Is webauthn the multi-factor / 2FA spec to implement now? It's now approved; so while you experts are working on it it may be worth a look to just implement webauthn while we have funding for experts

Discourse mentions FIDO. FIDO2 is webauthn, AFAIU.

There are a number of implementations:

On Friday, March 22, 2019, Sumana Harihareswara <> wrote:
Work has started on the Open Technology Fund-supported project to improve Warehouse security, accessibility, and internationalization. More details in today's progress report:

Sumana Harihareswara
Warehouse project manager
Changeset Consulting
Distutils-SIG mailing list --
To unsubscribe send an email to
Message archived at