Developers who use NPM, the popular JavaScript package manager, will now be able to connect their Twitter and GitHub accounts to the software as a recovery method.
The move was announced Tuesday along with a handful of other features meant to combine enhanced security with usability for the GitHub-owned package manager.
In a blog post, GitHub said that the changes would make it easier for users to secure their accounts, while also streamlining some security features that users had found burdensome.
“The JavaScript community downloads over 5 billion packages from npm a day, and we at GitHub recognize how important it is that developers can do so with confidence,” wrote GitHub product managers Myles Borins and Monish Mohan. “As stewards of the npm registry, it’s important that we continue to invest in improvements that increase developer trust and the overall security of the registry itself.”
Besides the ability to connect Twitter and GitHub accounts as an authentication method, GitHub also announced that the use of two-factor authentication (2FA) for login and package publishing on NPM would be made easier.
Per the blog post, NPM had previously trialed the use of enhanced 2FA logins in a public beta release, but after feedback from the community, decided that certain features should be tweaked in order to be more user-friendly. This included adding a “remember me for 5 minutes” option so that users who successfully authenticated could disable 2FA prompts for a short period of time.
“Account security is significantly improved by adopting 2FA, but if the experience adds too much friction, we can’t expect customers to adopt it,” Borins and Mohan wrote. “Early adopters of our new 2FA experience shared feedback around the process of logging in and publishing with the npm CLI, and we recognized there was room for improvement.”
The improved security features are being made available in NPM 8.15.0, released July 26th, the post said.
As a core part of the open-source software ecosystem for the JavaScript programming language, NPM has been targeted by a number of malicious actors over the years. One of the main strategies has been for attackers to take control of packages by purchasing expired domains registered to package publishers and using these to set up email accounts that can be used to receive password reset emails for the package. In light of this, increasing the use of 2FA when logging into NPM accounts stands to create big security improvements.
NPM’s parent company, GitHub, is also working to improve security on the larger code-hosting platform: earlier this year, the company announced that all users who contribute code would need to have some form of 2FA enabled by the end of 2023.
/cdn.vox-cdn.com/uploads/chorus_asset/file/11742007/acastro_1800724_1777_EU_0001.jpg)
/cdn.vox-cdn.com/uploads/chorus_asset/file/24401977/STK071_ACastro_apple_0001.jpg)
