In response to the frequent cases of repositories of large projects being hijacked and malicious code being pushed through compromised developer accounts, GitHub has introduced extended account verification for npm. Extended verification requires entering a one-time code sent by email when logging in to npmjs.com or performing an authenticated operation in the npm command-line utility.
Extended verification does not replace the previously available optional two-factor authentication, in which confirmation is performed with one-time passwords (TOTP); it only complements it. When two-factor authentication is enabled, extended email verification does not apply. Starting February 1, 2022, the maintainers of the 100 most popular npm packages (those with the greatest number of dependents) will begin migrating to mandatory two-factor authentication. Once the migration of the first hundred is complete, the requirement will be extended to the maintainers of the 500 most popular npm packages.
In addition to the currently supported two-factor authentication schemes based on applications that generate one-time passwords (Authy, Google Authenticator, FreeOTP, etc.), npm plans in April 2022 to add support for hardware keys and biometric scanners, for which the WebAuthn protocol is supported, as well as the ability to register and manage multiple additional authentication factors.
Recall that, according to a study conducted in 2020, only 9.27% of package maintainers used two-factor authentication to protect their accounts, and in 13.37% of cases developers registering new accounts tried to reuse passwords that had been compromised in well-known password leaks. When the strength of the passwords in use was checked, it was possible to gain access to 12% of npm accounts (13% of packages) because of predictable and trivial passwords such as "123456". Among these were 4 accounts of users maintaining Top-20 packages, 13 accounts whose packages were downloaded more than 50 million times a month, 40 accounts with more than 10 million downloads per month, and 282 accounts with more than 1 million downloads per month. Taking into account the loading of modules along dependency chains, compromising these weakly protected accounts could have affected up to 52% of all modules in npm.