diff --git a/lib/index.js b/lib/index.js
index 93fbcad..fe5cfd2 100644
--- a/lib/index.js
+++ b/lib/index.js
@@ -767,6 +767,11 @@ class Config {
     const nerfed = nerfDart(uri)
     const creds = {}
 
+    const deprecatedAuthWarning = [
+      '`_auth`, `_authToken`, `username` and `_password` must be scoped to a registry.',
+      'see `npm help npmrc` for more information.',
+    ].join(' ')
+
     const email = this.get(`${nerfed}:email`) || this.get('email')
     if (email) {
       creds.email = email
@@ -780,10 +785,13 @@ class Config {
       // cert/key may be used in conjunction with other credentials, thus no `return`
     }
 
-    const tokenReg = this.get(`${nerfed}:_authToken`) ||
-      nerfed === nerfDart(this.get('registry')) && this.get('_authToken')
+    const defaultToken = nerfDart(this.get('registry')) && this.get('_authToken')
+    const tokenReg = this.get(`${nerfed}:_authToken`) || defaultToken
 
     if (tokenReg) {
+      if (tokenReg === defaultToken) {
+        log.warn('config', deprecatedAuthWarning)
+      }
       creds.token = tokenReg
       return creds
     }
@@ -818,6 +826,7 @@ class Config {
     const userDef = this.get('username')
     const passDef = this.get('_password')
     if (userDef && passDef) {
+      log.warn('config', deprecatedAuthWarning)
       creds.username = userDef
       creds.password = Buffer.from(passDef, 'base64').toString('utf8')
       const auth = `${creds.username}:${creds.password}`
@@ -832,6 +841,7 @@ class Config {
       return creds
     }
 
+    log.warn('config', deprecatedAuthWarning)
     const authDecode = Buffer.from(auth, 'base64').toString('utf8')
     const authSplit = authDecode.split(':')
     creds.username = authSplit.shift()
diff --git a/test/index.js b/test/index.js
index 91f2318..e9149e8 100644
--- a/test/index.js
+++ b/test/index.js
@@ -1005,18 +1005,27 @@ t.test('nerfdart auths set at the top level into the registry', async t => {
       email,
     }],
     // handled invalid/legacy cases
-    'username, no _password': [`username=${username}`, {}],
-    '_password, no username': [`_password=${_password}`, {}],
+    'username, no _password': [`username=${username}`, {}, true],
+    '_password, no username': [`_password=${_password}`, {}, true],
     // de-nerfdart the email, if present in that way
     'nerf-darted email': [`//registry.npmjs.org/:email=${email}`, {
       email,
-    }],
+    }, true],
   }
 
+  const logs = []
+  const logHandler = (...args) => logs.push(args)
+  process.on('log', logHandler)
+  t.teardown(() => {
+    process.removeListener('log', logHandler)
+  })
   const cwd = process.cwd()
-  for (const [name, [ini, expect]] of Object.entries(cases)) {
+  for (const [name, [ini, expect, noWarn]] of Object.entries(cases)) {
     t.test(name, async t => {
-      t.teardown(() => process.chdir(cwd))
+      t.teardown(() => {
+        process.chdir(cwd)
+        logs.length = 0
+      })
       const path = t.testdir({
         '.npmrc': ini,
         'package.json': JSON.stringify({}),
@@ -1041,6 +1050,10 @@ t.test('nerfdart auths set at the top level into the registry', async t => {
       const c = new Config(opts)
       await c.load()
       t.same(c.list[3], expect)
+      if (!noWarn) {
+        t.equal(logs.length, 1, 'logged 1 message')
+        t.match(logs[0], /must be scoped to a registry/, 'logged auth warning')
+      }
     })
   }
 })