What is CFA?
CFA stands for Continuous Factor Authentication. Its core goal is to enable the usage of two-factor authentication (2FA) for automated package publishing to improve the security of the Node.js ecosystem.
At Electron, we've been using semantic-release to automate the release of various @electron/packages on npm. However, semantic-release requires you to use npm's auth-only 2FA level, meaning package publishing cannot be placed behind two-factor authentication.
CFA solves this problem by providing a secure means to deliver a 2FA token to CI builds while keeping 2FA turned on for write operations such as package publishing. The two factors remain:
- You know your npm auth token
- You have the TOTP generator
At a high level, CFA is just a proxy for the existing 2FA process. It safely mediates a connection between a given CI build and you by validating the CI build through both a CFA token and by forcing the CI build to "prove" it is actually asking for a token.
CFA is 99% automated. The final step of giving a CI build a 2FA token requires human interaction by design. CFA never wants to know your 2FA secret—that should be something you keep control of and protect as much as you can. When CFA is happy with a CI build, we will use whichever Responder you configured to ask you (the human) for a TOTP one-time password.