Friday, August 12, 2022

NPM users can now connect a Twitter account as a recovery method

Developers using NPM, the popular JavaScript package manager, can now link their Twitter and GitHub accounts to their NPM accounts as an account-recovery method.

The move was announced on Tuesday along with a handful of other features meant to combine tighter security with usability for the GitHub-owned package manager.

In a blog post, GitHub said the changes would make it easier for users to secure their accounts, while streamlining some security features that users had found cumbersome.

“The JavaScript community downloads over 5 billion packages from npm per day, and at GitHub we recognize how important it is for developers to be able to do so with confidence,” wrote GitHub product managers Myles Borins and Monish Mohan. “As guardians of the npm registry, it’s important that we continue to invest in improvements that build developer confidence and the overall security of the registry itself.”

GitHub and Twitter accounts can now be used as recovery options for NPM.
Image: GitHub/NPM

Along with the ability to connect Twitter and GitHub accounts as a recovery method, GitHub also announced that it will make it easier to use two-factor authentication (2FA) for logging in and for publishing packages to NPM.

According to the blog post, NPM had previously tested using improved 2FA logins in a public beta, but after community feedback decided that some features needed to be tweaked in order to be more user-friendly. This included adding a “remember me for 5 minutes” option so that users who had successfully authenticated could disable 2FA prompts for a short time.

“Account security is dramatically improved by adopting 2FA, but if the experience adds too much friction, we can’t expect customers to adopt it,” Borins and Mohan wrote. “Early adopters of our new 2FA experience shared their feedback on the login and publish process with the npm CLI, and we recognized there was room for improvement.”

The enhanced security features are made available in NPM 8.15.0, released July 26, according to the post.

As a central part of the open source software ecosystem for the JavaScript programming language, NPM has been targeted by a number of malicious actors over the years. One of the main strategies is for attackers to take control of packages by purchasing expired domains that package publishers had registered with the registry, setting up mailboxes on those domains, and using them to receive password-reset emails for the publisher's NPM account. In light of this, increasing the use of 2FA when logging into NPM accounts should yield a significant security improvement, since a reset email alone would no longer be enough to take over an account.
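The check a practitioner would want against that technique is an audit of the e-mail domains used by the maintainers of the packages they depend on. The following is an added example, not taken from the article or from npm's own tooling. It parses maintainer lists in the shape `npm view <pkg> maintainers --json` returns (either `"name <email>"` strings or `{"name": ..., "email": ...}` objects), extracts each address's domain and flags the ones that a caller-supplied `domain_is_registered` predicate reports as unregistered. The sample package data and the stub predicate are constructed here so the example runs offline; in practice the predicate would be backed by a WHOIS or DNS lookup.

```python
"""Audit package maintainers' e-mail domains for the expired-domain takeover
described above.

Added example, not part of the article or of npm itself. Assumes a
caller-supplied `domain_is_registered` predicate (WHOIS/MX lookup in practice);
a constructed stub stands in here so that the example runs offline.
"""
import json
import re
from typing import Callable, Dict, List, Tuple

# Constructed sample in the shape `npm view <pkg> maintainers --json` returns:
# each maintainer is either "name <email>" or {"name": ..., "email": ...}.
SAMPLE_NPM_VIEW_OUTPUT = json.dumps({
    "left-pad-ish": ["alice <alice@example.com>", "bob <bob@lapsed-domain.test>"],
    "tiny-util": [{"name": "carol", "email": "carol@example.org"}],
    "old-helper": ["dave <dave@lapsed-domain.test>", "dave-gmail <dave@example.com>"],
})

# Constructed stand-in for a real registration check (hypothetical data):
# only these domains are treated as still registered.
REGISTERED_DOMAINS = {"example.com", "example.org"}


def stub_domain_is_registered(domain: str) -> bool:
    """Offline replacement for a WHOIS or MX lookup."""
    return domain.lower() in REGISTERED_DOMAINS


_ADDR_RE = re.compile(r"<([^<>@\s]+@[^<>\s]+)>\s*$")


def parse_maintainer(entry) -> Tuple[str, str]:
    """Return (name, email) from either maintainer representation."""
    if isinstance(entry, dict):
        return entry.get("name", ""), entry.get("email", "")
    m = _ADDR_RE.search(entry)
    if not m:
        raise ValueError(f"unparseable maintainer entry: {entry!r}")
    return entry[: m.start()].strip(), m.group(1)


def email_domain(email: str) -> str:
    """Normalise the domain part of an address (lower-case, no trailing dot)."""
    local, sep, domain = email.rpartition("@")
    if not sep or not local or not domain:
        raise ValueError(f"not an e-mail address: {email!r}")
    return domain.strip().rstrip(".").lower()


def audit_maintainer_domains(npm_view_json: str,
                             domain_is_registered: Callable[[str], bool]) -> List[dict]:
    """Return one finding per maintainer whose e-mail domain is not registered."""
    packages: Dict[str, list] = json.loads(npm_view_json)
    findings: List[dict] = []
    cache: Dict[str, bool] = {}  # one lookup per domain, not per maintainer
    for pkg, maintainers in packages.items():
        for entry in maintainers:
            name, email = parse_maintainer(entry)
            domain = email_domain(email)
            if domain not in cache:
                cache[domain] = domain_is_registered(domain)
            if not cache[domain]:
                findings.append({"package": pkg, "maintainer": name,
                                 "email": email, "domain": domain})
    return findings


if __name__ == "__main__":
    for f in audit_maintainer_domains(SAMPLE_NPM_VIEW_OUTPUT, stub_domain_is_registered):
        print(f"{f['package']}: maintainer {f['maintainer']} uses {f['email']}; "
              f"domain {f['domain']} is not registered")
```

A flagged maintainer is not proof of compromise, only that a password-reset mail for that account would be deliverable to whoever registers the domain; the finding is the prompt to ask the maintainer to update their address and enable 2FA, or to pin the dependency until they do.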

NPM’s parent company, GitHub, is also working to improve security on the largest code-hosting platform: earlier this year, the company announced that all users who contribute code on GitHub.com will be required to have some form of 2FA enabled by the end of 2023.
