# What is CFA?

{% hint style="danger" %}
**In light of** [**planned changes to npm token management**](https://github.blog/changelog/2025-09-29-strengthening-npm-security-important-changes-to-authentication-and-token-management/) **announced by GitHub, the Electron team has decided to deprecate the Continuous Factor Authentication project.**

**We recommend migrating your projects to** [**Trusted publishing for npm packages**](https://docs.npmjs.com/trusted-publishers)**.**
{% endhint %}

CFA stands for Continuous Factor Authentication. Its core goal is to enable the use of two-factor authentication (2FA) for automated package publishing, improving the security of the Node.js ecosystem.

At Electron, we've been using [semantic-release](https://github.com/semantic-release/semantic-release) to automate the release of various `@electron/` packages on npm. However, [semantic-release requires you to use npm's `auth-only` 2FA level](https://semantic-release.gitbook.io/semantic-release/usage/ci-configuration#authentication-for-plugins), meaning publishing itself cannot be placed behind two-factor authentication.

CFA solves this problem by providing a secure means to deliver a 2FA token to CI builds while keeping 2FA turned on for write operations such as `npm publish`.

### How does it work?

In a typical [2FA model](https://en.wikipedia.org/wiki/Multi-factor_authentication), there is **"something you know"** and **"something you have"**. For [npm 2FA](https://docs.npmjs.com/configuring-two-factor-authentication), which relies on time-based one-time passwords (TOTPs):

* You **know** your npm auth token
* You **have** the TOTP generator

At a high level, CFA is just a proxy for the existing 2FA process. It safely mediates between a given CI build and you by validating the CI build in two ways: it checks the build's CFA token, and it forces the build to "prove" that it is actually the one asking for an OTP.

If you want to understand how the "prove it" part of that flow works, the CFA repository has a [Flow Diagram](https://github.com/continuousauth/web/blob/main/docs/proof-process.png) that walks through the proof process.

### Is it completely automated?

CFA is 99% automated. The final step of giving a CI build a 2FA token requires human interaction **by design**. CFA never wants to know your 2FA secret: that should be something you keep control of and protect as much as you can. When CFA is happy with a CI build, we will use whichever [Responder](https://docs.continuousauth.dev/usage/responders) you configured to ask you (the human) for a TOTP.
