Why is npm getting rid of TOTP as 2FA authentication method?

[prahladyeri]

Select Topic Area

Question

Body

I've been aghast to know that npm is now phasing out TOTP as a legitimate 2FA method of authentication and replacing it with more intrusive and authoritarian methods like FIDO and Webauthn.

It's a bit perplexing that an organization that apparently stands up for Open Source as a way of life would introduce such a closed and walled garden approach of authentication which may not be accessible to everyone. Those on Linux Desktops such as Mint or Fedora, or those using an open source browser like Firefox, may not have access to these chosen new 2FA methods.

I'd also like to know what exactly is the issue with TOTP as an authentication system, what do the proponents of this new system think is wrong with it?

[gunavardhangolagani]

Hi @prahladyeri ,

The main reason npm is phasing out TOTP is security.
TOTP codes can still be phished or relayed in real time, and the shared secret can be stolen if your device is compromised. Recent supply-chain attacks on npm maintainers showed that even users with TOTP 2FA could be tricked into giving up their codes.

FIDO/WebAuthn (like hardware keys or passkeys) are phishing-resistant the private key never leaves your device and authentication is bound to the site’s domain, so it can’t be reused elsewhere.

That said, many developers share your concern about accessibility especially those on Linux or open-source browsers.
GitHub has said they’re working to improve cross-platform support, but for now FIDO/WebAuthn is considered the most secure option available.

[prahladyeri]

Thanks for the response.

TOTP codes can still be phished or relayed in real time

While this is true, it can be said about any kind of credential including emails and passwords, security codes, API tokens, OTPs, etc. Shouldn't it be the responsibility of a package maintainer or developer to ensure their own device security and not fall for phishing scams?

At most, NPM could suggest or recommend FIDO/WebAuthn while setting up the 2FA methods but having an all or none approach and removing TOTP option entirely seems going too far.

[vindicatorr]

Recent supply-chain attacks on npm maintainers showed that even users with TOTP 2FA could be tricked into giving up their codes.

Looks like they could then be tricked into giving up their passkey private key as well. POC with keepass allowing me to export the passkey, and I see the data in JSON with "privateKey".

private key never leaves your device and authentication is bound to the site’s domain, so it can’t be reused elsewhere.

Is the TOTP code not bound to the domain? They are the ones that issued it, no?

[3nprob]

FYI:

There is a community thread for this topic here: https://github.com/orgs/community/discussions/174505 (consider upvoting)

GitHub recently posted an update on their plans here: https://github.com/orgs/community/discussions/178140