PyPI Requires 2FA for New User Registrations

unpopular thought perhaps, but with this many companies&#x2F;teams <i>mandating</i> MFA (especially to technical people, who should already know how to create secure passwords, not use them on more than one site, not spread them around, etc):<p>The pressure of all of these MFA inputs, especially for products that expire them even on a trusted device&#x2F;browser, is eventually going to push people into the arms of convenient &quot;password managers&quot;.<p>This will effectively nullify the &#x27;something you have&#x27; in MFA because it&#x27;ll all be available on your one single device again.<p>Even worse, it&#x27;ll present <i>multiple</i> high-value targets now, from the centralized server&#x2F;sync side (ie lastpass) down to individual devices.<p>Put another way: if you&#x27;re storing the passwords in the same place as the MFA secrets, then it&#x27;s not actually MFA anymore.<p>It&#x27;s not that PyPI is wrong to do this, it&#x27;s that the weight of <i>everyone</i> mandating MFA will eventually either push people away or force them to work around draconian or onerous security requirements.

PyPi let an old employer take over my account and hasn&#x27;t been responding for nearly two years.<p>They told me they&#x27;d investigate but have been ghosting me since. I sent several requests to have my account restored but they just won&#x27;t answer.

This has been a long time coming, and will keep PyPI closely aligned with improving practices on the source host side as well[1].<p>[1]: <a href="https:&#x2F;&#x2F;github.blog&#x2F;2023-03-09-raising-the-bar-for-software-security-github-2fa-begins-march-13&#x2F;" rel="nofollow noreferrer">https:&#x2F;&#x2F;github.blog&#x2F;2023-03-09-raising-the-bar-for-software-...</a>

Hey Mike, can you support renaming secure authenticators (Two factor methods)? Github is a great example wrt UX around this specific experience: <a href="https:&#x2F;&#x2F;github.blog&#x2F;wp-content&#x2F;uploads&#x2F;2023&#x2F;07&#x2F;key_list.png?w=768" rel="nofollow noreferrer">https:&#x2F;&#x2F;github.blog&#x2F;wp-content&#x2F;uploads&#x2F;2023&#x2F;07&#x2F;key_list.png?...</a> (from <a href="https:&#x2F;&#x2F;github.blog&#x2F;2023-07-12-introducing-passwordless-authentication-on-github-com&#x2F;" rel="nofollow noreferrer">https:&#x2F;&#x2F;github.blog&#x2F;2023-07-12-introducing-passwordless-auth...</a>).<p>Appreciate the efforts to secure the software supply chain!

Any chance of signed builds returning? It&#x27;s bizarre to me that we would move _away_ from signed builds.<p>2FA means we can trust the person that logged in - but we still don&#x27;t trust that PyPI is being honest (no offense).

I hate these 2FA mandates. I don&#x27;t use PyPI, but I do use GitHub, which has also announced a 2FA mandate.<p>I use my GitHub account to make bug reports, small pull requests, and silly personal projects. It is not that important. I want to sacrifice security for convenience on it, and that should be my choice.<p>I also do not agree with the argument this secures the supply chain because:<p>1. It ignores supply-chain attacks from people who already have repository access.<p>2. Most big companies (ie. Google) are probably already using 2FA.<p>3. And if people are automatically pulling code from random people&#x2F;groups without checking it... maybe that&#x27;s what actually needs to be banned.

I&#x27;m personally annoyed by 2FA.<p>Most importantly, as a normal person, I&#x27;m more inclined to go through security hoops with internet banking and payments, and much less so for every single website that exists.

Awesome stuff, I really hope others follow suit.

Will there be a way to determine is a package has all owners 2FA enrolled? Maybe even a public key that is linked to the account? It would be good to have an API queryable mechanism linking identity with signing.

Wonder if PyPI will ever get reproducible builds.<p><a href="https:&#x2F;&#x2F;reproducible-builds.org&#x2F;" rel="nofollow noreferrer">https:&#x2F;&#x2F;reproducible-builds.org&#x2F;</a>

I see the list of &quot;management actions&quot; does not explicitly include project or account deletion (after 2FA imposed), anyone know if those will be included?

Why is the 2fa rollout going at such a glacial pace ? In July last year it was announced that the top 1% projects contributors had to use 2fa. It it because of pushback from the developpers, or maybe because it is not as easy it it seems ? I&#x27;m just curious, I am in now way involved in this.

Good

Hopefully they support Passkeys sometime soon.