2FA Required for PyPI
Two-factor Authentication is required for all users
It's January 1st, 2024, and PyPI now requires Two-factor authentication (2FA) for all users.
This post is a recognition of the hard work that went into making this a reality, and a thank you to all the users who have enabled 2FA on their accounts.
It is also a reminder to those who have not yet enabled 2FA that you will need to do so before you can perform any management actions or upload files to PyPI.
Why didn't I hear about this?
We take backwards compatibility very seriously, and try our best to preserve behaviours our wide community of users have come to expect.
We've been talking about this for a while, and have worked to make it easy to enable a form of 2FA - TOTP or WebAuthn (or both!). We've also tried to be very vocal about the upcoming change.
In July 2022, PyPI secured sponsorship for a giveaway of 4,000 hardware keys for eligible maintainers of the top 1% of projects by downloads to enable 2FA on their PyPI accounts. Thanks, Google Open Source Security Team!
We wrote posts on the PyPI Blog (this!) to announce the change, and some of them were picked up by other technology news sites.
Here are some of the posts:
- Securing PyPI accounts via Two-Factor Authentication
- 2FA Enforcement for upload.pypi.org
- 2FA Enforcement for New User Registrations
- 2FA Enforcement for TestPyPI
- 2FA Requirement for PyPI begins 2024-01-01
We followed most posts with links on social media, other blogs, and news aggregators.
In August 2023, we developed an email campaign to notify users who had uploaded to PyPI but had not yet enabled 2FA on their accounts.
How did we get here?
(Apologies if there are inaccuracies; feel free to send a pull request with any corrections!)
In 2019, the PSF received a grant from the Open Technology Fund to improve the security of PyPI.
Here are some posts from the era that predates the PyPI Blog:
- Commencing Security, Accessibility, and Internationalization Improvements to PyPI for 2019
- Use two-factor auth to improve your PyPI account's security
- PyPI Now Supports Two-Factor Login via WebAuthn
- PyPI now supports uploading via API token
- Start using 2FA and API tokens on PyPI
We'll be continuing to improve the security of PyPI, and we're always looking for help.
Thank you to all the users who have enabled 2FA on their accounts; you are helping to make PyPI more secure for everyone.
Thank you to all the contributors to PyPI, and the maintainers of the projects that make up PyPI. Your work is appreciated. ❤️