PyPI now supports two-factor authentication to improve the security of Python package downloads

To improve the security of Python package downloads, PyPI (the Python package repository) has introduced two-factor authentication (2FA) as a login security option.

Starting today, 2FA is available to all users of PyPI.org and test.pypi.org. The team encourages project maintainers and owners to log in and add a second verification factor on the account settings page. Doing so improves the security of their PyPI accounts and reduces the risk of attackers, spammers and hackers gaining access to them.

PyPI's 2FA currently supports only one authentication method: codes generated by an application using the time-based one-time password (TOTP) algorithm. That is, after enabling 2FA on a PyPI account, you must provide a TOTP code (as well as the user name and password) to log in.

Therefore, to use 2FA on PyPI, you need to configure an application (usually a mobile app) to generate authentication codes.

In addition, before 2FA can be turned on, the primary e-mail address of the Test PyPI and/or PyPI account must be verified. This, too, is done in "Account Settings".

Although 2FA currently supports only TOTP, the team said it is developing WebAuthn-based multi-factor authentication. With it, for example, users will be able to use YubiKeys as the second factor. The team also plans to add API keys for package uploads and an advanced audit trail for sensitive user actions. For more details, please see the progress report.

Origin www.oschina.net/news/107099/use-two-factor-auth-to-improve-pypi-account