Friday, January 17, 2020

Start using 2FA and API tokens on PyPI

To increase the security of PyPI downloads, we have added two-factor authentication (2FA) as a login security option, and API tokens for uploading packages. This is thanks to a grant from the Open Technology Fund, coordinated by the Packaging Working Group of the Python Software Foundation.

If you maintain or own a project on the Python Package Index, you should start using these features. Click "help" on PyPI for instructions. (These features are also available on Test PyPI.)

Details and plans for the future:

2FA:

Two-factor authentication (2FA) makes your account more secure by requiring two things in order to log in: something you know and something you own.

In PyPI's case, "something you know" is your username and password, while "something you own" can be an application to generate a temporary code, or a security device (most commonly a USB key).

Why? This will help improve the security of your PyPI user accounts, and thus reduce the risk of vandals, spammers, and thieves gaining account access. Protecting login via the website safeguards against malicious changes to project ownership, deletion of old releases, and account takeovers.

PyPI's implementation of the WebAuthn standard and the TOTP standard means you can use any TOTP authentication application and/or any 2FA device that meets the FIDO standard. (We launched WebAuthn support last year; this week it comes out of beta.)

Go to your account settings to add a second factor.
Add a second factor in your account settings.

Create a key name in the PyPI interface.
2FA only affects logging in via a web browser, and not (yet) package uploads.

API tokens:

In your Account Settings, select "Add API token".
API tokens provide an alternative way (instead of username and password) to authenticate when uploading packages to PyPI. (We launched API token support last year; this week it comes out of beta.)

PyPI interface for adding an API token for package upload.


Immediately after creating the API token, PyPI gives the user one chance to copy it.
Why? These API tokens can only be used to upload packages to PyPI, and not to log in more generally. This makes it safer to automate package upload and store the credential in the cloud, since a thief who copies the token won't also gain the ability to delete the project, delete old releases, or add or remove collaborators. And, since the token is a long character string (with 32 bytes of entropy and a service identifier) that PyPI has securely generated on the server side, we vastly reduce the potential for credential reuse on other sites and for a bad actor to guess the token.

You can create a token for an entire PyPI user account, in which case, the token will work for all projects associated with that account. Alternatively, you can limit a token's scope to a specific project. That way, if a token is compromised, you can just revoke and recreate that token, instead of having to change your password in lots of automated processes.
PyPI token management interface

Go to your account settings to add an API token.

Future:

In the future, PyPI will set and enforce a policy requiring users with two-factor authentication enabled to use API tokens to upload (rather than just their password, without a second factor). We do not yet know when we will make this policy change. When we do, we'll announce it.

Thanks:

Thanks to the Open Technology Fund for funding this work.

More donor-funded work is in progress on pip and PyPI, via the PSF's Packaging Working Group. Please sign up for the PyPI Announcement Mailing List for future updates.

Tuesday, January 07, 2020

Python Software Foundation Fellow Members for Q4 2019

We are happy to announce our newest PSF Fellow Members for Q4!

Q4 2019


Humphrey Butau

Ngazetungue Muheue: Twitter

Pablo Galindo Salgado: GitHub, Twitter

Patrick Arminio: Twitter, Personal website


Congratulations! Thank you for your continued contributions. We have added you to our Fellow roster online.

The above members have contributed to the Python ecosystem by teaching Python, contributing to and maintaining CPython, organizing Python events and conferences, starting Python communities in their home countries, and overall being great mentors in our community. Each of them continues to help make Python more accessible around the world. To learn more about the new Fellow members, check out their links above.

Let's continue to recognize Pythonistas all over the world for their impact on our community. The criteria for Fellow members is available online: https://www.python.org/psf/fellows/. If you would like to nominate someone to be a PSF Fellow, please send a description of their Python accomplishments and their email address to psf-fellow at python.org. We are accepting nominations for quarter 1 through February 20, 2020.

Help Wanted!


The Fellow Work Group is looking for more members from all around the world! If you are a PSF Fellow and would like to help review nominations, please email us at psf-fellow at python.org. More information is available at: https://www.python.org/psf/fellows/.