name: npm-set-2fa
description: Change the npm account 2FA level between disabled, auth-only, and auth-and-writes. Use when /npm-doctor reports account 2FA is blocking automation tokens.
npm-set-2fa
Flip the npm account's 2FA level. Requires a security-key tap OR a recovery code.
Usage
/npm-set-2fa auth-only # recommended for automation — tokens publish without OTP
/npm-set-2fa auth-and-writes # most secure, but classic automation tokens hit EOTP
/npm-set-2fa disabled # no 2FA at all — not recommended unless publishing requires it
Flow
- CLI path first. `npm profile enable-2fa <level>` (or `disable-2fa`).
  - Prompts for password → pull from 1P.
  - Prompts for OTP → if the account uses WebAuthn only, there's no TOTP. Fall back to a recovery code from `op item get <id> --fields recovery_codes --reveal`.
  - If neither works → UI path.
- UI path. Open `https://www.npmjs.com/settings/<user>/profile` and tell the user exactly which option to click. Wait for confirmation.
- Verify. `npm profile get | grep two-factor` — confirm the new level took effect.
- Persist. Update state with `two_factor_level` field. If recovery codes were used, prompt the user to regenerate + save fresh ones to 1P (codes are single-use).
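The Verify step as a strict check instead of a visual grep, as an added example that is not part of the original skill: it reads `npm profile get` output on stdin, extracts the level from the two-factor row, and fails unless it equals the requested level. The function names, the two output layouts handled, and the sample text are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original skill): fail-closed check of the 2FA level.
# Real use: npm profile get | verify_2fa_level auth-only

# Print the level found on the "two-factor auth" row of the profile output.
# Accepts a boxed row ("| two-factor auth | auth-only |") or a plain
# "two-factor auth: auth-only" line; both layouts are assumptions.
extract_2fa_level() {
  grep -i 'two-factor' \
    | grep -oE 'auth-and-writes|auth-only|disabled' \
    | head -n 1
}

# verify_2fa_level EXPECTED
# Returns 0 only on an exact match; any unreadable or different level is an error.
verify_2fa_level() {
  expected=$1
  case "$expected" in
    auth-only|auth-and-writes|disabled) ;;
    *) echo "unknown level: $expected" >&2; return 2 ;;
  esac
  actual=$(extract_2fa_level)
  if [ -z "$actual" ]; then
    echo "could not read 2FA level from npm output" >&2
    return 3
  fi
  if [ "$actual" != "$expected" ]; then
    echo "2FA level is '$actual', expected '$expected'" >&2
    return 1
  fi
  echo "2FA level confirmed: $actual"
}

# Constructed sample output (not captured from a real account).
SAMPLE_PROFILE_OUTPUT='| name            | example-user |
| two-factor auth | auth-only    |'

# Demo on the constructed sample.
printf '%s\n' "$SAMPLE_PROFILE_OUTPUT" | verify_2fa_level auth-only
```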
Rules
- Never print password or recovery codes to stdout. Feed them directly to `npm` via stdin/flags.
- Recovery codes are one-shot. After using one, drop it from 1P immediately.
- If the user is flipping to `disabled`, double-confirm — this materially weakens account security.