Currently, as long as you're logged in, npm will not ask for password nor 2FA token for anything. You can change email, generate tokens, add/remove 2FA at will.