I also think this would be terrific, is there a link to information about using biometrics in the meantime? I also procured some of the hardware keys, but I am thinking of using them for project owner/service accounts rather than my personal maintainer account. It would be much nicer to use Touch ID for that if possible.
Document best practices for securely managing projects
**What's the problem this feature will solve?**

Many projects on PyPI are relied on by significant numbers of consumers. And supply chain integrity and the risks involved are very high profile these days - with little or no consideration being given to the fact that many developers are hobbyists, and have no real experience in securing high-value software. In particular, the average developer may not have sufficient knowledge or understanding of security practices and terminology in order to maintain their accounts securely.

**Describe the solution you'd like**

Documentation of good security practices for password management, use of 2FA and other tools such as biometrics, OS-level identity management, etc. This should be written for the end user, explicitly avoiding technical terms such as "webauthn" or "TOTP" in favour of descriptions that developers can relate to their working environment. In particular, care should be taken *not* to assume that users understand web application development, and may well be "scared off" certain technologies by reports in the media of hacking.

Documentation should cover:

* Best practices for password management, including recommendations of good tools to use.
* How to set up and manage 2FA, including what options are available and recommended approaches.
* OS and hardware supplied solutions such as biometrics.
* How to set things up so that working on multiple devices, both PC and mobile, is straightforward.
* Good practices for things like storing API keys, how to set up signing of releases, etc.

The documentation should be *specific*, recommending actual tools and devices, and should not assume that the reader is necessarily interested in doing their own research.
**Additional context**

Users working on Python projects as a hobby are unlikely to want to set up a complex software management environment, so advice on how to set up a minimal system, using as much as possible OS-supplied or commonly available components, would be important. Ideally, the document should *not* be restricted to just securing PyPI credentials, but should cover the whole software development supply chain, including github, CI and automated builds, etc.

It is important to have one definitive document that covers everything, and offers consistent[^1] and unified recommendations. If that means that this should not be hosted as part of the PyPI documentation, but somewhere else (as a blog post, or "best practices" document somewhere) and linked from the PyPI docs, then I'm fine with that.

See the thread starting at https://discuss.python.org/t/pypi-security-work-multifactor-auth-progress-help-needed/1042/51 for further context.

[^1]: A PyPI document recommending a tool that doesn't work with (say) github is no use, as it simply leaves me having to manage multiple tools/devices with no good information on how to unify them.