Are there downsides to doing this? This was my first thought - though I also recognize that first thoughts are often naive.
replyYou don't want "project had X users so it's less safe" to suddenly transition into "now this software has X*10 users so it has to change things", it's disruptive.
replyTOTP although venerable was better than no second factor at all.
replyTOTP isn't phishing resistant
replyNo it's not but it's better than nothing. Don't let the perfect be the enemy of the good.
replyTOTP seems effectively useless for npm so that seems fine to me
reply