Start using 2FA and API tokens on PyPI
January 17, 2020
If you maintain or own a project on the Python Package Index, you should start using these features. Click "help" on PyPI for instructions. (These features are also available on Test PyPI.)
Details and plans for the future:
Two-factor authentication (2FA) makes your account more secure by requiring two things in order to log in: something you know and something you own.
In PyPI's case, "something you know" is your username and password, while "something you own" is either an authenticator application that generates a temporary code from a secret shared with PyPI at enrolment, or a security device (most commonly a USB key) that proves possession with a key pair registered for pypi.org.
Why? This improves the security of PyPI user accounts and so reduces the risk of vandals, spammers, and thieves gaining account access. Protecting login via the website safeguards against malicious changes to project ownership, deletion of old releases, and account takeovers. Note that the second factor currently protects only the website login: uploads still authenticate with a username and password, or with an API token, which is why the two features belong together.
PyPI's implementation of the WebAuthn standard and the TOTP standard means you can use any TOTP authenticator application and/or any 2FA device that meets the FIDO standard. (We launched WebAuthn support last year; this week it comes out of beta.)
Go to your account settings to add a second factor.
|Add a second factor in your account settings.|
|Create a key name in the PyPI interface.|
|In your Account Settings, select "Add API token".|
|PyPI interface for adding an API token for package upload.|
|Immediately after creating the API token, PyPI gives the user one chance to copy it.|
You can create a token for an entire PyPI user account, in which case the token will work for all projects associated with that account. Alternatively, you can limit a token's scope to a specific project, so that it cannot upload to anything else. Scoped tokens also limit the damage from a leak: if a token is compromised, you revoke and recreate that one token instead of changing your password in every automated process that uses it. Treat each token as a credential in its own right: keep it in your CI system's secret store rather than in source control, and issue a separate token for each project or pipeline.
|PyPI token management interface|
Go to your account settings to add an API token.
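The token-handling advice above, as an added example (illustrative code written for this page, not PyPI's or twine's own code): the script writes a `.pypirc` for interactive `twine upload` using twine's fixed `__token__` username, keeps the file owner-readable only, builds the environment a CI job should hand to twine so the token never appears on a command line, and audits an existing `.pypirc` before it is baked into a dotfiles repo or build image. The twine conventions it relies on (`__token__`, the `TWINE_USERNAME`, `TWINE_PASSWORD` and `TWINE_REPOSITORY_URL` variables, the `[distutils] index-servers` layout and the `/legacy/` upload URLs) are twine's; the `pypi-` prefix check, the fake token and the helper names are this example's own assumptions.

```python
import configparser
import os
import stat
import tempfile
from pathlib import Path

TOKEN_USERNAME = "__token__"   # the fixed username twine sends when authenticating with an API token
TOKEN_PREFIX = "pypi-"         # tokens issued by PyPI and Test PyPI both start with this (assumed here)
REPOSITORIES = {               # names usable with `twine upload --repository <name>`
    "pypi": "https://upload.pypi.org/legacy/",
    "testpypi": "https://test.pypi.org/legacy/",
}

# Constructed, fake token used only for the demo below; it was never issued by PyPI.
FAKE_TOKEN = "pypi-" + "AgEIcHlwaS5vcmc" + "X" * 48


def validate_token(token: str) -> str:
    """Reject things that are clearly not a PyPI token before they reach a config file or secret store."""
    token = token.strip()
    if not token.startswith(TOKEN_PREFIX) or len(token) == len(TOKEN_PREFIX):
        raise ValueError("expected a PyPI API token starting with 'pypi-'")
    if any(ch.isspace() for ch in token):
        raise ValueError("token contains whitespace; it was probably pasted incompletely")
    return token


def is_valid_token(token: str) -> bool:
    try:
        validate_token(token)
        return True
    except ValueError:
        return False


def twine_env(token: str, repository: str = "pypi") -> dict:
    """Environment for a CI job. twine reads these variables, so the token is never an argument
    to `twine upload`, where `ps`, shell history or a verbose build log could expose it."""
    return {
        "TWINE_USERNAME": TOKEN_USERNAME,
        "TWINE_PASSWORD": validate_token(token),
        "TWINE_REPOSITORY_URL": REPOSITORIES[repository],
    }


def write_pypirc(path, token: str, repository: str = "pypi") -> Path:
    """Write a .pypirc for interactive `twine upload`, readable by the owner only (mode 0600)."""
    path = Path(path)
    cfg = configparser.ConfigParser(interpolation=None)  # tokens must be stored verbatim
    cfg.read(path)                                       # keep other sections if the file exists
    if not cfg.has_section("distutils"):
        cfg.add_section("distutils")
    servers = cfg.get("distutils", "index-servers", fallback="").split()
    if repository not in servers:
        servers.append(repository)
    cfg.set("distutils", "index-servers", "\n" + "\n".join(servers))  # one name per line
    if not cfg.has_section(repository):
        cfg.add_section(repository)
    cfg.set(repository, "repository", REPOSITORIES[repository])
    cfg.set(repository, "username", TOKEN_USERNAME)
    cfg.set(repository, "password", validate_token(token))
    # Create (or truncate) with 0600 so the token is never briefly world-readable,
    # then chmod in case the file pre-existed with looser permissions.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as fh:
        cfg.write(fh)
    os.chmod(path, 0o600)
    return path


def audit_pypirc(path) -> dict:
    """Report whether the file is private and which repositories use a token rather than a password."""
    path = Path(path)
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read(path)
    mode = stat.S_IMODE(path.stat().st_mode)
    report = {"private": (mode & 0o077) == 0, "repositories": {}}
    for section in cfg.sections():
        if section == "distutils":
            continue
        username = cfg.get(section, "username", fallback="")
        password = cfg.get(section, "password", fallback="")
        report["repositories"][section] = {
            "uses_token": username == TOKEN_USERNAME and password.startswith(TOKEN_PREFIX),
            "has_secret": bool(password),
        }
    return report


def demo(directory=None) -> dict:
    """Write a .pypirc with the fake token into a scratch directory and audit it."""
    directory = directory or tempfile.mkdtemp()
    path = write_pypirc(Path(directory) / ".pypirc", FAKE_TOKEN, "testpypi")
    return audit_pypirc(path)


if __name__ == "__main__":
    print(demo())
    print(twine_env(FAKE_TOKEN, "testpypi"))
```

For a CI pipeline, pass the dictionary from `twine_env` as the subprocess environment and run `twine upload dist/*`; the token then lives only in the CI secret store and the job's environment. Running `audit_pypirc` on a long-lived `~/.pypirc` is a quick way to catch the two common mistakes the post warns about: a real password stored for upload, and a token file that other users on the machine can read.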
In the future, PyPI will set and enforce a policy requiring users who have two-factor authentication enabled to use API tokens to upload, rather than their password alone (which carries no second factor). We do not yet know when we will make this policy change. When we do, we'll announce it.
Thanks to the Open Technology Fund for funding this work.
More donor-funded work is in progress on pip and PyPI, via the PSF's Packaging Working Group. Please sign up for the PyPI Announcement Mailing List for future updates.