by vladvasiliu 1482 days ago
You don't need a phone to have multi-factor. You presumably have a PC if you're contributing to a package, so you can use a computer-based OTP generator, like Authy.

Sure, if your computer gets owned, it won't help, but it's still much better than nothing and practically free.

1 comments

What happens if tomorrow my laptop falls into the pool? Or gets stolen? I know the password of my password manager and my main emails, but for npm with 2FA I would either be:

- Locked out of npm because I don't have the 2FA key anymore

- Recover my 2FA with my email (which totally defeats the point of 2FA)

- Be asked for some government ID to prove who I am (again a no-no)

Don't you routinely back up your laptop?

In case you don't, you can write down the seeds of the OTPs on a piece of paper. Which you leave at home or at a friend's house or similar. The principle being that you won't lose both your laptop and piece of paper at the same time.

edit: for a "good enough" approach you can probably store your 2FA codes in your password manager, for which you have, presumably, some kind of backup.
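
Why a seed written on paper is enough to recover, as an added example that is not part of any comment in this thread: a standard TOTP code (RFC 6238) is computed from nothing but the seed and the current time, so a replacement device given the same seed produces the same codes. The seed below is the published RFC 6238 test secret; the "paper" transcription and the function names are constructed for illustration.

```python
import base64
import hashlib
import hmac
import struct
import time

# Constructed sample: the RFC 6238 test secret ("12345678901234567890") in base32,
# as an authenticator app would store it on the laptop.
LAPTOP_SEED = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
# The same seed as someone might copy it onto paper: lowercase, grouped in fours.
PAPER_SEED = "gezd gnbv gy3t qojq gezd gnbv gy3t qojq"


def decode_seed(written: str) -> bytes:
    """Decode a base32 seed, tolerating spaces, dashes, case and missing padding."""
    cleaned = written.replace(" ", "").replace("-", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)  # base32 input must be a multiple of 8 chars
    return base64.b32decode(cleaned)


def totp(seed: bytes, unix_time: int, digits: int = 6, step: int = 30) -> str:
    """RFC 6238 TOTP with HMAC-SHA1: HOTP (RFC 4226) over the time-step counter."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(seed, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation: low nibble of the last byte
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def codes_match(seed_a: str, seed_b: str, unix_time: int) -> bool:
    """True when two stored copies of a seed yield the same code at a given time."""
    return totp(decode_seed(seed_a), unix_time) == totp(decode_seed(seed_b), unix_time)


if __name__ == "__main__":
    now = int(time.time())
    print("laptop:", totp(decode_seed(LAPTOP_SEED), now))
    print("paper: ", totp(decode_seed(PAPER_SEED), now))
    print("same code:", codes_match(LAPTOP_SEED, PAPER_SEED, now))
```

The seed is the entire secret, so the paper copy or password-manager entry needs the same protection as the authenticator it replaces.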