Thanks for the question! npm is moving away from TOTP primarily due to security concerns and not because of any preference toward proprietary or “closed” systems.
TOTP codes can be phished or intercepted, especially during targeted supply-chain attacks. Attackers can trick users into entering their one-time codes on fake sites, or capture them in real time and immediately reuse them. For a large package ecosystem like npm, this risk is significant because account compromise can lead to widespread malicious package publication.
FIDO/WebAuthn-based 2FA provides strong protection against these attacks. These methods are phishing-resistant, since authentication is bound to the legitimate domain and the private key never leaves the user’s device. This is why many ecosystems (npm, GitHub, Google, GitLab, etc.) are standardizing around them.
Regarding accessibility:
WebAuthn support has expanded widely — Linux distributions and Firefox do support hardware keys and WebAuthn flows, but some setups may require additional configuration. npm is continuing to improve support and documentation for these environments.
To summarize:
Why phase out TOTP? It’s still better than nothing, but it’s vulnerable to phishing and real-time interception.
Why WebAuthn/FIDO? They are phishing-resistant, more secure for a large software registry, and now broadly supported across platforms.
Accessibility? The shift isn’t intended to exclude users; compatibility on Linux and open-source browsers is supported and continually improving.
Hope this helps clarify the reasoning behind the transition!