Npm Enrolls Top 100 Package Maintainers Into Mandatory 2FA (therecord.media)
The administrators of the Node Package Manager (npm), the largest package repository of the JavaScript ecosystem, said they enrolled the maintainers of the top 100 most popular libraries (based on the number of dependencies) into their mandatory two-factor authentication (2FA) procedure. From a report: npm, which is owned by GitHub, enforced this new security requirement starting yesterday, February 1, 2022. "Maintainers who do not currently have 2FA enabled will have their web sessions revoked and will need to set up 2FA before they can take specific actions with their accounts, such as changing their email address or adding new maintainers to projects," the GitHub security team said in a blog post. The move represents the second phase of a major push from the npm team to secure developer accounts, which have been getting hijacked in recent years and used to push malware inside legitimate JavaScript libraries. In many cases, the accounts are hacked because project maintainers use simple-to-guess passwords or reused passwords that were previously leaked via breaches at other companies. The first phase of this process took place between December 7, 2021, and January 4, 2022, when the npm team rolled out a new feature called "enhanced login verification" for all npm package maintainers.
Sucks to be them (Score:2)
Re: (Score:1)
Re:Sucks to be them (Score:4, Informative)
Yes, if I was a top contributor I would likely log in once and set a message "This project is no longer maintained as NPM is making it too annoying to maintain"
Re: (Score:2)
Better yet: left-pad
Re: (Score:2)
Or you could use a strong password, without the additional pain.
Re: (Score:2)
oathtool -b --totp 'secret'
a giant pain in the backside?
Re: (Score:2)
Re: (Score:2)
Yes 2FA works and is a lot more secure. Its also a giant pain in the backside.
Really? That's where we're at, as a society, now? Tapping the authentication app on my smartphone and keying in 6 digits is a giant pain in the backside?
"Maintainers who do not currently have 2FA enabled will have their web sessions revoked and will need to set up 2FA before they can take specific actions with their accounts, such as changing their email address or adding new maintainers to projects,"
Specific actions... Not just doing normal crap.. You have to go 2FA before you change your email address or add a hacker to the project.
If that's too much for someone to do, fuck them. They're lazy to the point of being dangerous.
Re: (Score:2)
Re: (Score:2)
Many of us have broken the chains of slavery to our phones. So 2FA via a device you don't want to be shackled to is a PITA.
Fine.
https://www.makeuseof.com/how-generate-2fa-codes-windows-10-google-authenticator/
Just admit you're lazy to the point of being useless.
Re: (Score:3)
So, I'm guessing you don't actually use any of this because you seem ignorant of emergency backup codes and alternative 2FA in those cases.
Re: (Score:1)
How many people save those codes?
Re: (Score:2)
There's someone out there that doesn't? Don't you think that's a little irresponsible?
Re: (Score:2)
Me! In a fireproof safe. Won't catch every possibility, but it does not take much work to maintain.
Re: (Score:2)
If someone is so incompetent (or lazy) that they cannot handle backup codes, they are way too incompetent (or lazy) to support software I care about.
Re: (Score:3)
Re: (Score:2)
They aren't master codes, they're a series of one-time-use codes. They aren't time limited, but are there in case of emergency.
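The "series of one-time-use codes" described above, as an added example that is not from this thread: how a service would generate backup codes, store only salted slow hashes of them, and consume each code exactly once. The alphabet, PBKDF2 with a per-user salt, and the normalisation of typed codes are my design choices, not anything npm has documented.

```python
import hashlib
import hmac
import os
import secrets

# Alphabet without characters that are easy to confuse when read off paper (0/O, 1/l/I).
CODE_ALPHABET = "abcdefghjkmnpqrstuvwxyz23456789"


def generate_backup_codes(count: int = 10, length: int = 10) -> list:
    """Return `count` random one-time codes, shown to the user exactly once at enrolment."""
    return ["".join(secrets.choice(CODE_ALPHABET) for _ in range(length)) for _ in range(count)]


def normalize(code: str) -> str:
    """Tolerate the way people transcribe codes from a printout: case, spaces and dashes."""
    return code.lower().replace("-", "").replace(" ", "")


class BackupCodeStore:
    """What the service keeps: a salted slow hash of each code plus a used flag.
    The plaintext codes exist only in the user's safe (or wherever they put them)."""

    def __init__(self, codes, salt: bytes = None, iterations: int = 100_000):
        self.salt = salt or os.urandom(16)      # per-user salt (assumption: one store per user)
        self.iterations = iterations
        self.entries = [{"hash": self._hash(c), "used": False} for c in codes]

    def _hash(self, code: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", normalize(code).encode(), self.salt, self.iterations)

    def redeem(self, code: str) -> bool:
        """Consume a code. Returns True once per code; a second use of the same code is rejected."""
        h = self._hash(code)
        for entry in self.entries:
            if hmac.compare_digest(entry["hash"], h):
                if entry["used"]:
                    return False
                entry["used"] = True
                return True
        return False

    def remaining(self) -> int:
        return sum(1 for e in self.entries if not e["used"])


if __name__ == "__main__":
    codes = generate_backup_codes()
    store = BackupCodeStore(codes)
    print("give these to the user once:", codes)
    print("first use ok:", store.redeem(codes[0]), "second use ok:", store.redeem(codes[0]))
    print("remaining:", store.remaining())
```

Because the codes are random and the store only holds hashes, a database leak does not hand an attacker a usable second factor; because each entry flips to used on first redemption, a code copied off the printout works once and never again.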
Re: (Score:2)
Re: (Score:3)
If you use one of the most common ones, Google Authenticator, then your cell phone service being up or down matters exactly nothing.
It can miss about 4 years of time syncs before it starts to go very slightly out of sync.
I think you don't know how most 2FA authentication works. The ones most used for actual business are just small fobs with no connectivity to anything whatsoever.
And if you don't have internet at all, it's not going to even matter if your 2FA needs internet access or not.
Re: (Score:2)
You mean a fob which can be lost? Or, better yet, stolen and now someone has access to your account if even for a short time which is long enough for them to reroute 2FA authentication.
Re: (Score:2)
The ones most used for actual business are just small fobs with no connectivity to anything whatsoever.
You mean a fob which can be lost? Or, better yet, stolen and now someone has access to your account if even for a short time which is long enough for them to reroute 2FA authentication.
Err... they would still need the target's username and password--and if they know that and are specifically targeting that person to compromise their account to the point they've managed to steal a keyfob, they're going to succeed no matter what countermeasures you put in their path. Do you have some alternative scenario in mind here?
Re: (Score:2)
You mean a fob which can be lost? Or, better yet, stolen and now someone has access to your account if even for a short time which is long enough for them to reroute 2FA authentication.
Dude, just fucking admit you don't know what you're talking about. This is getting pathetic.
If I lose my fob, how the FUCK is the person who finds it gonna figure out my username / password? Are you operating under the impression that the fob, itself, gives total access?
Stolen.. Okay. yeah. That's a risk.. But it's not a big enough of a problem to rule out 2FA altogether.
Jesus H. Christ.... We don't NOT use safes because safe-crackers exist. The fact that a safe is there drastically reduces the numb
Re: (Score:2)
Re: (Score:2)
You can screenshot the original picture you get to set up the authenticator, print that, and put that into your safe. Then you can just rescan it with any device that can run the Google Authenticator. I'm not aware of smaller form factors (I actually use an old phone as backup for it).
Re: (Score:2)
Google also claimed to enroll everyone in 2FA. What Google really means is a verified phone number, with the phone (and internet) taking the place of a fob (what you have). Plus, of course, the phone is always signed in (and tracking you), so in some ways, less security. Plug-in security keys are the best option but a lot of computing devices don't have drivers for that.
Once Google has you permanently signed in, then one can switch to Google Authenticator and sign-out.
Re: (Score:2)
I have no idea what you're talking about. Since I have a Google Authenticator running perfectly fine on devices that do not have a phone number, or a SIM card, or a Google account.
Re: (Score:3)
Makes it harder to take down some accounts with leaked passwords but now introduces an infrastructure dependency on your 2FA provider.
Depends on what kind of 2FA you introduce. If you're sensible you go for something like TOTP aka RFC 6238 [ietf.org], which is based on a shared key. There is no additional infrastructure to go down but if you lose your phone or whatever you put the key into then you do need to make sure you have some backup passwords stashed in the safe.
As for whether it should be mandatory it really does depend on how much risk you are at. For the top 100 NPM packages, being targeted for supply chain attacks by major players is a re
Re: (Score:3)
It still should not be forced, simply state on the npm package that it is 2-factor authenticated, users should be able to choose if they use the package or not.
Re: (Score:2)
The whole point is to assure npm users that their favorite repositories are protected from an attack.
Of course, this only covers the most popular, and does nothing in the face of a random maintainer from either deliberately screwing their own project, breaking backwards compatibility because they don't care, or just screwing up.
So it's an assurance that unauthorized hijacking of a standing project is less likely, which users care about, but doesn't do much for indicating the reliability and trustworthiness
Re: (Score:2)
That's a little extreme, don't you think? Why would anyone even care?
Re: (Score:2)
That's what we need: giving non-computer people MORE popups to accept (or not, but they will always accept) before they can do what they need to do online. You are why we can't have nice things.
Re: (Score:2)
It still should not be forced, simply state on the npm package that it is 2-factor authenticated, users should be able to choose if they use the package or not.
When you provide proof that you were against mandatory "passwords" being forced on everyone, from the start, then you can complain.
Else, you're just a lazy cunt who can't be bothered to expend a single calorie for increased security.
Re: (Score:2)
I'll second this, 2FA does *not* mean some third-party server, it means either TOTP (a shared secret navigated through a human-friendly 6-digit code) or SMS (thankfully falling out of favor).
I suspect the people grousing are grousing because they fear what it may mean for continuous integration that pushes to the site. For which the correct answer is likely something like a public key, or if that's too onerous, an 'api key' (machine generated password that user doesn't get to control), or, if they want, the automat
Re: (Score:2)
Makes it harder to take down some accounts with leaked passwords but now introduces an infrastructure dependency on your 2FA provider.
If it's using the standardized TOTP, just save a copy of the QR code somewhere safe. It depends on zero infrastructure. Just use the QR code as the seed for your number generator and you can write your own software if you want to.
SMS is insecure anyway.
Node.js users are idiots anyway (Score:1)
I welcome such restrictions.
Can't tell you how many shit packages I have downloaded without having any meaningful control.