Announcement: 2FA now required for PyPI

Hello,

As previously announced, PyPI now requires a form of Two-factor Authentication (2FA) for all users.

Today’s blog post contains more details.

Thank you for your continued efforts to make PyPI more secure for everyone.

14 Likes

From the post:

It’s January 1st, 2024, and PyPI now requires Two-factor authentication (2FA) for all users.

Initially I was confused because I didn’t see where in the announcement it explained how to do this.

It turns out that such documentation is at the link in this opening sentence. In case it wasn’t clear from others.

So the first thing I notice is that apparently I should research a bunch of authentication applications I’m not familiar with, and choose one. Okay, fine, I’m on a Linux desktop, so presumably I want one of the ones at the bottom, I don’t even mind compiling something. But even those options look, from their promotional material, like they’re oriented towards use on a smartphone. I don’t own one of those.

Reading a bit further, I find:

Note: If you lose your authentication application and can no longer log in, you may permanently lose access to your account. You should generate and securely store recovery codes to regain access in that event…

We recommend that all PyPI users set up at least two supported two-factor authentication methods and provision recovery codes.

But also:

For security reasons, PyPI only allows you to set up one application per account.

So I assume that this means I am expected to set up one auth application and then one “security device”, which seems to mean exclusively hardware solutions like Yubikey. A lot of people don’t already own anything like that; I personally am not very interested in spending money (at least $25 USD, and prices are quoted at me in USD even though the site detects that I live in Canada) for proprietary hardware from the manufacturer’s own site, just for something like this. (Well, Google at least quotes me a price in CAD, and Thetis seems to have a sale on at the moment.) Or some other options, but I’m pretty sure I don’t have any of them, and they seem to require a fair bit of research.

On the other hand, it doesn’t appear that 2FA is involved in the process of authenticating with an API token, which allows for uploading packages. And it’s not immediately clear why I should need to be logged in via the HTML interface; I can apparently still upload packages programmatically, and I can browse package listings while logged out.

This part is also unclear to me:

To set up 2FA with an authentication application: … Log in to your PyPI account, go to your account settings, and choose “Add 2FA with authentication application”

Next time you log in to PyPI you’ll need to:

Suppose I’m currently not logged in. Does “next time” mean after setting up 2FA, or will it be part of the login flow already? In the former case, what exactly happens if I don’t choose to set up a 2FA method? In the latter case, how can I use the authentication application if I haven’t added it to the account yet?

3 Likes

You could look into oathtool, I think. I haven’t tried it because I do have a TOTP app on my phone - and as you’ve noted “we can have only one”, but it’s packaged for several distros and should be usable.

I wouldn’t say “should” as much as “it’s recommended” that you have two ways to get a 2FA code. This can also be 2 hardware keys. But if you just set up TOTP on an app then you can if you’re comfortable w/ that.

But you have to log in to generate that token to begin with.

I believe after. Think of it like when you’re forced to reset a password: log in normally, and then you’re asked to update. Until it’s done the login flow will just keep asking you to set up 2FA.

2 Likes

Have my existing tokens been invalidated? I can’t recall having to generate a new one for each upload or anything like that.

Probably not as that would break a ton of people w/o adding better security if tokens are supported (if you leak a token then 2FA won’t help anyway).

3 Likes

On Help · PyPI, I read

“API tokens provide an alternative way (instead of username and password) to authenticate when uploading packages to PyPI.”

Is that still true, or are they the only way now that 2FA is required? Is username + password still possible somehow?

2 Likes

That help text is out of date; the only ways to upload a package to PyPI are now API tokens or Trusted Publishing (which uses short-lived API tokens internally).

I’ll send a PR to update the help page in a moment.

5 Likes

Ok, thank you. I guess that twine documentation needs to be updated too, and potentially its UI – if the username must now always be __token__ on PyPI, it might be good to avoid asking a username at all when the index is PyPI, and ask “Token:” instead of “Password:”?

7 Likes


Yes, this makes sense to me! twine isn’t maintained by the same set of people as PyPI itself, but I’ll file an issue with them to see about coordinating changes here.

3 Likes

Fixes to PyPI’s help page are here: warehouse/help: fixup API token guidance by woodruffw · Pull Request #15130 · pypi/warehouse · GitHub

2 Likes

I left a comment on Use API tokens by default for PyPI · Issue #561 · pypa/twine · GitHub.

1 Like

Cool, I missed that issue entirely. I’ll follow up there!

1 Like

Just to tie a knot here: twine has merged the refinements for the mandatory 2FA case: twine: use API tokens by default on PyPI by woodruffw · Pull Request #1040 · pypa/twine · GitHub

5 Likes