CFA stands for Continuous Factor Authentication. Its core goal is to enable the usage of two-factor authentication (2FA) for automated package publishing to improve the security of the Node.js ecosystem.

At Electron, we've been using semantic-release to automate the release of various @electron/ packages on npm. However, semantic-release requires you to use npm's auth-only 2FA level, meaning package publishing cannot behind two-factor authentication.

CFA solves this problem by providing a secure means to deliver a 2FA token to CI builds while keeping 2FA turned on for write operations such as npm publish.

How does it work?

In a typical 2FA model, there is "something you know" and "something you have". For npm 2FA, which relies on time-based one-time passwords (TOTPs):

• You know your npm auth token

• You have the TOTP generator

At a high level, CFA is just a proxy for the existing 2FA process. It safely mediates a connection between a given CI build and you by validating the CI build through both a CFA token and by forcing the CI build to "prove" it is actually asking for a token.

If you want to understand how the "prove it" part of that flow works, there is a Flow Diagram in the CFA repository that explains how it works.

Is it completely automated?

CFA is 99% automated. The final step of giving a CI build a 2FA token requires human interaction by design. CFA never wants to know your 2FA secret—that should be something you keep control of and protect as much as you can. When CFA is happy with a CI build, we will use whichever Responder you configured to ask you (the human) for a Tting OTP.