# What is CFA?

{% hint style="danger" %}
**In light of** [**planned changes to npm token management**](https://github.blog/changelog/2025-09-29-strengthening-npm-security-important-changes-to-authentication-and-token-management/) **announced by GitHub, the Electron team has decided to deprecate the Continuous Factor Authentication project.**

**We recommend migrating your projects to** [**Trusted publishing for npm packages**](https://docs.npmjs.com/trusted-publishers)**.**
{% endhint %}

CFA stands for Continuous Factor Authentication. Its core goal is to enable the use of two-factor authentication (2FA) for automated package publishing, improving the security of the Node.js ecosystem.

At Electron, we've been using [semantic-release](https://github.com/semantic-release/semantic-release) to automate the release of various `@electron/` packages on npm. However, [semantic-release requires you to use npm's `auth-only` 2FA level](https://semantic-release.gitbook.io/semantic-release/usage/ci-configuration#authentication-for-plugins), meaning package publishing cannot sit behind two-factor authentication.

CFA solves this problem by providing a secure means to deliver a 2FA token to CI builds while keeping 2FA turned on for write operations such as `npm publish`.

### How does it work?

In a typical [2FA model](https://en.wikipedia.org/wiki/Multi-factor_authentication), there is **"something you know"** and **"something you have".** For [npm 2FA](https://docs.npmjs.com/configuring-two-factor-authentication), which relies on time-based one-time passwords (TOTPs):

* You **know** your npm auth token
* You **have** the TOTP generator

At a high level, CFA is just a proxy for the existing 2FA process. It safely mediates a connection between a given CI build and you by validating the CI build through both a CFA token and by forcing the CI build to "prove" it is actually asking for a token.

If you want to understand how the "prove it" part of that flow works, there is a [Flow Diagram](https://github.com/continuousauth/web/blob/main/docs/proof-process.png) in the CFA repository that explains how it works.

### Is it completely automated?

CFA is 99% automated. The final step of giving a CI build a 2FA token requires human interaction **by design**. CFA never wants to know your 2FA secret—that should be something you keep control of and protect as much as you can. When CFA is happy with a CI build, we will use whichever [Responder](https://docs.continuousauth.dev/usage/responders) you configured to ask you (the human) for a TOTP.
