We’ve begun rolling out a 2FA requirement: soon, maintainers of critical projects must have 2FA enabled to publish, update, or modify them. To ensure that these maintainers can use strong 2FA methods, we're also distributing 4000 hardware security keys! pypi.org/security-key-giveaw…

Jul 8, 2022 · 5:10 PM UTC

Who's eligible? Project eligibility is based on downloads: any project in the top 1% of downloads over the prior 6 months is designated as critical (as well as PyPI's own dependencies). Today, we’ve notified maintainers of those projects via email. But that's not all!
We've also enabled a feature that will allow any project to opt in to a 2FA requirement for its maintainers: this can be enabled in the settings for each individual project. This can be enabled/disabled for non-critical projects at any time.
Ensuring that the most widely used projects have these protections against account takeover is one step towards our wider efforts to improve the general security of the Python ecosystem for all PyPI users. You can track our progress on our dashboard: p.datadoghq.com/sb/7dc8b3250…
PS: If you're trying to redeem your code and getting 'Promo code doesn't apply', increase your quantity in the cart from 1 key to 2 keys! Our intention is for everyone to be able to have a secondary backup key in addition to their primary key.
Replying to @pypi
Hi, I received a key from pypi but the google store is rejecting it while purchasing a "Titan Security Key USB-C/NFC". Has the promo been enabled?
Replying to @pypi
Hi! How does that play out with token-based releases? E.g. releasing with __token__ via a CI pipeline. Is there a 2FA requirement applied in that case? Perhaps to the person who generated the API token?
Replying to @pypi
It seems like a bad precedent to exclude users who have previously enabled 2FA.
- If they've disabled it since, why exclude them?
- If it's still on, you're kinda punishing them for caring.
Also, U2F is better than TOTP.
Replying to @pypi
I mean, using a token to upload is already a thing…
Replying to @pypi
And when someone throws a fit over 2FA and deletes a widely-used project, you should restore that project, take ownership of it, and see who in the community wants to maintain it without being a gigantic baby over improved security.
Why would anyone oppose MFA?