You can enable two-factor authentication (2FA) on your npm user account to protect against unauthorized access to your account and packages, using either a security key (WebAuthn) or a time-based one-time password (TOTP) generated by an authenticator app on your phone.

Prerequisites

Before you enable 2FA on your npm user account, you must:

For more information on supported 2FA methods, see "About two-factor authentication".

Note: npm does not accept SMS (text message to phone) as a 2FA method.

Configuring 2FA from the website

Enabling 2FA

  1. On the npm "Sign In" page, enter your account details and click Sign In.

    Screenshot of npm login dialog

  2. In the upper right corner of the page, click your profile picture, then click Account.

    Screenshot of account settings selection in user menu

  3. On the account settings page, under "Two-Factor Authentication", click Enable 2FA.

    Screenshot showing Enable 2FA button

  4. When prompted, provide your current account password and click Confirm password to continue.

  5. On the 2FA method page, select the method you would like to enable and click Continue. For more information on supported 2FA methods, see "About two-factor authentication".

    Screenshot showing 2FA types

  6. Configure the 2FA method of your choice:

    • When using a security key, provide a name for it and click Add security key. Follow the browser-specific steps to add your security key.

    Screenshot showing security key setup

      Below is an example of the configuration flow in Microsoft Edge running on macOS.

    Screenshot showing 2FA device selection

    • When using an authenticator application on your phone, open it and scan the QR code on the two-step verification page. Enter the code generated by the app, then click Verify.

    Screenshot showing 2FA device selection

  7. On the recovery code page, copy the recovery codes to your computer or another safe location that is not your second-factor device. We recommend using a password manager.

    Screenshot showing the Recovery Code page

    Recovery codes are the only way to ensure you can recover your account if you lose access to your second-factor device. Each code can be used only once. You can view and regenerate your recovery codes from your 2FA settings page. For secondary account recovery options, see "Configuring account recovery options".

  8. Click Go back to settings after confirming that you have saved your codes.

Disabling 2FA for writes

See the "Authorization and writes" section for more information on which operations require 2FA when this mode is enabled.

Note: 2FA for write operations is enabled automatically when you set up 2FA, because it is the recommended setting. The following steps explain how to disable it. Once it is disabled (auth-only mode), publishing and other write operations are protected only by your login session or access token, so a leaked token alone is enough to publish.

  1. On the npm "Sign In" page, enter your account details and click Sign In.

    Screenshot of npm login dialog

  2. In the upper right corner of the page, click your profile picture, then click Account.

    Screenshot of account settings selection in user menu

  3. On the account settings page, under "Two-Factor Authentication", click Modify 2FA.

    Screenshot showing Modify 2FA button

  4. On the "Manage Two-Factor Authentication" page, navigate to the "Additional Options" section.

  5. Clear the "Require two-factor authentication for write actions" checkbox and click Update Preferences.

    Screenshot showing a cleared checkbox to disable 2FA under Additional Options

Disabling 2FA

If you have 2FA enabled, you can remove it from your account settings page.

Note: You cannot remove 2FA if you are a member of an organization that enforces 2FA. You can view the list of your organization memberships on your profile page under the "Organizations" tab.

  1. On the npm "Sign In" page, enter your account details and click Sign In.

    Screenshot of npm login dialog

  2. In the upper right corner of the page, click your profile picture, then click Account.

    Screenshot of account settings selection in user menu

  3. On the account settings page, under "Two-Factor Authentication", click Modify 2FA.

    Screenshot showing Modify 2FA button

  4. Scroll to the bottom of the "Manage Two-Factor Authentication" page and click Disable 2FA.

    Screenshot showing Disable 2FA button

  5. Confirm the prompt shown by the browser.

Configuring 2FA from the command line

Enabling 2FA from the command line

Although a security key with WebAuthn can be used for authentication from both the web and the command line, it can only be configured from the web. When enabling 2FA from the command line, currently the only available option is a TOTP mobile app.

Note: Settings you configure on the command line also apply to your profile settings on the npm website.

  1. If you are logged out on the command line, log in using the npm login command.

  2. On the command line, type the npm profile command along with the option for the 2FA mode you want to enable:

    • To enable 2FA for authorization and writes, type:

      npm profile enable-2fa auth-and-writes

    • To enable 2FA for authorization only, type:

      npm profile enable-2fa auth-only

  3. To add npm to your authenticator application, using the device with the app, you can either:

    • Scan the QR code displayed on the command line.

    • Type the secret key displayed below the QR code into the app.

  4. When prompted to add an OTP code from your authenticator, enter on the command line a one-time password generated by your authenticator app.

Sending a one-time password from the command line

If you have enabled 2FA in auth-and-writes mode, you need to send a TOTP from the command line for certain commands to work. To do this, append --otp=123456 (where 123456 is the code currently shown by your authenticator) to the end of the command. If you omit --otp in an interactive terminal, recent npm versions prompt for the code instead; in a non-interactive environment such as CI the command fails. Here are a few examples:

npm publish [<tarball>|<folder>] [--tag <tag>] --otp=123456
npm owner add <user> [<@scope>/]<pkg> --otp=123456
npm owner rm <user> [<@scope>/]<pkg> --otp=123456
npm dist-tag add <pkg>@<version> [<tag>] --otp=123456
npm access edit [<package>] --otp=123456
npm unpublish [<@scope>/]<pkg>[@<version>] --otp=123456

Removing 2FA from the command line

  1. If you are logged out on the command line, log in using the npm login command.

  2. On the command line, type the following command:

    npm profile disable-2fa

  3. When prompted, enter your npm password:

    npm password:

  4. When prompted for a one-time password, enter the code from your authenticator app:

    Enter one-time password from your authenticator: 123456

Configuring account recovery options

When you enable 2FA on your npm user account, we strongly recommend that you link your GitHub and/or Twitter accounts to your npm user account. If you lose access to both your 2FA device and your recovery codes, these linked accounts can be used to verify your identity and expedite the recovery of your npm account.

  1. On the npm "Sign In" page, enter your account details and click Sign In.

    Screenshot of npm login dialog

  2. In the upper right corner of the page, click your profile picture, then click Account.

    Screenshot of account settings selection in user menu

  3. To link your GitHub account, on the account settings page, under "Linked Accounts & Recovery Options", click Link with GitHub.

    Screenshot showing Link GitHub account button

  4. On the authorization page, verify that all information looks correct. Then click Authorize npm account link.

  5. To link your Twitter account, on the account settings page, under "Linked Accounts & Recovery Options", click Link with Twitter.

    Screenshot showing Link Twitter account button

  6. On the authorization page, verify that all information looks correct. Then click Authorize app.

The Twitter or GitHub account is now linked to your npm account. To remove the link to either account, click the Remove button next to the account you want to remove from your npm account.

Resolving TOTP errors

If you are entering what seems to be a valid TOTP but you see an error, make sure you are using the correct authenticator account. If you have multiple authenticator accounts, using a TOTP from the wrong account will cause an error.

Also, when you set up two-factor authentication again after disabling it, the authenticator might create a second account with the same name; the old entry keeps generating codes for the secret npm no longer recognizes. See your authenticator's documentation for how to delete the old account.

TOTP codes are derived from the current time, so a phone whose clock is off by more than the server's tolerance (typically one 30-second step either way) will produce codes that are rejected; enabling automatic time synchronization on the device fixes this.
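The script below is an added example, not code from npm's documentation or the npm CLI. It implements the RFC 6238 TOTP computation that an authenticator app performs from the secret key shown below npm's QR code (step 3 of the command-line setup), verifies a code within a one-step window the way a server typically does, which is why a code from a stale duplicate account or a drifted clock fails in the "Resolving TOTP errors" section, and assembles an npm command line with --otp appended as described under "Sending a one-time password from the command line". The secret (the RFC 4226/6238 test seed), the otpauth URI with its label and issuer, the timestamps, and the size of the acceptance window are all constructed or assumed; npm's actual validation window and the exact otpauth parameters it emits are not stated on this page.

```python
"""RFC 6238 TOTP as an authenticator app computes it for npm's 2FA.

Added example for illustration; not npm's own code. All secrets, URIs and
timestamps below are constructed test data (the RFC 4226 / RFC 6238 test seed).
"""
from __future__ import annotations

import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import parse_qs, urlparse

# Constructed: the RFC 4226/6238 test seed "12345678901234567890", base32-encoded,
# standing in for the secret key printed below npm's QR code.
RFC_TEST_SEED_B32 = base64.b32encode(b"12345678901234567890").decode()

# Constructed otpauth key URI of the kind a TOTP QR code encodes. Label and
# issuer are assumptions; npm's exact parameters are not shown on the page.
EXAMPLE_OTPAUTH_URI = f"otpauth://totp/npm:alice?secret={RFC_TEST_SEED_B32}&issuer=npm"


def decode_base32_secret(secret_b32: str) -> bytes:
    """Decode a secret key as authenticator apps do: ignore spaces/case, restore padding."""
    s = secret_b32.replace(" ", "").upper()
    return base64.b32decode(s + "=" * (-len(s) % 8))


def hotp(secret_b32: str, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    key = decode_base32_secret(secret_b32)
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def totp(secret_b32: str, at: float | None = None, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter set to floor(unix_time / step)."""
    at = time.time() if at is None else at
    return hotp(secret_b32, int(at // step), digits)


def verify_totp(secret_b32: str, code: str, at: float | None = None,
                step: int = 30, window: int = 1) -> bool:
    """Accept a code if it matches the current step or one step on either side.

    The +/-1 step window is the usual server-side tolerance for clock drift and
    typing delay (assumed here; npm's real window is not documented on this page).
    A code computed from a different secret, i.e. the wrong authenticator
    account or a stale duplicate entry, never matches.
    """
    at = time.time() if at is None else at
    counter = int(at // step)
    return any(hmac.compare_digest(hotp(secret_b32, counter + d, len(code)), code)
               for d in range(-window, window + 1))


def secret_from_otpauth(uri: str) -> str:
    """Extract the base32 secret from an otpauth://totp/... key URI (the QR code's payload)."""
    parsed = urlparse(uri)
    if parsed.scheme != "otpauth" or parsed.netloc != "totp":
        raise ValueError("not a TOTP key URI")
    return parse_qs(parsed.query)["secret"][0]


def npm_argv_with_otp(argv: list[str], secret_b32: str, at: float | None = None) -> list[str]:
    """Append --otp=<code> to an npm command, the form the docs show for auth-and-writes mode.

    Caveat: generating the OTP from a seed stored next to your npm token collapses
    2FA back to a single factor; use this to understand or debug the flow, not in CI.
    """
    return [*argv, f"--otp={totp(secret_b32, at)}"]


if __name__ == "__main__":
    secret = secret_from_otpauth(EXAMPLE_OTPAUTH_URI)
    # RFC 6238 test vector: at unix time 59 the 8-digit SHA-1 code is 94287082.
    print("6-digit code at t=59:", totp(secret, 59))
    print("same code accepted 16 s later:", verify_totp(secret, "287082", 75))
    print("same code rejected 61 s later:", verify_totp(secret, "287082", 120))
    other = base64.b32encode(b"a different account").decode()  # constructed
    print("code from the wrong account:", verify_totp(other, "287082", 59))
    print(" ".join(npm_argv_with_otp(["npm", "publish", "--tag", "next"], secret, at=59)))
```

Running the script prints the RFC 6238 vector (287082 at t=59), shows that the same code is still accepted one step later but not two steps later, and prints a ready-to-run npm publish line; swap in the secret from your own setup key only on a machine you trust with it, since that seed is the second factor.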
