Two-Factor Authentication
Two times the security. Twice as secure. Right? Well, that only matters if the base level of security is strong to begin with. At Cloudsmith, security is one of our paramount concerns. We apply our collective years of experience across different disciplines, such as financial technology and Internet startups, to package management. You can see this in the architectural DNA of the service, such as how we process packages away from the front-end, and in our use of front-end security techniques such as Content Security Policy (CSP), HTTP Strict Transport Security (HSTS), etc.
We provide support for two-factor authentication via a TOTP (Time-based One-time Password Algorithm) device, such as Google Authenticator, LastPass Authenticator, etc.
Once you've completed enrolment (i.e. registration of your device with us), you will be challenged to authenticate via the device after social or password-based login. You do this by entering a 6-digit pin that your device presents. If you forget your 6-digit pin, we also offer a recovery service using disposable tokens.
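How a service can check the 6-digit code and the disposable recovery tokens described above, as an added example that is not Cloudsmith's code. It assumes RFC 6238 TOTP over HMAC-SHA1 with 30-second steps, a one-step drift window and replay rejection; the `SecondFactor` class, its method names and the sample secret and token are hypothetical.

```python
import hashlib
import hmac
import struct

STEP = 30    # seconds per time step (RFC 6238 default, assumed here)
DIGITS = 6   # the 6-digit code the page describes


def totp(secret: bytes, unix_time: int, digits: int = DIGITS) -> str:
    """RFC 6238 TOTP: HOTP (RFC 4226) keyed on the current time step."""
    counter = struct.pack(">Q", unix_time // STEP)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


class SecondFactor:
    """Per-user state: shared secret, last accepted step, hashed recovery tokens."""

    def __init__(self, secret: bytes, recovery_tokens: list):
        self.secret = secret
        self.last_step = -1
        # Store only digests so a leaked table does not reveal usable tokens.
        self.recovery = {hashlib.sha256(t.encode()).hexdigest() for t in recovery_tokens}

    def verify_code(self, code: str, now: int, window: int = 1) -> bool:
        """Accept a code from the current step +/- window, never one step twice."""
        for drift in range(-window, window + 1):
            step = now // STEP + drift
            if step <= self.last_step:
                continue  # this step (or a later one) was already used: replay
            expected = totp(self.secret, step * STEP)
            if hmac.compare_digest(expected.encode(), code.encode()):
                self.last_step = step
                return True
        return False

    def use_recovery_token(self, token: str) -> bool:
        """Disposable token: accepted once, then discarded."""
        digest = hashlib.sha256(token.encode()).hexdigest()
        if digest in self.recovery:
            self.recovery.discard(digest)
            return True
        return False


if __name__ == "__main__":
    user = SecondFactor(b"12345678901234567890", ["constructed-token-1"])  # constructed sample
    print(user.verify_code(totp(user.secret, 59), now=59))
```

The drift window tolerates a device clock that is one step off, and tracking the last accepted step stops a captured code from being reused inside its validity period.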
If you're a member of an organization with "Owner" permissions, you can also Enforce Enrolment of Two-Factor for everyone in the organization.
A 2FA flag in the organization members' list tells you whether each member has two-factor enabled or not.
If you enforce enrolment and a User hasn't yet enrolled, they will not be able to access any of the pages for the organization (e.g. they can't view or manipulate packages). If you are security conscious, please consider enabling this.