the recovery codes generated when you enabled 2FA on your account.

2. If you are logged out on the command line, log in using `npm login` command with your username and npm password.

3. Enter an unused recovery code when you see this prompt:

<Prompt>Enter one-time password:</Prompt>

4. Once you are logged in, use the below and enter your npm password if prompted.

```
npm profile disable-2fa
```

5. Enter another unused recovery code when you see this prompt:

<Prompt>Enter one-time password:</Prompt>

6. npm will confirm that two-factor authentication has been disabled.

7. Follow the steps outlined in "[Configuring two-factor authentication][configuring-two-factor-authentication]" to re-enable 2FA and generate new recovery codes.

<Note>

**Note:** Using the recovery codes to re-enable 2FA may create a new authenticator account with the same npm account name.

If you are using a [time-based one-time password (TOTP)][totp] mobile app and want to delete the old authenticator account, follow the steps for the authenticator.

</Note>

## Viewing and regenerating recovery code

<Note>
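Review bot: deleting "Using recovery code from the command line" removes the only documented way to use a recovery code without a browser. Nothing in the remaining text says that CLI recovery is no longer possible, and the `Enter one-time password:` prompt the removed steps quoted was a plain text prompt, not something tied to an authenticator app, so a reader who loses their key while working from a terminal is left without guidance. Either keep the section (dropping only the TOTP-specific <Note> at its end, which is the one part about authenticator apps) or add a sentence to the web section stating that recovery must be done from the website.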
Expand Down Expand Up @@ -126,4 +92,3 @@ If you have misplaced both your 2FA device and your recovery codes, you can cont
[removing-2fa-on-the-web]: /configuring-two-factor-authentication#disabling-2fa
[using-recovery-code-on-the-web]: /recovering-your-2fa-enabled-account#using-recovery-code-on-the-web
[viewing-and-regenerating-recovery-code]: #viewing-and-regenerating-recovery-code
[totp]: https://en.wikipedia.org/wiki/Time-based_one-time_password
Contributor:

note (no need to change in this PR): in the future it would be ideal to just remove this extra step as it's now an assertion rather than an option.

Contributor Author @saquibkhan, Oct 10, 2025:

You are correct, now this 2FA method doesn't make any sense and we can take the user directly to the configure screen. I'll add a note; it could be a future task to also make the respective change in the UI.

Edit: Added a note here - https://github.com/github/npm/issues/14221#issuecomment-3387848940
