On Sep 4, 2013, at 11:53 AM, Antoine Pitrou <anto...@python.org> wrote:
> Donald Stufft <donald <at> stufft.io> writes:
>>
>> On Sep 4, 2013, at 11:28 AM, Nick Coghlan <ncoghlan <at> gmail.com> wrote:
>>
>>> The *best* answer is for a service to use 2-factor authentication
>>> instead of relying entirely on passwords (the "physical object" Donald
>>> mentioned earlier), but we don't have the resources to set that up,
>>> and certainly can't require it for all PyPI users (since you either
>>> need a physical token or a phone capable of running an app like Google
>>> Authenticator).
>>
>> PyPI will gain 2 Factor Auth support in Warehouse. It's something I feel strongly
>> about and am going to make it work. It obviously won't be required for the
>> reasons you listed, but if folks turn it on then it'll be required for their account.
>> Likely also projects will be able to require that their projects themselves get
>> modified only by an account with 2FA enabled as well.
>
> What would the second factor be in this case?
> (besides the usual password-based or OpenID-based auth factor?)

Something that implements the standard TOTP algorithm. There are a number of apps for phones that enable it as well as desktop apps. Possibly support for users to buy a YubiKey or an RSA token as well.

A lot of the details are really sketchy because I haven't actually done it yet, but I know that a) it'll be supported and b) at a minimum TOTP will be supported.

-----------------
Donald Stufft
PGP: 0x6E3CBCE93372DCFA // 7C6B 7C5D 5E2B 6356 A926 F04F 6E3C BCE9 3372 DCFA
_______________________________________________ Distutils-SIG maillist - Distutils-SIG@python.org https://mail.python.org/mailman/listinfo/distutils-sig
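Added example, not Donald's code and not the Warehouse implementation: a minimal RFC 4226 HOTP / RFC 6238 TOTP generator and verifier in Python, of the kind a service would run on its side while the user's phone app produces the codes. The 20-byte secret "12345678901234567890" is the one the two RFCs use for their published test vectors; the one-step drift window, the replay check on the last accepted counter, and the `provision_secret` helper are assumptions of this example, not anything the thread specifies.

```python
"""RFC 4226 HOTP and RFC 6238 TOTP, with server-side verification.

Added example for the Distutils-SIG thread above; not PyPI/Warehouse code.
"""
import base64
import hashlib
import hmac
import secrets
import struct
import time
from typing import Callable, Tuple


def hotp(secret: bytes, counter: int, digits: int = 6,
         digestmod: Callable = hashlib.sha1) -> str:
    """RFC 4226: HMAC over the 8-byte big-endian counter, dynamic truncation,
    then reduce modulo 10**digits and left-pad with zeros."""
    mac = hmac.new(secret, struct.pack(">Q", counter), digestmod).digest()
    offset = mac[-1] & 0x0F                      # low nibble of the last byte
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6,
         digestmod: Callable = hashlib.sha1) -> str:
    """RFC 6238: HOTP with the counter set to floor(unix_time / step)."""
    return hotp(secret, unix_time // step, digits, digestmod)


def verify_totp(secret: bytes, candidate: str, unix_time: int,
                last_counter: int, *, window: int = 1, step: int = 30,
                digits: int = 6) -> Tuple[bool, int]:
    """Server-side check. Returns (accepted, new_last_counter).

    Assumed policy (not from the thread): accept a code from +/- `window`
    time steps to tolerate clock drift, and never accept a counter at or
    below the last one already consumed, so a captured code cannot be
    replayed inside its validity window. `last_counter` must be persisted
    per account between calls.
    """
    if len(candidate) != digits or not candidate.isdigit():
        return False, last_counter
    now = unix_time // step
    for delta in range(-window, window + 1):
        counter = now + delta
        if counter <= last_counter:
            continue                              # already used: replay
        # compare_digest keeps the comparison time independent of where
        # the digits first differ.
        if hmac.compare_digest(hotp(secret, counter, digits), candidate):
            return True, counter
    return False, last_counter


def provision_secret(nbytes: int = 20) -> str:
    """Fresh random secret, base32-encoded the way authenticator apps
    expect it (assumption: 20 bytes, matching an HMAC-SHA1 output size)."""
    return base64.b32encode(secrets.token_bytes(nbytes)).decode("ascii")


def decode_secret(b32: str) -> bytes:
    """Inverse of provision_secret; tolerates the lowercase/spaced form
    users type back from a QR-code label."""
    return base64.b32decode(b32.replace(" ", "").upper())


if __name__ == "__main__":
    # Demonstration with a constructed secret: what the server and the
    # user's app would both compute for the current 30-second step.
    b32 = provision_secret()
    key = decode_secret(b32)
    now = int(time.time())
    code = totp(key, now)
    ok, used = verify_totp(key, code, now, last_counter=-1)
    print(f"secret={b32} code={code} accepted={ok} counter={used}")
    # The same code presented again must be rejected as a replay.
    print("replay accepted:", verify_totp(key, code, now, last_counter=used)[0])
```

The generator half is exactly what the phone or desktop apps mentioned in the reply implement, so the same secret enrolled on both sides yields matching codes; the verifier half is where a service decides on drift tolerance and replay handling, and storing the last accepted counter per account is what turns a TOTP code into a genuinely one-time credential.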