PyPI security work: multifactor auth progress & help needed
Work has started on the Open Technology Fund-supported project to improve Warehouse security, accessibility, and internationalization. More details in today's progress report: https://discuss.python.org/t/pypi-security-work-multifactor-auth-progress-he...

best,
Sumana Harihareswara
Warehouse project manager
Changeset Consulting
Is webauthn the multi-factor / 2FA spec to implement now? It's now approved; so while you experts are working on it, it may be worth a look to just implement webauthn while we have funding for experts.
https://www.w3.org/TR/webauthn/

Discourse mentions FIDO. FIDO2 is webauthn, AFAIU.

There are a number of implementations:
https://pypi.org/search/?q=webauthn
https://github.com/topics/webauthn

On Friday, March 22, 2019, Sumana Harihareswara <sh@changeset.nyc> wrote:
Work has started on the Open Technology Fund-supported project to improve Warehouse security, accessibility, and internationalization. More details in today's progress report:
https://discuss.python.org/t/pypi-security-work-multifactor-auth-progress-help-needed/1042/2
best,
Sumana Harihareswara
Warehouse project manager
Changeset Consulting
Further progress, and requests for your opinions, in today's summary: https://discuss.python.org/t/pypi-security-work-multifactor-auth-progress-he...

Wes: thanks - I have linked to your suggestion and linked resources within https://github.com/pypa/warehouse/issues/996 but, good news, folks working on this task have already mentioned WebAuthn, so it is on the table.

--
Sumana Harihareswara

On Fri, Mar 22, 2019, at 10:37 PM, Wes Turner wrote:
Is webauthn the multi-factor / 2FA spec to implement now? It's now approved; so while you experts are working on it it may be worth a look to just implement webauthn while we have funding for experts
https://www.w3.org/TR/webauthn/
Discourse mentions FIDO. FIDO2 is webauthn, AFAIU.
There are a number of implementations:
https://pypi.org/search/?q=webauthn
https://github.com/topics/webauthn
Further progress in today's summary: https://discuss.python.org/t/pypi-security-work-multifactor-auth-progress-he...

Short version: Work continues on Milestone 1, Security Feature Development, and specifically on the Multi-Factor Authentication task. TOTP-based 2FA is about to roll out for everyone, and we're working on WebAuthn (e.g., Yubikeys).

--
Sumana Harihareswara
Changeset Consulting
https://changeset.nyc
I've summarized the last couple weeks of progress on Discourse: https://discuss.python.org/t/pypi-security-work-multifactor-auth-progress-he...

Short version: TOTP-based 2-factor auth has rolled out as a login option for everyone on PyPI.org and Test PyPI, WebAuthn support (for Yubikeys and similar things) is coming this month and maybe as early as next week, and we're also going to parallelize work a bit and start accessibility auditing and improvements.

--
Sumana Harihareswara
Changeset Consulting
https://changeset.nyc
I've summarized the last month of work on Discourse: https://discuss.python.org/t/pypi-security-work-multifactor-auth-progress-he...

Short version: we're fixing bugs found in the WebAuthn beta; we've made key design decisions for upload-scoped API keys and have started implementation; and we've started improving Warehouse's (already surprisingly good) accessibility.

--
Sumana Harihareswara
Changeset Consulting
https://changeset.nyc
The last 2 fortnightly work summaries are on Discourse:
https://discuss.python.org/t/pypi-security-work-multifactor-auth-progress-he...
https://discuss.python.org/t/pypi-security-work-multifactor-auth-progress-he...

Short version: We have deployed a beta version of scoped upload API tokens for PyPI, and made progress on improving 2FA and accessibility, and started the audit log feature.

And we need your help to test the new API tokens feature. If you've uploaded packages to PyPI before, and https://blog.python.org/2019/07/pypi-now-supports-uploading-via-api.html makes sense to you, please get in touch with our UX researcher and designer, Nicole Harris, via https://calendly.com/nlhkabu/pypi-testing for a 30-minute structured conversation/user test.

--
Sumana Harihareswara
Warehouse/PyPI project manager
Changeset Consulting
https://changeset.nyc