PyPI security work: multifactor auth progress & help needed

I also think this would be terrific, is there a link to information about using biometrics in the meantime? I also procured some of the hardware keys, but I am thinking of using them for project owner/service accounts rather than my personal maintainer account. It would be much nicer to use Touch ID for that if possible.

Your reaction agrees with the first part of my second paragraph :wink:. Some kind of documentation on what kind of 2FA tokens/apps can be used would be most welcome, especially when this would give guidance on which are more secure (e.g. “I can use face/fingerprint ID or TOTP, which should I pick?”).

BTW, I wouldn’t necessarily trust what I write about tokens, I’ve dived a little deeper than you but don’t consider myself to be an expert here. I know just enough to be dangerous.

:slightly_smiling_face:

One of the more frustrating things about security discussions from an “end user” point of view is that the experts are prone to stressing how important it is to be secure, and how bad things can happen if you don’t take precautions (all of which is true, of course) but fail to explain what is a reasonable level of safe practice, leaving non-expert end users with nothing but an impression that the sky is falling.

@steve.dower’s comment above, “it seems like a ‘who was least-recently hacked’ decision”, is exactly the problem here - all we ever hear is what’s bad, not what’s good. And the people in a position to offer informed advice are reluctant to do so, in case they get blamed when things go wrong (as they inevitably do).

I don’t have time right now, but we can most likely add docs to Warehouse, can someone open an issue?

And yes, Warehouse “just” implements WebAuthN, it’s up to the browser to expose WebAuthN using whatever devices it has available, which can include biometric.

Generally speaking, all of the methods supported by PyPI are secure enough, but TOTP (the thing with the 6-digit code you type in) isn’t phishing-proof (e.g. someone can phish you and trick you into typing in the 6-digit number), so in an ideal world everyone would use some form of WebAuthN (which, on PyPI, is everything but TOTP).
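To make the distinction in the post above concrete, here is an added example (written for this page, not code from the thread or from Warehouse) that runs the two relay attacks side by side. The TOTP half is RFC 6238 exactly. The WebAuthn half is a simplified model of the relying-party checks: the origins are hypothetical, `pypi.org` is used only as the relying-party ID in the example, and an HMAC stands in for the authenticator's public-key signature so the example runs offline with the standard library. The point it shows is that a TOTP code carries nothing identifying where it was typed, while a WebAuthn assertion has the browser's actual page origin baked into the signed `clientDataJSON`, so the real site rejects anything signed on a phishing page.

```python
"""Added example: relaying a TOTP code succeeds, relaying a WebAuthn assertion fails."""
import base64
import hashlib
import hmac
import json
import struct

# ---- TOTP (RFC 6238: HMAC-SHA1, 30 s step, 6 digits) -------------------------

def totp(secret_b32: str, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """Compute the RFC 6238 code for a base32 secret at a given Unix time."""
    key = base64.b32decode(secret_b32, casefold=True)
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp_login(server_secret_b32: str, submitted: str, now: int, skew: int = 1) -> bool:
    """Server-side check with the usual +/-1 step tolerance."""
    return any(hmac.compare_digest(totp(server_secret_b32, now + d * 30), submitted)
               for d in range(-skew, skew + 1))


def phish_totp(user_secret_b32: str, now: int) -> bool:
    """Relay attack: the user types the code into a phishing page and the attacker
    forwards it to the real site a few seconds later. The code says nothing about
    which site it was typed into, so the real site accepts it."""
    code_typed_into_phish_page = totp(user_secret_b32, now)
    return totp_login(user_secret_b32, code_typed_into_phish_page, now + 5)


# ---- WebAuthn-style assertion: the page origin is part of what gets signed ----

RP_ID = "pypi.org"                                # relying-party ID used in this model
RP_ORIGIN = "https://pypi.org"                    # origin the RP expects (example value)
PHISH_ORIGIN = "https://pypi.org.evil.example"    # hypothetical phishing host
RP_ID_HASH = hashlib.sha256(RP_ID.encode()).digest()


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def authenticator_sign(credential_key: bytes, page_origin: str, challenge: bytes) -> dict:
    """Browser + authenticator side. The browser writes the *actual* page origin
    into clientDataJSON; the authenticator signs authData || SHA-256(clientDataJSON).
    ASSUMPTION: HMAC stands in for the real public-key signature."""
    client_data = json.dumps(
        {"type": "webauthn.get", "challenge": _b64url(challenge), "origin": page_origin},
        separators=(",", ":")).encode()
    auth_data = RP_ID_HASH + b"\x05" + b"\x00\x00\x00\x01"  # rpIdHash | flags UP+UV | signCount
    signed = auth_data + hashlib.sha256(client_data).digest()
    return {"clientDataJSON": client_data, "authenticatorData": auth_data,
            "signature": hmac.new(credential_key, signed, hashlib.sha256).digest()}


def rp_verify(credential_key: bytes, assertion: dict, expected_challenge: bytes) -> bool:
    """Relying-party checks, abbreviated from the WebAuthn assertion procedure:
    type, challenge, origin, rpIdHash, then the signature."""
    cd = json.loads(assertion["clientDataJSON"])
    if cd.get("type") != "webauthn.get" or cd.get("challenge") != _b64url(expected_challenge):
        return False
    if cd.get("origin") != RP_ORIGIN:        # this check is what defeats the relay
        return False
    auth_data = assertion["authenticatorData"]
    if auth_data[:32] != RP_ID_HASH:
        return False
    signed = auth_data + hashlib.sha256(assertion["clientDataJSON"]).digest()
    expected = hmac.new(credential_key, signed, hashlib.sha256).digest()
    return hmac.compare_digest(expected, assertion["signature"])


def legit_webauthn(credential_key: bytes, challenge: bytes = b"\x11" * 32) -> bool:
    """Normal login: the assertion is produced on the real origin."""
    return rp_verify(credential_key, authenticator_sign(credential_key, RP_ORIGIN, challenge), challenge)


def phish_webauthn(credential_key: bytes, challenge: bytes = b"\x11" * 32) -> bool:
    """Relay attack: the phishing page forwards the real site's challenge to the
    user's key. (A real browser would already refuse, since the page domain does
    not match RP_ID; even if it did not, the origin recorded in clientDataJSON is
    the phishing one, so the relying party rejects the assertion.)"""
    return rp_verify(credential_key, authenticator_sign(credential_key, PHISH_ORIGIN, challenge), challenge)


if __name__ == "__main__":
    # Constructed inputs: the RFC 6238 test secret and an arbitrary credential key.
    print("TOTP relay accepted:    ", phish_totp("GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ", 1_700_000_000))
    print("WebAuthn legit accepted:", legit_webauthn(b"k" * 32))
    print("WebAuthn relay accepted:", phish_webauthn(b"k" * 32))
```

The `totp()` function reproduces the RFC 6238 reference vector (secret `12345678901234567890` at T=59 gives `94287082`, whose last six digits are `287082`), so the TOTP side is not a toy. The WebAuthn side deliberately omits attestation, counters and key lookup; only the origin and rpIdHash checks that make the scheme phishing-resistant are modelled.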

@dstufft the Warehouse devs closed the issue asking that I open it against packaging.python.org. New issue now opened at Document best practices for securely managing projects · Issue #1148 · pypa/packaging.python.org · GitHub

If it gets closed there, I’ll give up. I do think it’s something that Python should document, and not just defer to others or expect developers to work it out for themselves, if we want to actively work on improving the reliability of the packaging ecosystem, but I appreciate that everyone’s time is limited, and it’s not a subject I want to make an issue out of.