What is CFA?

CFA stands for Continuous Factor Authentication. It's core goal is to enable the usage of 2FA for automated package publishing to improve the security of the Node.js ecosystem.

How does it work?

At a high level CFA is just a proxy for 2FA, in a typical 2FA model there is "something you know" and "something you have". In the CFA model the "something you know" is still your NPM auth token, and the "something you have" is still the OTP generator. CFA just safely mediates a connection between the CI build and you by validating the CI build through both a CFA token and by forcing the CI build to "prove" it is actually asking for a token.

If you want to understand how the "prove it" part of that flow works there is a Flow Diagram in the CFA repository that explains how it works.

Is it completely automated?

CFA is 99% automated, the final step of giving a CI build a 2FA token requires human interaction by design. CFA never wants to know your 2FA secret, that should be something you keep control of and protect as much as you can. When CFA is happy with a CI build we will use whichever Responder you configured to ask you (the human) for an OTP.

‚Äč