Security News > 2022 > May > GitHub announces enhanced 2FA experience for npm accounts
Today, GitHub has launched a new public beta to notably improve the two-factor authentication experience for all npm user accounts.
Myles Borins, Open Source Product Manager at GitHub, said that the code hosting platform now allows npm accounts to register "Multiple second factors, such as security keys, biometric devices, and authentication applications."
These changes come after a December rollout of enhanced login verification to all npm publishers in response to a massive series of account takeovers.
Two months later, GitHub enforced 2FA for all publishers of the top-100 packages by dependent, with all publishers of top-500 and high-impact packages enrolled in early 2022.
Developers can use multiple 2FA options to secure their accounts, including physical security keys, virtual security keys built into devices like phones or laptops, and Time-based One-Time Password authenticator apps.
Although SMS-based 2FA is also an option, GitHub urged users to switch to security keys or TOTPs, given that threat actors can bypass SMS 2FA or steal auth tokens sent over SMS. GitHub also improved account security over the years by adding sign-in alerts, two-factor authentication, and WebAuthn support.