[docs] Update 2FA requirements for package publishing in user account setup

shmam · shmam · commit 6b84429e486a · 2025-11-24T13:20:56.000-05:00
diff --git a/content/getting-started/setting-up-your-npm-user-account/about-two-factor-authentication.mdx b/content/getting-started/setting-up-your-npm-user-account/about-two-factor-authentication.mdx
@@ -20,6 +20,16 @@ When you enable 2FA, you will be prompted for a second form of authentication be
 
 </Note>
 
+<Note variant="warning">
+
+**Important:** Publishing packages to npm now requires either:
+- Two-factor authentication (2FA) enabled on your account, OR
+- A [granular access token with bypass 2FA enabled][granular-tokens] (for CI/CD workflows)
+
+For more information, see "[Requiring 2FA for package publishing][pkg-2fa]."
+
+</Note>
+
 ## Two-factor authentication on npm
 
 Two-factor authentication on npm can be enabled for authorization and writes, or authorization only.
@@ -63,6 +73,7 @@ If you enable 2FA for authorization only. We will request a second form of authe
 [token-create]: https://docs.npmjs.com/cli/token
 [token-revoke]: https://docs.npmjs.com/cli/token
 [publish]: https://docs.npmjs.com/cli/publish
+[granular-tokens]: /creating-and-viewing-access-tokens
 [unpublish]: https://docs.npmjs.com/cli/unpublish
 [deprecate]: https://docs.npmjs.com/cli/deprecate
 [access]: https://docs.npmjs.com/cli/access
diff --git a/content/getting-started/setting-up-your-npm-user-account/configuring-two-factor-authentication.mdx b/content/getting-started/setting-up-your-npm-user-account/configuring-two-factor-authentication.mdx
@@ -6,6 +6,16 @@ import shared from '~/shared.js'
 
 You can enable two-factor authentication (2FA) on your npm user account to protect against unauthorized access to your account and packages using a [security-key][webauthn].
 
+<Note variant="warning">
+
+**Important:** Publishing packages to npm now requires either:
+- Two-factor authentication (2FA) enabled on your account, OR
+- A [granular access token with bypass 2FA enabled][creating-token] (for CI/CD workflows)
+
+If you plan to publish packages, you must enable 2FA or use a bypass 2FA token.
+
+</Note>
+
 ## Prerequisites
 
 Before you enable 2FA on your npm user account, you must:
@@ -193,6 +203,7 @@ The Twitter or GitHub account is now linked to your npm account. To remove the l
 [can-i-use]: https://caniuse.com/#search=webauthn
 [viewing-and-regenerating-recovery-code]: /recovering-your-2fa-enabled-account#viewing-and-regenerating-recovery-code
 [webauthn]: https://webauthn.guide/
+[creating-token]: /creating-and-viewing-access-tokens
 [u2f]: https://en.wikipedia.org/wiki/Universal_2nd_Factor
 [windows-hello]: https://support.microsoft.com/en-us/windows/learn-about-windows-hello-and-set-it-up-dae28983-8242-bb2a-d3d1-87c9d265a5f0
 [touch-id]: https://support.apple.com/en-gb/HT204587
