Friday, January 17, 2020

Start using 2FA and API tokens on PyPI

To increase the security of PyPI downloads, we have added two-factor authentication (2FA) as a login security option, and API tokens for uploading packages. This is thanks to a grant from the Open Technology Fund, coordinated by the Packaging Working Group of the Python Software Foundation.

If you maintain or own a project on the Python Package Index, you should start using these features. Click "help" on PyPI for instructions. (These features are also available on Test PyPI.)

Details and plans for the future:


Two-factor authentication (2FA) makes your account more secure by requiring two things in order to log in: something you know and something you own.

In PyPI's case, "something you know" is your username and password, while "something you own" can be an application to generate a temporary code, or a security device (most commonly a USB key).

Why? This will help improve the security of your PyPI user accounts, and thus reduce the risk of vandals, spammers, and thieves gaining account access. Protecting login via the website safeguards against malicious changes to project ownership, deletion of old releases, and account takeovers.

PyPI's implementation of the WebAuthn standard and the TOTP standard mean you can use any TOTP authentication application and/or any 2FA device that meets the FIDO standard. (We launched WebAuthn support last year; this week it comes out of beta.)

Go to your account settings to add a second factor.
Add a second factor in your account settings.

Create a key name in the PyPI interface.
2FA only affects logging in via a web browser, and not (yet) package uploads.

API tokens:

In your Account Settings,
select "Add API token".
API tokens provide an alternative way (instead of username and password) to authenticate when uploading packages to PyPI. (We launched API token support last year; this week it comes out of beta.)

PyPI interface for adding an
API token for package upload.

Immediately after creating the API token,
PyPI gives the user one chance to copy it.
Why? These API tokens can only be used to upload packages to PyPI, and not to log in more generally. This makes it safer to automate package upload and store the credential in the cloud, since a thief who copies the token won't also gain the ability to delete the project, delete old releases, or add or remove collaborators. And, since the token is a long character string (with 32 bytes of entropy and a service identifier) that PyPI has securely generated on the server side, we vastly reduce the potential for credential reuse on other sites and for a bad actor to guess the token.

You can create a token for an entire PyPI user account, in which case, the token will work for all projects associated with that account. Alternatively, you can limit a token's scope to a specific project. That way, if a token is compromised, you can just revoke and recreate that token, instead of having to change your password in lots of automated processes.
PyPI token management interface

Go to your account settings to add an API token.  


In the future, PyPI will set and enforce a policy requiring users with two-factor authentication enabled to use API tokens to upload (rather than just their password, without a second factor). We do not yet know when we will make this policy change. When we do, we'll announce it.


Thanks to the Open Technology Fund for funding this work.

More donor-funded work is in progress on pip and PyPI, via the PSF's Packaging Working Group. Please sign up for the PyPI Announcement Mailing List for future updates.