Two Factor Authentication is Here!
Published on July 2, 2026 by Mariusz Czupryna


Lux v0.34.2聽

It's time for a new update post again! Lux has undergone many exciting changes and it's now speedier, more secure and more fully featured than ever.

This update brings a long-awaited feature that only recently got implemented by the luarocks.org site maintainers - 2FA. In this post we dissect how to set up 2FA in Lux and why it's important.

Why 2FA?


Over the past year there have been a plethora of attacks on popular package registries, especially npm.

These attacks hijack API tokens to impersonate authors of popular packages and inject packages used by millions of people with malware.

Because no registry is safe, the maintainers of luarocks.org have taken it upon themselves to implement two-factor authentication into their site. This means that every time you push a package, you need to supply an extra 6-digit code generated by an authenticator app like Aegis, Authy or any other TOTP application.

Setting up 2FA


We encourage absolutely everyone to set up 2FA on their account. Head over to https://luarocks.org/settings/two-factor-auth for instructions. Scan the QR code with your favourite authenticator app and congratulations, you're now protected against impersonation attacks!

Using 2FA in Lux


When uploading a package, open your authenticator app and grab the code. Then, simply add --tfa-code to your upload command:

lx upload --tfa-code "384562"

And voila, everything works just as it would earlier!

2FA in CI


If you're using a CI/CD engine that utilizes Lux for uploads, we have an alternative route for you.
When setting up 2FA on luarocks.org, copy the secret key shown under the QR code.

Next, set up an environment variable called LUAROCKS_2FA_SECRET and paste the secret key there - now Lux will automatically generate a 2FA code for you each time, no need to supply a key ever again!

NOTE: We only recommend doing this for CI environments. If the secret ever gets leaked, an attacker can impersonate and freely generate 2FA keys on your behalf. Be careful!

Extras


Apart from this highly anticipated feature, we've also implemented many other changes along the way:
1. Workspace support - Lux now supports multiple projects in the same folder (workspace)!
2. The Lux Lua API is now shipped with type definitions for rich LSP diagnostics.
3. lx fmt is now more predictable and can format individual files provided by the user instead of the entire project each time.
4. lx dist flat-archive is the first step towards making Lua projects trivial to package and distribute to others - all without them needing to clone or install a single thing.

Conclusion


We've been very excited to announce the recent changes to Lux with all of you! Lua continues to be a highly underrated language, even though it's used in numerous places. Let's give it the ecosystem it deserves. Cheers 馃嵒.