PyPI security work: multifactor auth progress & help needed

To quote the blog post:

To further increase the security of Python package downloads, we’re adding a new beta feature to the Python Package Index: WebAuthn support for U2F compatible hardware security keys as a two-factor authentication (2FA) login security method. This is thanks to a grant from the Open Technology Fund, coordinated by the Packaging Working Group of the Python Software Foundation.

Starting today, PyPI also supports (in beta) WebAuthn (U2F compatible) security keys for a second login factor. A security key (also known as a universal second factor, or U2F compatible key) is hardware device that communicates via USB, NFC, or Bluetooth. Popular keys include Yubikey, Google Titan and Thetis. PyPI supports any FIDO U2F compatible key and follows the WebAuthn standard. Users who have set up this second factor will be prompted to use their key (usually by inserting it into a USB port and pressing a button) when logging in. (This feature requires JavaScript.)

a screenshot of the 2FA setup screen, with documentation and a place to name your key

We need your help testing this while it’s in beta. Later this week I’ll publicize it to some more communities, and then in maybe 10 days, assuming we can quickly fix all the urgent bugs we find, we’ll remove the “beta” badge.

During this testing period, if things go awry, there’s a chance we will need to wipe tokens from users’ accounts, so if you choose to try it, please be forewarned. That’s why you have to have a PyPI-verified email address on your user account before trying the feature, to make potential account recovery smoother.

Thanks to the Open Technology Fund for funding this work. The list of our progress reports is at the Packaging Working Group’s wiki page.

1 Like

Thanks for the regular updates @sumanah!

Is anyone giving out USB-A WebAuthn keys? I don’t have one and it’d be nice to be able to secure pip’s PyPI package with 2FA instead of, like, just my password.

Use TOTP on your phone. Like FreeOTP+

Summary: In June, to use different people’s time well, we parallelized our work a bit. The multifactor auth task within Milestone 1, Security Feature Development is getting a lot closer to done – we shipped the beta of WebAuthn support and are actively seeking out test subjects and fixing bugs based on their input – but we also started work on API keys and on accessibility.

2FA: Users can now use U2F keys to better secure their accounts! Yay WebAuthn! As the beta proceeds (and thanks to @nlhkabu for the beta badge and FAQ), we’ve been fixing issues – the funded contractors @nlhkabu and @woodruffw, as well as @EWDurbin at the PSF with review help from @dustin and @dstufft, so thanks to them and to the folks who filed issues! Some 2FA improvements from the past month:

Testing: @nlhkabu and I have been seeking out users from a variety of backgrounds during the beta. I’ve been asking package maintainers to test the beta and file issues. She’s started a fresh round of user tests with more novice Python users to validate our current 2FA design, and has started collating responses to turn into GitHub issues.

Accessibility: Also last month, @woodruffw audited Warehouse’s accessibility. We’re actually a lot more solid there than I worried we’d be! A lot of credit there is due to @nlhkabu, who committed our current accessibility guidelines for developers three years ago yesterday. But we still found things to fix, and started to address them through both research and implementation (annotating the search form correctly, increasing link visibility, fixing a tabindex).

API keys: We had a chat to make some design decisions on scoped API keys, and Will’s made substantial progress on a work-in-progress PR (not ready for review yet). To quote Will’s summary:

We’re going to work with macaroons from the very beginning, and not go with dumb API keys as I proposed above…

In order to minimize the amount of time spent on implementation, I intend to deliver a [proof of concept] version without constraints or a caveat language. This deliverable will meet the requirements of the [Statement of Work] (allowing users to replace their username/password with a single token for upload only), and will serve as the foundation for future iterations. Upload-only enforcement will be handled by route whitelisting and a version identifier within the macaroon, preventing future iterations from inadvertently creating “god” tokens.

And, as project manager, I led a planning meeting, coordinated volunteers and contractors for testing, code contribution, security design review and code review, reached out to external communities for further testing, planned issues and milestones for upcoming grant-funded work, reviewed pull requests, triaged feature requests that are out of scope, and added documentation.

Thanks to volunteers ppiyakk2, @trishankatdatadog, robindboer, @yeraydiazdiaz, @alex_Gaynor, minho42, @dustin, and @dstufft in particular for writing & reviewing Warehouse code in the past few weeks! (Including fixes to email validation, window scrolling, the 2FA token form field, and Docker image cleaning.)

Next: In July we aim to finish this round of user tests, fix resulting bugs, and declare WebAuthn support out of beta, and thus complete the MFA task within Milestone 1. We also aim in July to make further progress on accessibility, and on API keys, but I don’t know whether either of those will be complete in July.

Please help us out:

Sorry that this was for a month rather than a fortnight; next summary update will be in more like 2 weeks.

Thanks to Open Tech Fund for their support for the PyPI & Warehouse work!

@sumanah It was a pleasure hacking on Warehouse with friends and yourself! Let me know how else I can help…

1 Like

Summary: In the last two weeks, we’ve made major progress on the multifactor auth milestone and substantial progress on accessibility. Adventurous developers can test out user-scoped and project-scoped API keys for Warehouse right now, and PyPI and Test PyPI are already more accessible.

(@nlhkabu and @woodruffw have been collaborating on all this.)

2FA: Our WebAuthn/U2F key support for two-factor auth is still in beta. That’s partly because Nicole ran several user tests and found user experience confusion that she’s now fixed. And it’s because we still need to fix an Edge issue, a Chrome issue, and an accessibility issue. I am looking forward to sending the “out of beta!” mail to the announcement list but I don’t have an estimate.

Also, check out the new FAQ: we now “Allow anonymous WebAuthn attestation”: “allows users to use TouchID and other methods that don’t use separate public keys.” Thanks, Will!

Uploading to PyPI with an API key: Will’s pull request is ready for you to test it, if you’re adventurous and you’re comfortable setting up a Warehouse developer environment on your computer! In case you haven’t tested this kind of feature locally before, here’s how.

Accessibility: Check out the milestone! Nicole’s already fixed several issues so our sites are already friendlier to people who use screenreaders, and to color-blind and color-impaired users.

Also a shout-out to Nicole for fixing this image rendering issue.

Next up: finishing up the WebAuthn beta, improving the upload API keys feature to the point where we can release it as a beta on both PyPI sites, and finishing up the accessibility milestone. We still have some security work to come, specifically the audit log. And then the localization work.

Thanks to volunteers @gpshead, @EWDurbin, @dstufft, @dustin, @alex_Gaynor, sayanarijit, and @yeraydiazdiaz in particular for writing and reviewing Warehouse code in the past two weeks!

Please help us out: please spread the word in your work and developer circles that two-factor auth is available on PyPI. Lots of people don’t know yet! Example:

Thanks again to the Open Technology Fund for making this work possible!

2 Likes

I saw that Tidelift mentioned this thread saying we’d listed some 2FA improvement GitHub issues that need help. So here are two:

Also, hey package maintainers & owners: what should owners be able to see in an audit log that maintainers shouldn’t be able to see? We’re working on that feature pretty soon.

You can now use API tokens to upload packages to PyPI and Test PyPI! Warning that this is a beta feature. More details on the wiki and PyPI’s help section.

This is a first step to enforcing that Users with Two-Factor Authentication enabled will require API Tokens to upload, rather than just their password sans second factor.

Once the beta period for API Tokens is complete, we will notify parties with Two-Factor Authentication enabled that uploads for their projects will require API Tokens. After a suitable waiting period we will then begin to enforce this restriction and include a notice in the error message returned to clients.

Please do test this while it’s in beta. Lead developer William Woodruff says, “Our current auth-policy is drop-in compatible with Twine and distutils. When using a token, your “username” will be @token and your “password” will be the token itself.” So, if your token is pypi:Ab9GpH-H5y your command will be:

twine upload --repository-url https://test.pypi.org/legacy/  -u @token -p pypi:Ab9GpH-H5y dist/*

(but actual tokens are 160+ characters long).

API tokens also support scoping! To ensure that your newly created tokens only contain the minimum permissions they require, make sure to select the package you’d like to use them with on the creation page. By default, newly created tokens will have “user” scope, meaning that they’ll behave exactly like your password. Once created, the permissions associated with a token cannot change, the token can only be revoked.

We’d particularly like testing from:

  • Orgs that automate uploads using continuous integration
  • People who save PyPI credentials in a .pypirc file
  • Windows users
  • People on mobile devices
  • People on very slow connections
  • Organizations where users share an auth token within a group
  • 4+ maintainers or owners for one project
  • Use an unusual TOTP app or U2F token
  • Usually block cookies and JavaScript (note that you can’t set up a U2F key without JavaScript)
  • Maintain 20+ projects
  • Created PyPI account 6+ years ago
5 Likes

Worked for me. I put the token in ~/.pypirc and uploaded a new release of cryptacular. I like it.

:white_check_mark: 20+ projects
:white_check_mark: PyPI account is old as dirt
:white_check_mark: .pypirc

2 Likes

Are there plans to change this default so that using such a strong token is not the default so that people have to opt into it? (I’m no security expert so this is more inquisitive.)

1 Like

I tried to make a a beta release for geck… and realized I had just pasted my other api token, whoops.

Now I have the correct one and everything works great :+1: Excellent job everyone!

Great question @brettcannon - I filed an issue to follow up.

Thanks to everyone who’s been testing the new feature!

2 Likes

Uploaded a pet project with flit. Works great; just need to set FLIT_USERNAME and FLIT_PASSWORD envs variables, and Token with single project scope.

  • People who save PyPI credentials in a .pypirc file
  • Maintain 20+ projects (but only tried 1 project so far)

Try also to modify the token or the username and the upload was (almost) corectly refused with non-cryptic error messages. :+1:

1 Like

:white_check_mark: Orgs that automate uploads using continuous integration

Deployed fine to Test PyPI and production PyPI from Travis CI with API tokens scoped to a single project. Created the API token and encrypted with travis encrypt "pypi:A..."

One gotcha: if deploying to both Test PyPI and PyPI, remember to create an individual API token on both servers!

2 Likes

I have a feature request of this: Please make it possible to scope the token to multiple projects.

The reason for this: I have a project (PyObjC) that generates multiple distributions on PyPI, which currently requires either a user-scoped token, or multiple tokens.

@ronaldoussoren, would you mind filing a feature request?

As a workaround in the meantime, you could create a separate pyobjc-deployer user that has the “Maintainer” role for all these projects, and create an account-wide token for that user instead.

1 Like

Sure. I’ll file a feature request later this week.

A blog post about API tokens, with screenshots, is up at blog.python.org & mirrored to the PSF blog & tweeted. Please spread the word!

Heads-up for people trying the beta of uploading with API tokens:

  • The Travis problem in #6287 means we’ll probably be changing the token prefix and the username you use for uploads. We may also end up changing other stuff. It’s a beta!
  • Here’s where I’m tracking what we need to fix before I declare the beta done.

Summary: In the last two weeks, we’ve deployed a beta of the API upload key feature, and made more progress on accessibility and multifactor auth.

2FA: So, first off, thanks for helping spread the word about 2FA. The percentage of logins to PyPI that use 2-factor auth:

  • May overall: 2.25%
  • June overall: 3.08%
  • July overall: 4.54%
  • August so far: 11.61%

We aren’t out of the WebAuthn support beta yet because we’re still fixing stuff, like UI, instruction text, and email verification guidance, and the beta badge.

API tokens: We launched the beta of scoped upload API tokens and started getting the word out to get testing, and started fixing things like the syntax of the username and token prefix used to upload, and using normalized project names. On regular PyPI, 106 users have created a total of 123 tokens since launch. 55 tokens are scoped to a single project, while 68 are scoped with the same upload privileges as the creating user (permissions for all of the user’s projects). That’s very helpful as we shake the bugs out – thank you!

Audit log: We made initial decisions on our audit log architectural design and @woodruffw has a work-in-progress pull request that we’re reviewing now (doesn’t yet have UI/UX, or complete tests for results of event recording calls). I believe we’re on track to deploy a beta of this feature this month.

Accessibility: And we kept making accessibility improvements: removing directional copy, fixing a11y in project management tables, defining type on buttons, updating markup on the classifiers page, fixing a11y on the error/404 page, and so on. Pretty soon I’ll be coordinating with @nlhkabu to get some user testers, especially people who use screenreaders, to find the next round of issues.

Scope: We’re trying to keep things scoped pretty tight, so we confirmed that some nice-to-have features are out of scope for this grant.

Thanks: thanks to @alex_Gaynor, sayanarijit, serhii73, @hugovk, @pganssle, Dustin, Ernest, Donald, @webknjaz, graingert, and minho42 who contributed code or reviews recently, and thanks to @nedbat, jheld, Carreau, ZaxR, @ronaldoussoren, glyph, johnsyweb, & bryevdv for opening bugs!

How you can help:

  • Please keep an eye on your email if you have been testing API tokens. As we change token format, if you have a token that we’re invalidating, we’ll notify you.
  • If you or someone you know has accessibility needs for websites (vision, motor control, or otherwise), and might have 30 minutes for Nicole to walk through a user test with them, please introduce them to Nicole.

More in two weeks! Ongoing notes on the wiki.

1 Like