npm · nishantms · Dec 10, 2025 · Nov 14, 2025 · Nov 24, 2025 · Nov 24, 2025
@@ -42,7 +42,7 @@ npm access list packages [<user>|<scope>|<scope:team>] [<package>]
 npm access list collaborators [<package> [<user>]]
 npm access get status [<package>]
 npm access set status=public|private [<package>]
-npm access set mfa=none|publish|automation [<package>]
+npm access set mfa=publish|automation [<package>]
 npm access grant <read-only|read-write> <scope:team> [<package>]
 npm access revoke <scope:team> [<package>]
 ```

@@ -49,6 +49,17 @@ Publishes a package to the registry so that it can be installed by name.
 
 Publish the package in the current directory:
 
+<Note variant="warning">
+
+**Important:** Publishing to npm requires either:
+
+- Two-factor authentication (2FA) enabled on your account, OR
+- A granular access token with bypass 2FA enabled
+
+For more information, see the npm documentation on [requiring 2FA for package publishing](/requiring-2fa-for-package-publishing-and-settings-modification).
+
+</Note>
+
 ```bash
 npm publish
 ```

@@ -20,6 +20,17 @@ When you enable 2FA, you will be prompted for a second form of authentication be
 
 </Note>
 
+<Note variant="warning">
+
+**Important:** Publishing to npm requires either:
+
+- Two-factor authentication (2FA) enabled on your account, OR
+- A granular access token with bypass 2FA enabled
+
+For more information, see the npm documentation on [requiring 2FA for package publishing](/requiring-2fa-for-package-publishing-and-settings-modification).
+
+</Note>
+
 ## Two-factor authentication on npm
 
 Two-factor authentication on npm can be enabled for authorization and writes, or authorization only.

@@ -6,6 +6,17 @@ import shared from '~/shared.js'
 
 You can enable two-factor authentication (2FA) on your npm user account to protect against unauthorized access to your account and packages using a [security-key][webauthn].
 
+<Note variant="warning">
+
+**Important:** Publishing to npm requires either:
+
+- Two-factor authentication (2FA) enabled on your account, OR
+- A granular access token with bypass 2FA enabled
+
+For more information, see the npm documentation on [requiring 2FA for package publishing](/requiring-2fa-for-package-publishing-and-settings-modification).
+
+</Note>
+
 ## Prerequisites
 
 Before you enable 2FA on your npm user account, you must:
@@ -54,34 +65,6 @@ For more information on supported 2FA methods, see "[About two-factor authentica
 
 8. Click **Go back to settings** after confirming that you have saved your codes.
 
-### Disabling 2FA for writes
-
-Check the [Authorization and writes][authorization-and-writes] section for more information on different operations that requires 2FA when this mode is enabled.
-
-<Note>
-
-**Note**: As a recommended setting, 2FA for write operations are _automatically enabled_ when setting up 2FA. The following steps explain how to disable it.
-
-</Note>
-
-1. <>{shared['user-login'].text}</>
-
-   <>{shared['user-login'].image}</>
-
-2. <>{shared['account-settings'].text}</>
-
-   <>{shared['account-settings'].image}</>
-
-3. On the account settings page, under "Two-Factor Authentication", click **Modify 2FA**.
-
-   <Screenshot src="/getting-started/setting-up-your-npm-user-account/2fa-modify.png" alt="Screenshot showing Modify 2FA button" />
-
-4. From the "Manage Two-Factor Authentication" navigate to "Additional Options" section
-
-5. Clear the checkbox for "Require two-factor authentication for write actions" and click "Update Preferences"
-
-   <Screenshot src="/getting-started/setting-up-your-npm-user-account/disable-2fa-button.png" alt="Screenshot showing a cleared check box to disable 2fa under Addition options" />
-
 ### Disabling 2FA
 
 If you have 2FA enabled, you can remove it from your account settings page.
@@ -193,6 +176,7 @@ The Twitter or GitHub account is now linked to your npm account. To remove the l
 [can-i-use]: https://caniuse.com/#search=webauthn
 [viewing-and-regenerating-recovery-code]: /recovering-your-2fa-enabled-account#viewing-and-regenerating-recovery-code
 [webauthn]: https://webauthn.guide/
+[creating-token]: /creating-and-viewing-access-tokens
 [u2f]: https://en.wikipedia.org/wiki/Universal_2nd_Factor
 [windows-hello]: https://support.microsoft.com/en-us/windows/learn-about-windows-hello-and-set-it-up-dae28983-8242-bb2a-d3d1-87c9d265a5f0
 [touch-id]: https://support.apple.com/en-gb/HT204587

@@ -22,30 +22,11 @@ You can work with tokens from the web or the CLI, whichever is easiest. What you
 npm token commands let you:
 
 - View tokens for easier tracking and management
-- Create new legacy tokens (deprecated)
 - Limit access according to IP address ranges (CIDR)
 - Delete/revoke tokens
 
 For more information on creating and viewing access tokens on the web and CLI, see "[Creating and viewing access tokens][create-token]".
 
-## About legacy tokens (Deprecated)
-
-<Note variant="danger">
-
-**Warning:** Legacy access tokens were removed on November 5, 2025.
-
-</Note>
-
-Legacy tokens are created with the same permissions as the user who created them. The npm CLI automatically generates and uses a publish token when you run `npm login`.
-
-There are three different types of legacy tokens:
-
-- **Read-only**: You can use these tokens to download packages from the registry. These tokens are best for automation and workflows where you are installing packages. For greater security, we recommend using [granular access tokens](#about-granular-access-tokens) instead.
-- **Automation**: You can use these tokens to download packages and install new ones. These tokens are best for automation workflows where you are publishing new packages. Automation tokens do not require 2FA for executing operations on npm and are suitable for CI/CD workflows. For greater security, we recommend using [granular access tokens](#about-granular-access-tokens) instead.
-- **Publish**: You can use these tokens to download packages, install packages, and update user and package settings. We recommend using them for interactive workflows such as a CLI. If 2FA is enabled on your account, publish tokens will require 2FA to execute sensitive operations on npm.
-
-Legacy tokens do not have an expiration date. It is important to be aware of your tokens and keep them protected for account security. For more information, see "[Securing your token][secure-token]."
-
 ## About granular access tokens
 
 Granular access tokens allow you to restrict access provided to the token based on what you want to use the token for. With granular access tokens, you can:

@@ -45,7 +45,7 @@ For more information on creating granular access tokens, including CIDR-whitelis
 
 For publishing packages in continuous deployment environments, we strongly recommend using [trusted publishing](/trusted-publishers) when available, as it provides enhanced security without requiring token management.
 
-If trusted publishing is not available for your CI/CD provider, you can create a [granular access token with bypass 2FA enabled][create-token] on the website. This will allow you to publish even if you have two-factor authentication enabled on your account.
+If trusted publishing is not available for your CI/CD provider, you must create a [granular access token with bypass 2FA enabled][create-token] on the website. This will allow you to publish in your CI/CD workflows even if you have two-factor authentication enabled on your account.
 
 <Note>
 

@@ -6,6 +6,17 @@ import shared from '~/shared.js'
 
 Organization owners can require organization members to enable two-factor authentication for their personal accounts, making it harder for malicious actors to access an organization's packages and settings.
 
+<Note variant="warning">
+
+**Important:** Publishing to npm requires either:
+
+- Two-factor authentication (2FA) enabled on your account, OR
+- A granular access token with bypass 2FA enabled
+
+For more information, see the npm documentation on [requiring 2FA for package publishing](/requiring-2fa-for-package-publishing-and-settings-modification).
+
+</Note>
+
 ## About two-factor authentication for organizations
 
 Two-factor authentication (2FA) is an extra layer of security used when logging into websites or apps. You can require all members in your organization to enable two-factor authentication on npm. For more information about two-factor authentication, see ["Configuring two-factor authentication"][configure-2fa].

@@ -81,6 +81,17 @@ npm install my-package
 
 By default, scoped packages are published with private visibility.
 
+<Note variant="warning">
+
+**Important:** Publishing to npm requires either:
+
+- Two-factor authentication (2FA) enabled on your account, OR
+- A granular access token with bypass 2FA enabled
+
+For more information, see the npm documentation on [requiring 2FA for package publishing](/requiring-2fa-for-package-publishing-and-settings-modification).
+
+</Note>
+
 1. On the command line, navigate to the root directory of your package.
 
    ```
@@ -109,3 +120,6 @@ For more information on the `publish` command, see the [CLI documentation][cli-p
 [cli-publish]: /cli/publish
 [reg-config]: configuring-your-registry-settings-as-an-npm-enterprise-user#using-npmrc-to-manage-multiple-profiles-for-different-registries
 [pii]: https://en.wikipedia.org/wiki/Personally_identifiable_information
+[config-2fa]: /configuring-two-factor-authentication
+[creating-token]: /creating-and-viewing-access-tokens
+[requiring-2fa]: /requiring-2fa-for-package-publishing-and-settings-modification
@@ -77,6 +77,17 @@ npm install /path/to/my-test-package
 
 By default, scoped packages are published with private visibility. To publish a scoped package with public visibility, use `npm publish --access public`.
 
+<Note variant="warning">
+
+**Important:** Publishing to npm requires either:
+
+- Two-factor authentication (2FA) enabled on your account, OR
+- A granular access token with bypass 2FA enabled
+
+For more information, see the npm documentation on [requiring 2FA for package publishing](/requiring-2fa-for-package-publishing-and-settings-modification).
+
+</Note>
+
 1. On the command line, navigate to the root directory of your package.
 
    ```
@@ -111,3 +122,6 @@ For more information on the `publish` command, see the [CLI documentation][cli-p
 [cli-publish]: /cli/publish
 [pii]: https://en.wikipedia.org/wiki/Personally_identifiable_information
 [provenance-how-to]: /generating-provenance-statements
+[config-2fa]: /configuring-two-factor-authentication
+[creating-token]: /creating-and-viewing-access-tokens
+[requiring-2fa]: /requiring-2fa-for-package-publishing-and-settings-modification
@@ -58,6 +58,17 @@ npm install path/to/my-package
 
 ## Publishing unscoped public packages
 
+<Note variant="warning">
+
+**Important:** Publishing to npm requires either:
+
+- Two-factor authentication (2FA) enabled on your account, OR
+- A granular access token with bypass 2FA enabled
+
+For more information, see the npm documentation on [requiring 2FA for package publishing](/requiring-2fa-for-package-publishing-and-settings-modification).
+
+</Note>
+
 1. On the command line, navigate to the root directory of your package.
 
    ```
@@ -89,3 +100,6 @@ For more information on the `publish` command, see the [CLI documentation][cli-p
 [cli-publish]: /cli/publish
 [pii]: https://en.wikipedia.org/wiki/Personally_identifiable_information
 [provenance-how-to]: /generating-provenance-statements
+[config-2fa]: /configuring-two-factor-authentication
+[creating-token]: /creating-and-viewing-access-tokens
+[requiring-2fa]: /requiring-2fa-for-package-publishing-and-settings-modification
@@ -36,8 +36,20 @@ exports.printMsg = function() {
 ## Test your module
 
 1. Publish your package to npm:
-   - For [private packages][priv-pkg-pub] and [unscoped packages][unscoped-pkg-pub], use `npm publish`.
-   - For [scoped public packages][scoped-pkg-pub], use `npm publish --access public`
+
+<Note variant="warning">
+
+**Important:** Publishing to npm requires either:
+
+- Two-factor authentication (2FA) enabled on your account, OR
+- A granular access token with bypass 2FA enabled
+
+For more information, see the npm documentation on [requiring 2FA for package publishing](/requiring-2fa-for-package-publishing-and-settings-modification).
+
+</Note>
+
+- For [private packages][priv-pkg-pub] and [unscoped packages][unscoped-pkg-pub], use `npm publish`.
+- For [scoped public packages][scoped-pkg-pub], use `npm publish --access public`
 
 2. On the command line, create a new test directory outside of your project directory.
 
@@ -73,3 +85,5 @@ exports.printMsg = function() {
 [priv-pkg-pub]: creating-and-publishing-private-packages#publishing-private-packages
 [unscoped-pkg-pub]: creating-and-publishing-unscoped-public-packages#publishing-unscoped-public-packages
 [scoped-pkg-pub]: creating-and-publishing-scoped-public-packages#publishing-scoped-public-packages
+[config-2fa]: /configuring-two-factor-authentication
+[creating-token]: /creating-and-viewing-access-tokens
@@ -4,9 +4,9 @@ title: Requiring 2FA for package publishing and settings modification
 
 import shared from '~/shared.js'
 
-To protect your packages, as a package publisher, you can require everyone who has write access to a package to have two-factor authentication (2FA) enabled. This will require that users provide 2FA credentials in addition to their login token when they publish the package. For more information, see "[Configuring two-factor authentication][config-2fa]".
+All packages now require two-factor authentication (2FA) or a [granular access tokens with bypass 2FA enabled][creating-granular-access-token] for creating and publishing packages.
 
-You may also choose to allow publishing with either two-factor authentication _or_ with [granular access tokens with bypass 2FA enabled][creating-granular-access-token]. This lets you configure tokens in a CI/CD workflow, but requires two-factor authentication from interactive publishes.
+Modifying a package's settings also requires two-factor authentication (2FA).
 
 For CI/CD workflows, consider using [trusted publishing](/trusted-publishers), which provides secure, token-free publishing that automatically enforces strong authentication without requiring manual token management.
 
@@ -21,7 +21,7 @@ For CI/CD workflows, consider using [trusted publishing](/trusted-publishers), w
 
 </Note>
 
-## Configuring two-factor authentication
+## Configuring two-factor authentication on package settings
 
 1. <>{shared['user-login'].text}</>
 
@@ -34,18 +34,13 @@ For CI/CD workflows, consider using [trusted publishing](/trusted-publishers), w
    <Screenshot src="/packages-and-modules/securing-your-code/2fa-package-admin.png" alt="Screenshot showing the admin tab on a package page" />
 
 4. Under "Publishing access", select the requirements to publish a package.
-   1. **Dont require two-factor authentication**  
-      With this option, a maintainer can publish a package or change the package settings whether they have two-factor authentication enabled or not. This is the least secure setting.
-
-   2. **Require two-factor authentication or granular access tokens**  
-      With this option, maintainers must have two-factor authentication enabled for their account. If they publish a package interactively, using the `npm publish` command, they will be required to enter 2FA credentials when they perform the publish. However, maintainers may also create a [granular access token with bypass 2FA enabled][creating-granular-access-token] and use that to publish. A second factor is _not_ required when using these specific token types, making them useful for continuous integration and continuous deployment workflows.
-
-   3. **Require two-factor authentication and disallow tokens**  
-      With this option, a maintainer must have two-factor authentication enabled for their account, and they must publish interactively. Maintainers will be required to enter 2FA credentials when they perform the publish. Granular access tokens cannot be used to publish packages, regardless of their bypass 2FA setting.
+   1. **Require two-factor authentication or a granular access token with bypass 2fa enabled** (Default)  
+      This is the default option for all new packages. With this option, maintainers must have two-factor authentication enabled for their account. If they publish a package interactively, using the `npm publish` command, they will be required to respond to a 2FA prompt when they perform the publish. However, maintainers may also create a [granular access token with bypass 2FA enabled][creating-granular-access-token] and use that for a non-interactive publish.
+   2. **Require two-factor authentication and disallow tokens** (Recommended) With this option, a maintainer must have two-factor authentication enabled for their account, and they must publish interactively. Maintainers will be required to respond to a 2FA prompt when they perform the publish. Granular access tokens cannot be used to publish packages, regardless of their bypass 2FA setting.
 
    <Screenshot src="/packages-and-modules/securing-your-code/2fa-package-setting.png" alt="Screenshot showing the require two-factor option for a package" />
 
-5. Click **Update Package Settings**.
+5 . Click **Update Package Settings**.
 
 [config-2fa]: configuring-two-factor-authentication
 [creating-granular-access-token]: creating-and-viewing-access-tokens#creating-granular-access-tokens-on-the-website
-Original file line number
+Diff line change
@@ Expand Up @@
     For publishing packages in continuous deployment environments, we strongly recommend using [trusted publishing](/trusted-publishers) when available, as it provides enhanced security without requiring token management.
-    If trusted publishing is not available for your CI/CD provider, you can create a [granular access token with bypass 2FA enabled][create-token] on the website. This will allow you to publish even if you have two-factor authentication enabled on your account.
+    If trusted publishing is not available for your CI/CD provider, you must create a [granular access token with bypass 2FA enabled][create-token] on the website. This will allow you to publish in your CI/CD workflows even if you have two-factor authentication enabled on your account.
     <Note>
@@ Expand Down @@