Announcement: 2FA now required for PyPI

Yes, or at least the protection afforded by 2FA does not help to prevent that. I assume the hacker would need their username and password and then to be able to intercept a confirmation email from PyPI.


Or they “just” need to hijack the user’s email account, and ask for password reset. Which is exactly the kind of attack that 2FA protects against (assuming it’s enabled :wink: ).

If you have maintainers on your projects that you are concerned about their status, you may remove them until such time you trust that the right person has control of their PyPI account with 2FA.

Thanks for the replies. For now it seems this has to be solved by projects on a case-by-case basis by contacting maintainers without 2FA enabled. This still begs the question of whether we can have a PyPI setting to make it mandatory at the project or organization level.

I guess the follow-up question is what “mandatory at the project or organization level” would look like.

It’s mandatory for new users already, so you’re asking about solving this specifically for accounts that existed before it became mandatory.

If making it mandatory for a specific project means no longer allowing those accounts to be able to perform actions for that project, then this is already possible, as it would be equivalent to the project owner removing them as collaborators and confirming with them later out-of-band that it’s safe to re-add them.

You’ve expressed concerns that if an account started out without MFA then you can’t necessarily trust that it was the account owner who configured MFA for it later, so any sort of automated reenabling of their control over the project would exceed your stated risk tolerance anyway. However, this is also exactly what happened for every user who already enabled it, so you might want to reach out to all of them if that’s really a worry you have.

Obviously a single project shouldn’t be able to disable a collaborator’s account globally, since that account might be used to collaborate on other projects with a higher tolerance for risk.


That’s a fair point. Then I guess a dedicated PyPI project option does not make much sense.

Perhaps some other action PyPI could take is gather all projects with some activity in the last N years and a maintainer with 2FA disabled, and e-mail all their maintainers to inform them of the risk? Most maintainers will not think about checking this otherwise (this only occurred to me by chance).


I think that’s a really good idea! Warehouse has an umbrella issue for sending more emails: Send more emails · Issue #13234 · pypi/warehouse · GitHub – I’ll add it there :slightly_smiling_face:

Edit: Send more emails · Issue #13234 · pypi/warehouse · GitHub
