arewethereyeta 5 days ago
2FA for such high profile packages should be enforced

jsheard 5 days ago
It is; if your packages are popular enough, npm will force you to enable 2FA. They started doing that a few years ago. It clearly doesn't stop everything though: the big attack yesterday went through 2FA by tricking the author into doing a "2FA reset".

diggan 5 days ago
> It is; if your packages are popular enough, npm will force you to enable 2FA.
Are they actively forcing it? I've received the "Remember to enable 2FA" email notifications from NPM since 2022 I think, but haven't bothered since I'm no longer publishing packages/updates. Besides, the email conveniently mentions their "automation" tokens as well, which, when used for publishing updates, bypass 2FA fully.

frizlab 5 days ago
Passkeys should be enforced

smw 5 days ago
Parent is exactly right! For critical infrastructure an un-phishable 2fa mechanism like passkeys or a hardware token (FIDO2/yubikey) should be required! It would remove this category of attack completely.

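Why a passkey (WebAuthn) assertion cannot be relayed from a look-alike domain, shown as an added example that is not part of this thread: the relying party checks the browser-supplied `origin` and the authenticator's `rpIdHash` before it even looks at the signature. The RP ID, origin and helper builders below are constructed sample values, and signature verification is left out.

```python
import base64
import hashlib
import json
import os

# Constructed sample values for the relying party (assumed, not a real registry).
RP_ID = "registry.example"
EXPECTED_ORIGIN = "https://registry.example"

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def check_assertion(client_data_b64: str, auth_data: bytes, expected_challenge: bytes) -> tuple[bool, str]:
    """Origin/RP-ID checks a WebAuthn relying party performs before signature verification."""
    cd = json.loads(b64url_decode(client_data_b64))
    if cd.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if b64url_decode(cd.get("challenge", "")) != expected_challenge:
        return False, "challenge mismatch (replayed or stale)"
    # The browser, not the page or the user, writes origin into clientDataJSON,
    # so an assertion obtained on a phishing host carries that host's origin.
    if cd.get("origin") != EXPECTED_ORIGIN:
        return False, f"origin mismatch: {cd.get('origin')!r}"
    # First 32 bytes of authenticatorData are SHA-256 of the RP ID the key is scoped to.
    if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash mismatch"
    if not auth_data[32] & 0x01:  # UP flag: user presence was confirmed
        return False, "user presence flag not set"
    return True, "ok"

def make_client_data(origin: str, challenge: bytes) -> str:
    """Constructed stand-in for what a browser produces (for the demo only)."""
    chal = base64.urlsafe_b64encode(challenge).rstrip(b"=").decode()
    cd = {"type": "webauthn.get", "challenge": chal, "origin": origin}
    return base64.urlsafe_b64encode(json.dumps(cd).encode()).rstrip(b"=").decode()

def make_auth_data(rp_id: str, flags: int = 0x01) -> bytes:
    """Constructed authenticatorData: rpIdHash || flags || signCount."""
    return hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + (0).to_bytes(4, "big")

if __name__ == "__main__":
    chal = os.urandom(32)
    print(check_assertion(make_client_data(EXPECTED_ORIGIN, chal), make_auth_data(RP_ID), chal))
    # An assertion relayed from a look-alike domain is bound to that domain and is rejected.
    print(check_assertion(make_client_data("https://registry-login.example", chal),
                          make_auth_data("registry-login.example"), chal))
```

In practice the browser on the look-alike origin would not even offer the credential scoped to the real RP ID; the check above is the server-side backstop.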
frizlab 5 days ago
I take the downvote, but I'd like to know why? Passkeys are effectively and objectively a better security solution than password+2FA. Among other things, they are completely unphishable.

cesarb 5 days ago
> Among other things, they are completely unphishable.
From what I've heard, they're also unbackupable, and tied to the ecosystem used to create them (so if you started with an Apple desktop, you can't later migrate the passkeys to a Windows desktop; you have to go to every single site you've ever used and create new ones).

smw 5 days ago
You can't really back up hardware tokens, either? It's quite possible to use something like bitwarden/vaultwarden/1password as a password manager, and you can "backup" tokens quite easily without being tied to a particular mobile/desktop ecosystem.

yawaramin 4 days ago
You can just create a new passkey on the new device after logging in. It's a non-issue.

3eb7988a1663 4 days ago
It is not a given that multiple services let you enroll multiple keys. How many years did it take before Amazon allowed multiple Yubikeys? Which means you are in a real pickle if you ever lose your one hardware device with keys (lost, stolen, bricked, whatever).

yawaramin 4 days ago
It's an incorrect implementation, the same as when e.g. an account provider truncates a long password to 8 characters.

frizlab 4 days ago
That's not true anymore; you can migrate passkeys to another password manager now.

skeeter2020 5 days ago
For popular packages - and in this case - they are. This attack (and yesterday's) is a relay attack, with the attacker in the middle between npm and the target.

koakuma-chan 5 days ago
He would have entered 2FA too