Enforcement of 2FA for upload.pypi.org begins today
Beginning today, all uploads from user accounts with 2FA enabled will be required to use an API Token or Trusted Publisher configuration in place of their password.
This change has been planned since 2FA was rolled out in 2019. In February of 2022 we began notifying users on upload that this change was coming.
If you have 2FA enabled and have been using only your password to upload, the following email is likely familiar to you:
Initially, we intended for this notice to live for six months before we began enforcement.
However, some valid concerns were raised regarding the use of user-scoped API tokens for new project creation.
With the introduction of Trusted Publishers, PyPI now provides a way for users to publish new projects without provisioning a user-scoped token, and to continue publishing without ever provisioning a long-lived API token whatsoever.
Given this, and our commitment to further rolling out 2FA across PyPI, we are now enforcing this policy.
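To find upload configurations that still rely on a password, the following added example (not code from PyPI or this post) audits the contents of a `.pypirc` file. It assumes the usual conventions that API tokens are stored with the username `__token__` and a value beginning with `pypi-`, and that a `[pypi]` section without a `repository` key targets upload.pypi.org; the sample file and the finding labels are constructed for illustration.

```python
import configparser
from urllib.parse import urlparse

# Constructed sample .pypirc; the user name, password and token are placeholders.
SAMPLE_PYPIRC = """\
[distutils]
index-servers =
    pypi
    legacy-password

[pypi]
username = __token__
password = pypi-EXAMPLE-TOKEN-NOT-REAL

[legacy-password]
repository = https://upload.pypi.org/legacy/
username = example-user
password = example-password
"""

PYPI_UPLOAD_HOST = "upload.pypi.org"


def audit_pypirc(text):
    """Return {section: finding} for every section that uploads to PyPI."""
    # RawConfigParser: no interpolation, so '%' in a stored secret is harmless.
    parser = configparser.RawConfigParser()
    parser.read_string(text)
    findings = {}
    for section in parser.sections():
        if section == "distutils":
            continue
        repo = parser.get(section, "repository", fallback="")
        host = urlparse(repo).hostname
        # Assumption: [pypi] with no repository key defaults to PyPI's upload host.
        if host != PYPI_UPLOAD_HOST and not (not repo and section == "pypi"):
            continue  # third-party index, out of scope for this policy
        username = parser.get(section, "username", fallback=None)
        password = parser.get(section, "password", fallback=None)
        if username == "__token__":
            if password is None:
                findings[section] = "token-username-only"  # secret kept elsewhere
            elif password.startswith("pypi-"):
                findings[section] = "api-token"
            else:
                findings[section] = "malformed-token"
        elif username is None and password is None:
            findings[section] = "no-stored-credential"
        else:
            findings[section] = "password-auth"  # rejected for 2FA-enabled accounts
    return findings
```

Sections reported as `password-auth` are the ones to move to an API token or a Trusted Publisher configuration.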
Ee Durbin is the Director of Infrastructure at the Python Software Foundation. They have been contributing to keeping PyPI online, available, and secure since 2013.