To quote the blog post https://pyfound.blogspot.com/2019/06/pypi-now-supports-two-factor-login-via.html :
To further increase the security of Python package downloads, we're adding a
new beta feature to the Python Package Index: WebAuthn support for U2F
compatible hardware security keys as a two-factor authentication (2FA) login
security method. This is thanks to a grant from the Open Technology Fund,
coordinated by the Packaging Working Group of the Python Software Foundation.
...
Starting today, PyPI also supports (in beta) WebAuthn (U2F compatible) security
keys for a second login factor. A security key (also known as a universal
second factor, or U2F compatible key) is a hardware device that communicates via
USB, NFC, or Bluetooth. Popular keys include Yubikey, Google Titan and Thetis.
PyPI supports any FIDO U2F compatible key and follows the WebAuthn standard.
Users who have set up this second factor will be prompted to use their key
(usually by inserting it into a USB port and pressing a button) when logging
in. (This feature requires JavaScript.)
We need your help testing this while it's in beta:
https://wiki.python.org/psf/WarehousePackageMaintainerTesting Later this
week I'll publicize it to some more communities, and then in maybe 10
days, assuming we can quickly fix all the urgent bugs we find, we'll
remove the "beta" badge.
During this testing period, if things go awry, there's a chance we will
need to wipe tokens from users' accounts, so if you choose to try it,
please be forewarned. That's why you have to have a PyPI-verified email
address on your user account before trying the feature, to make
potential account recovery smoother.
Thanks to the Open Technology Fund for funding this work. More progress
reports at the Packaging Working Group's wiki page:
https://wiki.python.org/psf/PackagingWG .
(cross-posted to https://discuss.python.org/t/pypi-security-work-multifactor-auth-progress-help-needed/1042/24 )
--
Sumana Harihareswara
Changeset Consulting
https://changeset.nyc
--
Distutils-SIG mailing list -- distutils-sig@python.org
https://mail.python.org/mailman3/lists/distutils-sig.python.org/
Message archived at
https://mail.python.org/archives/list/distutils-sig@python.org/message/CASFCYQ345HEPRO42Z26NLY6P4UATE3W/