parliament32 5 days ago

> it's clear that the current 2FA approach isn't good enough. I don't know how to improve on it

USE PASSKEYS. Passkeys are phishing-resistant MFA, which has been a US govt directive for agencies and suppliers for three years now[1]. There is no excuse for infrastructure as critical as NPM to still be allowing TOTP for MFA.

[1]https://www.whitehouse.gov/wp-content/uploads/2022/01/M-22-0...

cuu508 4 days ago | parent | next

Use WebAuthn as the second factor. Passkeys are a single factor authentication, and a downgrade from password+WebAuthn.

parliament32 4 days ago | parent

Depends on where you store them. If they're in TPM (like WHFB) it's two-factor (because you need the TPM itself, something you have, and PIN or biometric to unlock it, something you know/are). But if you're just loading keys into a software password manager, yes, it's single factor.

int_19h 2 days ago | parent

At this point, we have passkey support integrated in both major desktop OSes (Windows, macOS) and both major mobile OSes (Android, iOS). All of them require both the physical device and either PIN or biometric unlock.

smw 5 days ago | parent | prev | next

This is the way! Passkeys or FIDO2 (yubikey) should be required for supply chain critical missions like this.

FreakLegion 4 days ago | parent | prev

Yes, use FIDO, you'll be better off, but no, passkeys aren't immune to account takeover. E.g. not only does GitHub support OAuth apps, it supports device code flow, and thus: https://www.praetorian.com/blog/introducing-github-device-co....