Enforcement of 2FA for upload.pypi.org begins today
by: Ee Durbin · 2023-06-01
If you have 2FA enabled and have been using only your password to upload, the following email is likely familiar to you:
Initially, we intended for this notice to live for six months before we began enforcement.
However, some valid concerns were raised regarding the use of user-scoped API tokens for new project creation.
With the introduction of Trusted Publishers, PyPI now provides a way for users to publish new projects without provisioning a user-scoped token, and to continue publishing without ever provisioning a long-lived API token whatsoever.
Given this, and our commitment to further rolling out 2FA across PyPI, we are now enforcing this policy.
Ee Durbin is the Director of Infrastructure at the Python Software Foundation. They have been contributing to keeping PyPI online, available, and secure since 2013.