PyPI account recovery process triaging on halt

Hello,

I crashed my phone in early October and lost my 2FA codes and access to PyPI.

So I added an issue in the pypi/support issue tracker on GitHub, but it’s now been over 3 months and I have not seen any activity in the issue tracker since late September of last year. The issue tracker mentions that it can take a while, but it’s been on full halt for almost 4 months at this point.

That has put a halt to any updates of my projects on PyPI, which is annoying to me, but not the end of the world (unless a security issue appears in one of my projects or dependencies).

With the recent announcement of making 2FA mandatory, I suspect the frequency of those issues will grow.

So I would like to know: how can we improve this process? I am willing to volunteer in triaging bugs or anything that could free some time.

It looks like this particular task is dependent on one or two humans.

On a side note, GitHub has some interesting approaches to automate this reset process:

Thanks
Tarek


Previous discussion: Is PEP 541 still the correct solution?


As a follow-up question: how many volunteers are currently able to do the 2FA triaging and resolution?
Looking at the tracker, it seems to be a single person.

Thanks @jeanas. Welp, does that mean that if I am locked out for a long period, I could lose all my projects? :confused:

And you did not save the 2FA recover codes somewhere secure?

The heads-up for other people is: make sure you have all your 2FA recovery codes backed up securely.


My backup was corrupted. If I had them, I would be able to unlock the account. I assume that the majority of people adding an issue are in the same case.


Most services I interact with that started requiring 2FA very quickly also added a “reset your 2FA by E-mail confirmation” or similar feature after getting inundated with support requests from users whose fallback key backups were corrupted (or more likely just disregarded the big bold text that said to back them up).

Does this basically gut the additional security gains from requiring 2FA? Maybe. But few organizations want to pay people to be pass^H^H^H^Hkey reset monkeys, and practicality beats security pretty much everywhere I look.


This. This right here. I save my 2FA recovery codes into a completely independent system on one of my servers, unrelated to where I keep my actual 2FA secrets, so that - in a worst case scenario - the odds of both being lost simultaneously are vanishingly low.


I usually save everything in my Bitwarden account, but I did not for this one; I don’t recall why. I also started to use a YubiKey for most 2FA and failed to make it work for PyPI; I don’t recall the details. I did not try too hard then.

Call me old-fashioned, but I don’t store my MFA backup codes to anything important on my machine, or in Bitwarden—instead, I print them on dead trees and store them in my safe, and that of a trusted relative who lives a long ways away. I also have at least ≈3 U2F keys for any given account (out of my 2 Titans and 2 modern-ish Yubikeys), one in my wallet, one in my backpack and 2 in my safe, or if not possible a U2F key and a TOTP key in an encrypted Aegis vault on my phone. Took an hour or two to set up for everything that really mattered, but it’s been a lifesaver and a huge boon to my peace of mind ever since.


Sounds like good practices. I would also love to hear from the project maintainers about how to improve the process. I would love to volunteer and help but I had no answer on any channel.


Well, I’m guessing that PyPI folks will only give this kind of access to people who already have a track record of contributions to Warehouse. Which is understandable, given how much power being able to transfer projects gives you on PyPI.

In other words, I’m not surprised you didn’t get responses to “how do I go from now to being able to handle these requests”, because I don’t think there’s any process for that which doesn’t start with “you’re already a familiar face”.

@tarekziade I hope you don’t mind, I edited the title of this thread to include “PyPI” (in the hope it attracts attention from the people who have control over PyPI and this kind of thing).

Sure, yeah. But if the volunteers who can do something about this don’t, the problem is not going away. I found issues about that problem from 2020.


Thanks a lot @sinoroc

This is an ongoing issue in the whole of packaging. Volunteer resource is incredibly limited, and trust requirements are extremely high, meaning that adding new volunteer resource is extremely difficult (mentoring potential new contributors is another thing the existing volunteers don’t have time to do :slightly_frowning_face:). The growth in both the amount and the importance of packaging activity has far outstripped our ability to do anything about it, unfortunately. And while some sort of funded work to get us out of this situation is potentially a solution, funding simply doesn’t seem to be available - and I’m not sure there’s anyone able to manage any funding that did get offered (much less go actively looking for funding).

I don’t know what the solution is here, but I do fear we’re rapidly reaching a crisis point in Python packaging :frowning_face:


Yeah, that’s unfortunate… I am not sure what the best course of action is. I think it’s also a matter of picking priorities and trust in that project.

Priorities: since PyPI is supposed to serve the community, I think it would be fair to help people who have had projects on PyPI for decades, since 2FA is a new requirement, and not just say that they should have been careful and it’s on them.

Trust: I find it quite alarming that there are only one or two people on earth able to deal with this, not willing or able to delegate that task – and overwhelmed by it.


It’s not that we’re not willing to delegate the task, it’s more that the task requires a high level of trust, and most of the people who we already trust are equally as busy or not interested in taking on that additional role.

I think (but I could be wrong), one of the goals with some of the sustainability work wrt paid features on PyPI has been to have PyPI start generating revenue which we could use, in part, to hire someone whose explicit role is to manage support issues like this.


I am curious to understand what your criteria for “high level of trust” are. Is it because you have to ssh to prod to query the database? Can’t this be isolated via dumps/syncs?

Technically, I am still a Python core dev even if I don’t contribute much these days, and you know me.
I am volunteering to do triaging 2h per weekend until all bugs are triaged.

On a side note, I consider that this specific task is part of the 2FA feature. So making 2FA mandatory on PyPI with no guarantee that people can recover their locked account sounds like a problem.

Example of one developer who has been waiting for a long time trying to fix a TOTP issue:

Cheers


This is a recurring difficulty with important open source projects.

xkcd: https://xkcd.com/2347/