Modify 2FA docs based on review

karenjli · karenjli · commit 88e9a6eb81e5 · 2025-10-31T11:08:52.000-04:00
diff --git a/content/integrations/integrating-npm-with-external-services/using-private-packages-in-a-ci-cd-workflow.mdx b/content/integrations/integrating-npm-with-external-services/using-private-packages-in-a-ci-cd-workflow.mdx
@@ -50,7 +50,7 @@ If trusted publishing is not available for your CI/CD provider, you can create a
 - Set short expiration dates for tokens with bypass 2FA enabled
 - Consider using IP address restrictions to limit where the token can be used
 - Regularly audit and rotate tokens with bypass 2FA capabilities
-- **Prefer trusted publishing over bypass 2FA tokens when possible**
+- Use trusted publishing instead of bypass 2FA tokens whenever possible
 
 </Note>
 
diff --git a/content/packages-and-modules/securing-your-code/requiring-2fa-for-package-publishing-and-settings-modification.mdx b/content/packages-and-modules/securing-your-code/requiring-2fa-for-package-publishing-and-settings-modification.mdx
@@ -10,6 +10,16 @@ You may also choose to allow publishing with either two-factor authentication _o
 
 For CI/CD workflows, consider using [trusted publishing](/trusted-publishers), which provides secure, token-free publishing that automatically enforces strong authentication without requiring manual token management.
 
+<Note>
+
+**Important notes about granular access tokens:**
+
+- **When bypass2FA is true**: The token will bypass all 2FA requirements at all times, regardless of account-level or package-level 2FA settings
+- **When bypass2FA is false (default)**: The system will check account-level and package-level settings to determine if 2FA is required
+- When "disallow tokens" is selected at the package level, granular access tokens cannot be used regardless of their bypass 2FA setting
+
+</Note>
+
 ## Configuring two-factor authentication
 
 1. <>{shared['user-login'].text}</>
@@ -36,17 +46,5 @@ For CI/CD workflows, consider using [trusted publishing](/trusted-publishers), w
 
 5. Click **Update Package Settings**.
 
-## Granular access token behavior with 2FA
-
-<Note>
-
-**Important notes about granular access tokens:**
-
-- **When Bypass2FA is true**: The token will bypass all 2FA requirements at all times, regardless of account-level or package-level 2FA settings
-- **When Bypass2FA is false (default)**: The system will check account-level and package-level settings to determine if 2FA is required
-- When "disallow tokens" is selected at the package level, granular access tokens cannot be used regardless of their bypass 2FA setting
-
-</Note>
-
 [config-2fa]: configuring-two-factor-authentication
 [creating-granular-access-token]: creating-and-viewing-access-tokens#creating-granular-access-tokens-on-the-website
