The move was announced Tuesday along with a handful of other features meant to combine enhanced security with usability for the GitHub-owned package manager.
In a blog post, GitHub said that the changes would make it easier for users to secure their accounts, while also streamlining some security features that users had found burdensome.
Besides the ability to connect Twitter and GitHub accounts as an authentication method, GitHub announced that two-factor authentication (2FA) for login and package publishing on NPM would be made less cumbersome.
Per the blog post, NPM had previously trialed the enhanced 2FA login flow in a public beta, but after feedback from the community decided that certain parts of it should be tweaked to be more user-friendly. This included adding a “remember me for 5 minutes” option, so that a user who has just authenticated successfully is not prompted for a second factor again for a short period rather than on every login or publish.
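As an added illustration of how a “remember me for 5 minutes” window can be implemented, here is a small JavaScript sketch. It is hypothetical code written for this article, not the npm CLI’s own implementation; the five-minute value comes from the post, while the session-keyed cache, the fixed (non-sliding) window and the `verifyOtp` stub are assumptions.

```javascript
// Hypothetical "remember me for N minutes" window for second-factor prompts.
// Not npm's code: a constructed example to show the mechanism and its edges.

const REMEMBER_MS = 5 * 60 * 1000; // the 5-minute value named in the post

class OtpRememberWindow {
  constructor(ttlMs = REMEMBER_MS) {
    this.ttlMs = ttlMs;
    this.verifiedAt = new Map(); // sessionId -> time of last successful OTP check
  }

  // Record a successful second-factor check for one session only, so a
  // verification in one CLI session never silences prompts in another.
  markVerified(sessionId, now = Date.now()) {
    this.verifiedAt.set(sessionId, now);
  }

  // Decide whether a sensitive action (login, publish) must prompt for the OTP.
  // The window is fixed from the last verification; using it does not extend it,
  // so a stolen session cannot keep the window alive indefinitely.
  needsPrompt(sessionId, now = Date.now()) {
    const t = this.verifiedAt.get(sessionId);
    if (t === undefined) return true;
    if (now - t >= this.ttlMs) {
      this.verifiedAt.delete(sessionId); // expired: drop stale state rather than keep it
      return true;
    }
    return false;
  }

  // Explicitly forget a session, e.g. on logout or credential change.
  forget(sessionId) {
    this.verifiedAt.delete(sessionId);
  }
}

// Toy verifier for the demo: accepts one constructed code. A real system
// would verify a TOTP code or a WebAuthn assertion here.
function verifyOtp(code) {
  return code === '123456';
}

// Simulated publish flow: otpProvider is called only when a prompt is needed.
function publishWithRemember(win, sessionId, otpProvider, now = Date.now()) {
  if (win.needsPrompt(sessionId, now)) {
    const otp = otpProvider(); // prompt the user for the second factor
    if (!verifyOtp(otp)) return { published: false, prompted: true };
    win.markVerified(sessionId, now);
    return { published: true, prompted: true };
  }
  return { published: true, prompted: false };
}
```

The two design points worth noting are that the remembered state is keyed by session rather than by account, and that the window is measured from the last successful verification rather than from the last use, which bounds how long a hijacked session can keep publishing without a fresh second factor.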
“Account security is significantly improved by adopting 2FA, but if the experience adds too much friction, we can’t expect customers to adopt it,” Borins and Mohan wrote. “Early adopters of our new 2FA experience shared feedback around the process of logging in and publishing with the npm CLI, and we recognized there was room for improvement.”
The improved security features are being made available in NPM 8.15.0, released July 26th, the post said.
NPM’s parent company, GitHub, is also working to improve security on the larger code-hosting platform: earlier this year, the company announced that all users who contribute code would need to have some form of 2FA enabled by the end of 2023.