Hi @prahladyeri,
The main reason npm is phasing out TOTP is security.
TOTP codes can still be phished or relayed in real time, and the shared secret can be stolen if your device is compromised. Recent supply-chain attacks on npm maintainers showed that even users with TOTP 2FA could be tricked into giving up their codes.
FIDO/WebAuthn (like hardware keys or passkeys) is phishing-resistant: the private key never leaves your device and authentication is bound to the site’s domain, so it can’t be reused elsewhere.
That said, many developers share your concern about accessibility, especially those on Linux or open-source browsers.
GitHub has said they’re working to improve cross-platform support, but for now FIDO/WebAuthn is considered the most secure option available.
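As an added illustration of the domain-binding point made above (example code written for this page, not from the thread, npm or GitHub): a TOTP code carries no record of where it was typed, so a code captured on a look-alike page and forwarded within its time step verifies like a genuine one, whereas a WebAuthn assertion is signed over clientDataJSON whose origin the browser fills in, so the relying party rejects it. The device signature is stood in for by an HMAC with a constructed key, and the look-alike origin and challenge are constructed values.

```python
import base64, hashlib, hmac, json, struct

def totp(secret: bytes, t: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1) for unix time t."""
    mac = hmac.new(secret, struct.pack(">Q", t // step), hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF) % 10 ** digits
    return str(code).zfill(digits)

def totp_server_accepts(secret: bytes, code: str, t: int) -> bool:
    # The server only sees six digits; nothing in them says where the user
    # typed them, so a relayed code inside the 30 s window verifies as genuine.
    return hmac.compare_digest(totp(secret, t), code)

def rp_id_hash(rp_id: str) -> bytes:
    return hashlib.sha256(rp_id.encode()).digest()

def authenticator_sign(device_key: bytes, rp_id: str, client_data: bytes):
    # authenticatorData = rpIdHash || flags (UP) || signCount; the device signs
    # authenticatorData || SHA-256(clientDataJSON). HMAC stands in for the
    # private-key signature here (assumption, to keep the example stdlib-only).
    auth_data = rp_id_hash(rp_id) + b"\x01" + (1).to_bytes(4, "big")
    msg = auth_data + hashlib.sha256(client_data).digest()
    return auth_data, hmac.new(device_key, msg, hashlib.sha256).digest()

def rp_verify(device_key: bytes, rp_id: str, origin: str, challenge: str,
              client_data: bytes, auth_data: bytes, sig: bytes) -> bool:
    cd = json.loads(client_data)
    if cd.get("type") != "webauthn.get" or cd.get("challenge") != challenge:
        return False                      # replay or wrong ceremony
    if cd.get("origin") != origin:        # the domain binding
        return False
    if auth_data[:32] != rp_id_hash(rp_id):
        return False
    msg = auth_data + hashlib.sha256(client_data).digest()
    return hmac.compare_digest(hmac.new(device_key, msg, hashlib.sha256).digest(), sig)

def relay_outcomes(t: int = 1_700_000_000) -> dict:
    """Constructed scenario: user lured to a look-alike origin, attacker relays."""
    secret, key = b"constructed-totp-seed", b"constructed-device-key"
    totp_ok = totp_server_accepts(secret, totp(secret, t), t)  # forwarded code
    challenge = base64.urlsafe_b64encode(b"server-chosen-nonce").decode().rstrip("=")
    # The browser on the look-alike page writes its own origin into clientData.
    cd = json.dumps({"type": "webauthn.get", "challenge": challenge,
                     "origin": "https://npmjs-login.example"}).encode()
    auth_data, sig = authenticator_sign(key, "npmjs.com", cd)
    fido_ok = rp_verify(key, "npmjs.com", "https://www.npmjs.com", challenge,
                        cd, auth_data, sig)
    return {"totp_relay_accepted": totp_ok, "webauthn_relay_accepted": fido_ok}
```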
Thanks for the response.
TOTP codes can still be phished or relayed in real time
While this is true, it can be said about any kind of credential including emails and passwords, security codes, API tokens, OTPs, etc. Shouldn't it be the responsibility of a package maintainer or developer to ensure their own device security and not fall for phishing scams?
At most, NPM could suggest or recommend FIDO/WebAuthn while setting up the 2FA methods, but having an all-or-none approach and removing the TOTP option entirely seems to be going too far.