I've been using the 2FA via third party app for PyPI login. I just have 1password generate the code for me automatically based on the barcode & don't use a hardware key or phone. Maybe just reduces the chance of compromise a little bit. On Thu, 27 Jun 2019 at 16:26, Charles R Harris <charlesr.harris@gmail.com> wrote:

Forwarding a message from PyPI. I looked at the two factor login a while ago and decided it wasn't for me, but others might be interested.

---------- Forwarded message --------- From: Sumana Harihareswara <sh@changeset.nyc> Date: Thu, Jun 27, 2019 at 4:11 PM Subject: 2-factor auth on PyPI & NumPy projects To: Charles R Harris <charlesr.harris@gmail.com>

Dear Mr. Harris:

Hi! I found you via the NumPy discussion mailing list, where I saw you are part of the release team.

I'm the project manager for PyPI. Right now we're beta testing a new security feature on PyPI:

https://pyfound.blogspot.com/2019/06/pypi-now-supports-two-factor-login-via.... 2-factor auth for website login with WebAuthn (hardware devices like Yubikeys). And during this beta, we'd love more testing from package maintainers who use a variety of operating systems, browsers, and browser plugins, including on mobile.

There's more info at https://wiki.python.org/psf/WarehousePackageMaintainerTesting .

And within the next few months we'll be adding support for API keys for uploading releases to PyPI https://github.com/pypa/warehouse/issues/994 , which should make release automation easier.

Could you possibly pass this information on to the NumPy developers' list or another relevant group?

Thanks, Sumana -- Sumana Harihareswara PyPI project manager Changeset Consulting https://changeset.nyc _______________________________________________ SciPy-Dev mailing list SciPy-Dev@python.org https://mail.python.org/mailman/listinfo/scipy-dev