You won't lock yourself out. I just did a quick test and if you reset your password (via an email link) then you are automatically logged in. At this point you can even disable 2FA. So 2FA is protecting against logging in with a stolen password, but it's not protecting against logging in if you have access to the account's email account.
Whether or not that's the intended behaviour is another question...
>Currently, only TOTP is supported as a 2FA method. Also, 2FA only affects login via the website which safeguards against malicious changes to project ownership, deletion of old releases, and account takeovers. Package uploads will continue to work without 2FA codes being provided.
>But we're not done! We're currently working on WebAuthn-based multi-factor authentication, which will let you use, for instance, Yubikeys for your second factor. Then we'll add API keys for package upload, then an advanced audit trail of sensitive user actions. More details are in our progress reports.
They seem to be aware of this shortcoming, and are addressing it.
Doesn't "usually" mean "there are already other options"? Otherwise, why not use "always"?
Is it really the case that TOTP applications only exist for smart phones? And not for desktop computers?
EDIT: I see that crankylinuxuser in a parallel thread already pointed to a couple of desktop solutions, one for MS Windows and another for Linux-based OSes.
Starting the authy desktop client opens a window where a phone number must be entered. Are there TOTP implementations for desktops that don't require a phone number?
KeePassXC[0] can store the secrets in its password database file, no account or cloud provider required. There's also yubioath[1] which stores it on a YubiKey (requiring special hardware, but making it much harder to retrieve the TOTP secret than from either phones or desktop software).
> As far as I could tell, the only way to provision an application was through a mobile phone app.
Any application that knows how to ingest an otpauth:// URL and generate TOTP tokens will work. I know that 1Password on macOS does, and I suspect that other desktop password managers also have TOTP support.
> I don't have anything that can scan a QR code.
If you open the HTML for the TOTP provisioning page, you'll find the raw otpauth:// URL in an "aria-label" attribute on the QR image. That's obviously not very user friendly, and will be improved upon.
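For anyone who wants to see what "ingest an otpauth:// URL and generate TOTP tokens" involves, here is an added example (not code from PyPI or from any of the clients mentioned above) that parses such a URL, derives RFC 6238 codes from it, and verifies a submitted code with a small clock-drift window. The URL below is constructed for illustration; its secret is the RFC 6238 test key, not anything from a real account.

```python
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import parse_qs, unquote, urlparse

# Constructed sample: the kind of URL found in the QR image's aria-label.
# The secret is the RFC 6238 reference key "12345678901234567890" in base32.
PROVISIONING_URL = ("otpauth://totp/PyPI:alice?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
                    "&issuer=PyPI&algorithm=SHA1&digits=6&period=30")

def parse_otpauth(url):
    """Parse an otpauth://totp/... provisioning URL into its parameters."""
    u = urlparse(url)
    if u.scheme != "otpauth" or u.netloc != "totp":
        raise ValueError("not an otpauth://totp/ URL")
    q = {k: v[0] for k, v in parse_qs(u.query).items()}
    secret = q["secret"].upper().replace(" ", "")
    secret += "=" * (-len(secret) % 8)  # restore base32 padding some issuers strip
    return {
        "label": unquote(u.path.lstrip("/")),
        "issuer": q.get("issuer"),
        "key": base64.b32decode(secret),
        "algorithm": q.get("algorithm", "SHA1").upper(),
        "digits": int(q.get("digits", 6)),
        "period": int(q.get("period", 30)),
    }

def totp_at(params, unix_time):
    """RFC 6238: HOTP (RFC 4226) over the time-step counter, dynamic truncation."""
    counter = int(unix_time) // params["period"]
    hash_fn = getattr(hashlib, params["algorithm"].lower())
    digest = hmac.new(params["key"], struct.pack(">Q", counter), hash_fn).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** params["digits"]).zfill(params["digits"])

def verify(params, code, unix_time=None, window=1):
    """Accept the current step plus/minus `window` steps to tolerate clock drift."""
    now = time.time() if unix_time is None else unix_time
    for step in range(-window, window + 1):
        candidate = totp_at(params, now + step * params["period"])
        if hmac.compare_digest(candidate, code):  # constant-time compare
            return True
    return False
```

The values in the test vectors of RFC 6238 Appendix B (SHA-1, 6-digit truncation) come out of `totp_at` directly, which is a quick way to check any client you set up against a known-good answer.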
Thanks! Perhaps people like me (never used TOTP outside of my bank's security token; don't have a smart phone; no experience with password managers) are common enough to mention this in the FAQ?
As it is, even though 1Password is only $3/month, the handful of projects I have on PyPI aren't revenue generating and I only make about one update a year, so I'm unlikely to switch to that just to manage PyPI entries.
Which means figuring out what the no cost solutions are, which is another barrier to entry that might be lowered by mentioning it in the FAQ.
> Thanks! Perhaps people like me (never used TOTP outside of my bank's security token; don't have a smart phone; no experience with password managers) are common enough to mention this in the FAQ?
Yes, I think so! I've forwarded this thread along to others working on PyPI as part of the OTF grant, and we'll be figuring out how best to explain using TOTP without being too mobile-centric.
I'm very sympathetic to not wanting to pay a service for the privilege of logging into your own account. 1Password is what came to mind because I happen to use it, but GNOME provides a TOTP client as well[1]. There are also a few others, based on a cursory search.
We also have support for WebAuthn in the pipeline, which will allow you to use a physical security key (or a physical authentication method like a fingerprint, if your device has support for that). That still does require a 1-time purchase for many users (the aforementioned security key), but the proliferation of built-in methods and cheap keys should help mitigate that somewhat.
The desktop app will let you scan QR codes that appear on screen.
When 2FA fields show up, the password autofill shortcut (cmd + \ is the default I think) will automatically populate them.
It’s a CLI tool that generates TOTP codes (and puts them directly in the pasteboard). You can “scan” the QR code by taking a screenshot of it, and when generating codes, it’ll ask you for your password (or fingerprint, if you have a Mac with TouchID).
>I don't have a smart phone (haven't felt like I needed one).
super off-topic but my phone and desktop both only have 4 GB of RAM. the phone seems to say "all right boys and girls we got 4 GB here let's try and make it work. Let's dust off these O() notations etc". meanwhile my mehsktop is like "come on you're not really going to open another tab" and rolls its eyes at me, makes me feel like I should come back when I have 4 TB of RAM and a 64-core monster. Right now I have 8 tabs open on my desktop and I feel like I need to be closing some. seeing the ;) sign instead of the tab count on mobile is no problem. (it does that over 100 tabs).
you might want to give mobile a try just because it's like not being treated like a second-class citizen anymore. (since your browser's devs don't have 64 GB on theirs either.) if you get a data plan the messenger apps (facebook messenger, whatsapp and viber) are very convenient as well.
I don't use any other apps daily except maps and evernote.
You have felt the need for more desktop RAM but haven't done so.
I haven't felt the need for a smart phone, and haven't done so.
These are different, yes?
FWIW, I've felt the need to not have a smart phone. My feature phone is small; I can drop it in just about any pocket. It's cheap; I've had four phones which ended up in the laundry (see 'just about any pocket'), and destroyed phones other ways, and $20/phone means I don't worry about it. And I love having a 1+ week charge time.
I feel sorry for you with only 4 GB of RAM. I've not had that little in either a personal PC or work PC in over 10 years. At work, I have 16 GB and at home 64 GB. Work, the problem is the size of the data sets I'm trying to work with. Pull all exposure factors from a vendor for a 2 year period? Yeah, I'm going to run out of memory. 10 years of daily, over 500 data points per date into a pandas DataFrame just doesn't work.
At home, a lot of the 64 GB goes towards running VMs and actively disabling paging (don't want to burn out my SSD via heavy paging).
At previous job, also had 16 GB of RAM, could run out of memory by doing a large build under WSL. Apparently McAfee has an issue with WSL that leaks memory like a drive in manner that can only be reclaimed via a restart of the entire system.
This is the most convenient way, yes. In the mean time, I'm looking for a Linux utility that can scan QR codes, because I've come across this problem a lot.
Actually, the upload API doesn't seem to be protected -- I just uploaded a package to test.pypi.org with twine using nothing but my old pypirc despite having enabled 2FA. So I suppose this is of limited value, at least at the moment.
Implementor here. Yep, this is correct: 2FA (TOTP currently, WebAuthn is in the pipeline[1]) will protect sign-ons in the PyPI web interface, and we (Trail of Bits) will be adding support for scoped API keys for uploads.
Edit: There's a ticket already opened for that
https://github.com/pypa/warehouse/issues/5800