Summary: API tokens and all our 2FA methods are out of beta!
The auth security features we worked on, funded by the Open Tech Fund – two-factor authentication methods and API tokens for upload – are now out of beta on PyPI!
If you maintain or own a project on the Python Package Index, you should start using these features. Click “help” on PyPI for instructions (2FA, tokens).
(These features are also available on Test PyPI.)
Future: In the future, PyPI will set and enforce a policy requiring users with two-factor authentication enabled to use API tokens to upload (rather than just their password, without a second factor). We do not yet know when we will make this policy change.
Help us out: We’d love your help refining and implementing related features & fixes:
- 2FA: “trust this device for 30 days” option
- implement 2FA recovery codes
- log failed authentication attempts for audit trail?
- Expose ‘user’ scoped API tokens in project security history?
- “login” or dry-run validity check for tokens (and “API to verify upload ability without actually uploading” #5865)
- Project-scoped API tokens should be accessible from project settings
- Fill API token form when user arrives from manage project page
Thanks to the Open Technology Fund for funding this work. And thanks to all the folks I’ve thanked earlier in this thread.
And more donor-funded work is in progress on pip and PyPI; other threads will have progress reports & details.
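The post points to PyPI's help pages for setup instructions; as a concrete illustration (added here, not part of the original post or of PyPI's own documentation), the following is a `~/.pypirc` configured for token-based upload with twine. It relies on the public PyPI convention that an API token is used with the literal username `__token__`; the token value shown is a placeholder, and the project-scoped section name and repository names are assumptions for the sake of the example.

```ini
# ~/.pypirc (example configuration, not from the original post)
# Register two upload targets so the same file works for Test PyPI and PyPI.
[distutils]
index-servers =
    pypi
    testpypi

# Token-based upload to PyPI: the username is always the literal "__token__",
# and the password is the API token itself (placeholder below).
[pypi]
repository = https://upload.pypi.org/legacy/
username = __token__
password = pypi-REPLACE_WITH_YOUR_PROJECT_SCOPED_TOKEN

# Same scheme for Test PyPI, which issues its own, separate tokens.
[testpypi]
repository = https://test.pypi.org/legacy/
username = __token__
password = pypi-REPLACE_WITH_YOUR_TEST_PYPI_TOKEN
```

With this file in place, `twine upload dist/*` targets the `[pypi]` section and `twine upload -r testpypi dist/*` targets Test PyPI, so the account password is never used for uploads. Prefer a project-scoped token over an account-wide one where the project already exists, restrict the file to the owning user (`chmod 600 ~/.pypirc`), and revoke a token from the PyPI account settings if it is ever exposed; because a token is only for upload, it cannot be used to log in to the web interface or change account settings.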