PyPI announces 2FA for securing Python package downloads

0
1199
2 min read

Yesterday, Python’s core development team announced that PyPI now offers two-factor authentication to increase the security of Python package downloads and thus reduce the risk of unauthorized account access. The team announced that the 2FA will be introduced as a login security option on the Python Package Index.

We encourage project maintainers and owners to log in and go to their Account Settings to add a second factor”, the team wrote on the official blog.

The blog also mentions that this project is a “grant from the Open Technology Fund; coordinated by the Packaging Working Group of the Python Software Foundation.”

PyPI currently supports a single 2FA method that generates code through a Time-based One-time Password (TOTP) application. After users set up a 2FA on their PyPI account, they must provide a TOTP (along with your username and password) to log in. Therefore, to use 2FA on PyPI, users will need to provide an application (usually a mobile phone app) in order to generate authentication codes.


Currently, only TOTP is supported as a 2FA method. Also, 2FA only affects login via the website, which safeguards against malicious changes to project ownership, deletion of old releases, and account takeovers. Package uploads will continue to work without 2FA codes being provided.

Developers said that they are working on WebAuthn-based multi-factor authentication, which will allow the use of Yubikeys for your second factor, for example. They further plan to add API keys for package upload, along with an advanced audit trail of sensitive user actions.

A user on HackerNews answered a question, “Will I lock myself out of my account if I lose my phone?” by saying,  “You won’t lock yourself out. I just did a quick test and if you reset your password (via an email link) then you are automatically logged in. At this point you can even disable 2FA. So 2FA is protecting against logging in with a stolen password, but it’s not protecting against logging in if you have access to the account’s email account.

Whether or not that’s the intended behaviour is another question…”

To know more about the ongoing security measures taken, visit Python’s official blog post.

Read Next

Salesforce open sources ‘Lightning Web Components framework’

Time for data privacy: DuckDuckGo CEO Gabe Weinberg in an interview with Kara Swisher

Which Python framework is best for building RESTful APIs? Django or Flask?