unpopular thought perhaps, but with this many companies/teams <i>mandating</i> MFA (especially to technical people, who should already know how to create secure passwords, not use them on more than one site, not spread them around, etc):<p>The pressure of all of these MFA inputs, especially for products that expire them even on a trusted device/browser, is eventually going to push people into the arms of convenient "password managers".<p>This will effectively nullify the 'something you have' in MFA because it'll all be available on your one single device again.<p>Even worse, it'll present <i>multiple</i> high-value targets now, from the centralized server/sync side (ie lastpass) down to individual devices.<p>Put another way: if you're storing the passwords in the same place as the MFA secrets, then it's not actually MFA anymore.<p>It's not that PyPI is wrong to do this, it's that the weight of <i>everyone</i> mandating MFA will eventually either push people away or force them to work around draconian or onerous security requirements.
PyPi let an old employer take over my account and hasn't been responding for nearly two years.<p>They told me they'd investigate but have been ghosting me since. I sent several requests to have my account restored but they just won't answer.
This has been a long time coming, and will keep PyPI closely aligned with improving practices on the source host side as well[1].<p>[1]: <a href="https://github.blog/2023-03-09-raising-the-bar-for-software-security-github-2fa-begins-march-13/" rel="nofollow noreferrer">https://github.blog/2023-03-09-raising-the-bar-for-software-...</a>
Hey Mike, can you support renaming secure authenticators (Two factor methods)? Github is a great example wrt UX around this specific experience: <a href="https://github.blog/wp-content/uploads/2023/07/key_list.png?w=768" rel="nofollow noreferrer">https://github.blog/wp-content/uploads/2023/07/key_list.png?...</a> (from <a href="https://github.blog/2023-07-12-introducing-passwordless-authentication-on-github-com/" rel="nofollow noreferrer">https://github.blog/2023-07-12-introducing-passwordless-auth...</a>).<p>Appreciate the efforts to secure the software supply chain!
Any chance of signed builds returning? It's bizarre to me that we would move _away_ from signed builds.<p>2FA means we can trust the person that logged in - but we still don't trust that PyPI is being honest (no offense).
I hate these 2FA mandates. I don't use PyPI, but I do use GitHub, which has also announced a 2FA mandate.<p>I use my GitHub account to make bug reports, small pull requests, and silly personal projects. It is not that important. I want to sacrifice security for convenience on it, and that should be my choice.<p>I also do not agree with the argument this secures the supply chain because:<p>1. It ignores supply-chain attacks from people who already have repository access.<p>2. Most big companies (ie. Google) are probably already using 2FA.<p>3. And if people are automatically pulling code from random people/groups without checking it... maybe that's what actually needs to be banned.
I'm personally annoyed by 2FA.<p>Most importantly, as a normal person, I'm more inclined to go through security hoops with internet banking and payments, and much less so for every single website that exists.
Will there be a way to determine if a package has all owners 2FA enrolled? Maybe even a public key that is linked to the account? It would be good to have an API queryable mechanism linking identity with signing.
Wonder if PyPI will ever get reproducible builds.<p><a href="https://reproducible-builds.org/" rel="nofollow noreferrer">https://reproducible-builds.org/</a>
I see the list of "management actions" does not explicitly include project or account deletion (after 2FA imposed), anyone know if those will be included?
Why is the 2FA rollout going at such a glacial pace?
In July last year it was announced that contributors to the top 1% of projects had to use 2FA.
Is it because of pushback from the developers, or maybe because it is not as easy as it seems?
I'm just curious, I am in no way involved in this.