Require MFA on PyPI?


We could start by blocking uploads with account passwords and user-scope token, and require either MFA login or a project scope token. This would stop people from putting their account password in their ~/.pypirc or GHA.

IMHO Twine and PyPI should deprecate password logins for uploads and only support token logins for uploads to PyPI.


This is what npmjs is doing as well; there are special-purpose tokens solely for uploads. Of course those can still be compromised, but it’s better than the current situation.

IIUC, this is something that we already want to do. There’s open issues on pypa/warehouse discussing this, and breaking it down into smaller more incremental changes:

There’s other stuff related to tokens that we’d might want to resolve at the same time: Issues · pypa/warehouse · GitHub

I guess requiring it across the site for everyone, is not something that has come up on those issues, so… I don’t know whether pushing everyone to have 2FA before being able to upload is considered a worthwhile idea (the main concern being how do we roll this out, rather than should we do this).


This is exactly my point though. API tokens, while scoped, are still
only single-factor authentication like passwords. So uploading will
not require multiple authentication factors, only the WebUI will?

To be clear, requiring interactive MFA for uploading releases would
be a disaster for automated release processes, so I’m simply trying
to make sure nobody’s actually proposing that. Thanks.


I’m certainly not! But I wouldn’t rule out (the availability of) significantly shorter timed upload tokens (e.g. 1-30 days) that require MFA to generate. That way a leaked token is far less damaging than a 12 month, all access one.

Perfect! These are what I was hoping to find, and apparently totally blanked on using “2FA” as a search term rather than MFA :frowning:

1 Like

These are more about giving maintainers the ability to require 2FA for their projects collaborators, not PyPI itself requiring some subset of projects to use 2FA, like npm is doing.

I also don’t think the latter is something that we’re currently able to do: not for some technical reason, but because PyPI does not currently have a large support staff like npm/GitHub/Microsoft does. Account recovery requests due to lost 2FA are already a huge drain on staff/volunteer resources due to how time-consuming they are and their sensitive nature. A 2FA mandate at this time, without having support staff, would likely eventually result in an overwhelming backlog of requests.


But time-scoping them like that will still break workflows if your project isn’t that active. If I set up automated releases, but I only do a release a couple of times a year, then a month-long expiry on a token will kill that workflow.

I do agree with the sentiment of stopping accepting user passwords and account-wide tokens for uploads.

The workflow may be automated, but surely kicking it off is not? The first step of starting an otherwise-automated process could be getting a new token.

I agree with Brett. Time-scoping prevents some abuse, but it wouldn’t prevent immediate abuse of a token. If somebody gets hold of the project token for urllib3, then that person can do a lot of harm in a very short time.

Instead of time-scoping I suggest an optional two-step release process. In the first step automation uses a project-scoped token to create a new staging release and upload artifacts. In the second a human needs to log-in with MFA and press the release button. The workflow allows users to automate all the annoying bits and still require MFA for the actual release.


In the case of projects I work on, where everything is driven from
code review and continuous integration, we’d likely implement a job
which confirmed the token was still valid immediately prior to
attempting to use it, in order to block release requests from
merging and triggering attempts to upload new artifacts to PyPI
until $HUMAN does the thing with its fingers to 2FA generate a new
token and replace the old one in job definitions. Is there a
mechanism to test a token or otherwise check its validity?


Instead of time-scoping I suggest an optional two-step release
process. In the first step automation uses a project-scoped token
to create a new staging release and upload artifacts. In the
second a human needs to log-in with MFA and press the release
button. The workflow allows users to automate all the annoying
bits and still require MFA for the actual release.

That sounds like a great option, but definitely not something I’d
want to see required for every project on PyPI. I work in a
community which has volunteer release managers approving dozens (and
sometimes hundreds) of release requests a week on demand. Requiring
them to all have access to PyPI accounts and click buttons in a
browser would be a step backwards.

I’m with you and just put the optional in “optional two-stage process” in bold letters. :slight_smile:

It’s definitely within the realm of possibility.

If your package is wrapping something else off and you automate releases based on that upstream project doing releases, you could the whole process be automated and not have to touch a thing.

You could do a release automatically after every merged PR.

There’s plenty of scenarios where releases do not necessarily require a manual trigger where you’re going to want to go to PyPI and generate a new token every time.

Out of scope for this discussion, but a better solution would be an app authentication, like an OAuth flow. Long term automation shouldn’t really be authenticated with static passwords/tokens

This is exactly what Hypothesis does:

This is all thanks to our continuous release process. We’ve completely automated the process of releasing, so every pull request that changes code gets a new release, without any human input.

:grinning_face_with_smiling_eyes: Hypothesis also has a weekly automated PR, and “auto-merge if CI passes” is an obvious extension. I’d highly recommend both auto-releases and auto-weekly-maintainence to anyone, they’re lovely workflows.

Personally I’d like to keep using long-lived and non-interactive tokens, but would be happy to adopt other restrictions like “only allowed to publish new package versions with a later version number” to exclude attacks which add new wheels, or .post1 versions, or 1.9999 to get anyone who has pinned to pkg < 2.

More broadly, it sounds like we have a couple of good ideas that are largely blocked on (funding for) implementation in Warehouse. In particular, I don’t see much point discussing whether we should require MFA when projects can’t yet opt-in to enforcement!

I do strongly support blocking uploads from passwords or user-scope tokens, especially but not only for users with MFA enabled. Valuable even as an opt-in.

@pradyunsg - can I suggest adding MFA-and-token-related enhancements to the fundables page? They do seem to meet the criteria, and e.g. the OpenSSF might be interested.


That sounds perfect to me. Ideally I would like a UI where I can see what files are uploaded and their checksums and I can download them for sanity checking before signing off.

I stopped just short of enabling automated uploads for SymPy releases because I didn’t quite figure out a good way to control access for which contributors would be able to trigger the upload process from GHA. When I considered this I was worried about accidental triggers as well as malicious ones. Controlling access at PyPI rather than GHA is much simpler to audit because the number of people with PyPI access is much smaller. I would also be happier working on the release script itself if I knew that the final publish step could not possibly happen automatically (debugging a script that I definitely don’t want to fully execute makes me a bit nervous).

I agree that this should be optional but it’s definitely an option I would choose.


And… now, we seem to be discussing Draft release feature on main archive to allow testing a release before it goes live · Issue #726 · pypa/warehouse · GitHub :slight_smile:

Yep, that’s a good idea! I’m not on the PSF’s Packaging-WG (who maintain that repository), though I’m sure a PR would be welcome.

What about packages that are uploaded with a gpg signature?

Wouldn’t validating the signature provide more security than MFA?
Isn’t MFA is really a proxy for the security of the package artifact.

This would also require pip to download and make validation of signatures easier/automatic but it seems to provide better supply chain


The PyPI maintainers have long expressed a dislike for OpenPGP as a
means of establishing provenance or attestation for packages. The
accepted plan to solve it is instead integration of TUF (The Update
Framework) per PEP 458:

Authentication of users to the platform serves a separate purpose;
it can be used not only to upload new packages, but also to yank or
hide existing ones, or to delegate access to other accounts. While I
agree that some cryptographic attestation is desirable, it should be
in addition to strong authentication of accounts, not as a