Dear PyPI users:
To increase the security of PyPI downloads, we have added
two-factor authentication (2FA) as a login security option,
and API tokens for uploading packages.
If you maintain or own a project on the Python Package Index
[pypi.org], you should start using these features. Click "help"
on PyPI for instructions.
See details, explanations, and screenshots in our blog post today:
https://pyfound.blogspot.com/2020/01/start-using-2fa-and-api-tokens-on-pypi…
A condensed explanation follows.
2FA:
Two-factor authentication makes your account more secure by
requiring two things in order to log in: something you know
and something you own.
In PyPI's case, "something you know" is your username and
password, while "something you own" can be an application
to generate a temporary code, or a security device (most
commonly a USB key). PyPI's implementation of the WebAuthn
standard means you can use any 2FA device that meets the
FIDO standard.
2FA only affects logging in via a web browser, and not
(yet) package uploads.
API tokens:
API tokens provide an alternative way (instead of username and
password) to authenticate when uploading packages to PyPI.
You can create a token for an entire PyPI account, in which
case, the token will work for all projects associated with
that account. Alternatively, you can limit a token's scope
to a specific project. That way, if a token is compromised,
you can just revoke and recreate that token, instead of
having to change your password in lots of automated processes.
For more details and instructions, click "help" on PyPI, or
go to: https://pypi.org/help/
These features are also available on Test PyPI.
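As an added example (not part of this announcement and not PyPI's own tooling), here is a small POSIX shell wrapper for an upload step in CI that refuses to run twine unless the credentials are an API token rather than an account password. It assumes, from twine's and PyPI's current documentation rather than from this message, that a PyPI API token is used with the literal username "__token__" and a secret beginning with "pypi-", and that twine reads TWINE_USERNAME and TWINE_PASSWORD from the environment.

```shell
#!/bin/sh
# Added example: guard an automated upload so it can only use a PyPI API token.
# Assumptions (not stated in the announcement): the username for token auth is
# the literal "__token__" and token secrets start with "pypi-".

# Return 0 when the username/secret pair looks like API-token credentials,
# 1 when it looks like a username/password login or is missing.
pypi_token_auth_ok() {
    user="$1"
    secret="$2"
    [ "$user" = "__token__" ] || return 1
    case "$secret" in
        pypi-?*) return 0 ;;   # token prefix followed by at least one character
        *)       return 1 ;;
    esac
}

# Upload the given distribution files with twine, but only with a token.
# Pass the token through the environment (e.g. a CI secret), never via a
# committed .pypirc, so a leaked token can simply be revoked and recreated.
upload_with_token() {
    if ! pypi_token_auth_ok "${TWINE_USERNAME:-}" "${TWINE_PASSWORD:-}"; then
        printf '%s\n' "refusing upload: set TWINE_USERNAME=__token__ and TWINE_PASSWORD to a project-scoped PyPI API token" >&2
        return 1
    fi
    twine upload "$@"
}
```

In a pipeline, call `upload_with_token dist/*` after exporting the two variables; a project-scoped token keeps the blast radius of a leaked CI secret to that one project.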
Future:
In the future, PyPI will set and enforce a policy requiring
users with two-factor authentication enabled to use API tokens
to upload (rather than just their password, without a second
factor). We do not yet know when we will make this policy change;
when we decide on a timeline, we will announce the change on this list.
Thanks to the Open Technology Fund for funding this work.
More work is in progress on pip and PyPI -- see https://wiki.python.org/psf/PackagingWG .
Please forward to other PyPI users, especially package maintainers.
-Sumana Harihareswara on behalf of the PyPI team