I tried logging in and got:
A login attempt was made from an unrecognized device.
To complete your login, please visit the following link from the same device from which you attempted to log in:
Log in · PyPI********
Get the email like above. and then it gives me
Error:
Session invalidated. I tried three times with 2-factor auth and even changed my password.
I’m also seeing
We noticed you are attempting to log in from a new or previously unrecognized device.
even though I’m on the same network and same device that I’ve logged in with last week.
However, the link in the email I (immediately) received works, and displays the friendly
Your login has been confirmed and this device is now recognized.
message.
Did you try clearing your browser’s cache, cookies, and other sticky things, already?
Edit: Hmm, the security history in my PyPI account looks a bit odd to me:
I can imagine that the 127.0.0.1 is not what’s intended to be shown. It isn’t useful information at least. Maybe it’s completely unrelated, but it just struck me as odd, so I figured it might relevant info 
. (Oh and don’t worry about me doxxing myself; this same info is publicly shown on my gh profile.)
I wondered if this was due to the latest version of Firefox this week (which logged me out of all my accounts). But I was able to log in after giving a TOTP code and clicking the confirmation link emailed to me.
With the Email_sent events, I also see:
127.0.0.1
No User-Agent
Perhaps there’s just no useful information in the logs that’s relevant for that column?
From the user’s POV, can that column entry show the browser header / finger print of request forwarded by the log-in attempt that triggered the email confirmation, so we can check they’re the same, and not automated by something else, not necessarily using PyPi’s front end? Or is it triggered on the back end, so such a Sent_Email security event will always be associated with an unrecognised log-in event?
