I was chatting about this with Ceej today and we may have an alternative and much easier to implement solution for you all:
Time-limited tokens. You could create an access token for the purposes of publication that does not require 2fa and is valid for the next 5 or 10 minutes. Then use that during the various publications.
Creating the token would require 2fa, but using it would not. And it would auto-delete itself after it times out.
This would be a great feature for monorepos managed through lerna and similar, since you’ll want to publish a potentially large number of packages, which might cause the 2FA to time out during the process.
I also requested a feature to enable 2FA on a package level; if this is implemented, it would be great if time-limited tokens could somehow be an exception to this rule. Basically: if I try to publish a single module using npm publish, require me to verify my npm token with 2FA, but if I want to publish many packages, allow me to create a time-limited token using 2FA and publish all the packages with that token.