More information about team member and profile and check if 2FA is enabled


(Cristobal Dabed) #1

With the latest security issues regarding the malicious eslint packages that were breached, resulting in all npm tokens being revoked.

It would be nice from a security perspective to be able to get profile information for the members in a team and check on whether they have 2FA enabled.

E.g. one could have a team profile command for getting information on a given user in the team, e.g.:

$ npm team profile @team:developers get username --json
{
  "tfa": {
    "pending": false,
    "mode": "auth-and-writes"
  },
  ...
}

Or if that’s too much hassle, just list users that have 2FA enabled by adding an extra argument to the team ls command, e.g.:

$ npm team ls --tfa @team:developer
[
  "username1",
  "username2",
  ...
]

Then one could diff with the result list from the std. npm team ls command, and extract those who do not have 2FA enabled by default. From a security perspective this would be nice to have, so we can ensure, internally in our organization and npm team, that our users have 2FA enabled.

We have some special users for CI, which we would exclude, but there we would use npm tokens with the --cidr option. But for the rest of our npm team users we would like to notify them until they have 2FA enabled :smile: :sunglasses:
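The audit step described in the post (diff the team member list against per-member 2FA status, skipping CI service accounts), as an added example that is not part of the original post or of the npm CLI. It assumes the proposed `npm team profile ... --json` output carries a `tfa` object shaped like the one shown above; the member list, the profiles and the CI account name are constructed sample data, and a member only passes when 2FA covers writes (npm's `auth-and-writes` mode), since `auth-only` leaves publishes unprotected.

```python
import json

# Constructed sample: what `npm team ls @team:developers --json` returns today.
TEAM_LS_JSON = '["alice", "bob", "carol", "ci-publisher"]'

# Constructed sample: per-user output in the shape proposed in the post for the
# hypothetical `npm team profile @team:developers get <user> --json` command.
PROFILE_JSON = {
    "alice": '{"name": "alice", "tfa": {"pending": false, "mode": "auth-and-writes"}}',
    "bob": '{"name": "bob", "tfa": null}',
    "carol": '{"name": "carol", "tfa": {"pending": true, "mode": "auth-only"}}',
    "ci-publisher": '{"name": "ci-publisher", "tfa": null}',
}

# Constructed: service accounts that publish with IP-restricted tokens
# (`npm token create --cidr=...`) instead of an interactive 2FA login.
CI_ACCOUNTS = {"ci-publisher"}


def tfa_status(profile):
    """Classify one profile's `tfa` field.

    Returns "none" (2FA not set up), "pending" (enrolment started but not
    confirmed), "auth-only" (protects login only) or "auth-and-writes"
    (protects login and write operations such as publish).
    """
    tfa = profile.get("tfa")
    if not tfa:
        return "none"
    if tfa.get("pending"):
        return "pending"
    return tfa.get("mode", "none")


def audit_team(team_ls_json, profile_json_by_user, exclude=frozenset()):
    """Return {username: status} for each non-excluded team member whose 2FA
    does not cover writes; the diff-against-`npm team ls` step from the post."""
    findings = {}
    for user in json.loads(team_ls_json):
        if user in exclude:
            continue
        status = tfa_status(json.loads(profile_json_by_user.get(user, "{}")))
        if status != "auth-and-writes":
            findings[user] = status
    return findings


if __name__ == "__main__":
    for user, status in sorted(audit_team(TEAM_LS_JSON, PROFILE_JSON, CI_ACCOUNTS).items()):
        print(f"{user}: 2FA status = {status}")
```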