Description
Account compromise of the owner of a popular package on PyPI would have pretty dire consequences. 2FA/MFA would be a big step toward helping avoid this.
This would need to be implemented in both:
- Website login
- API used for package upload/register by setuptools/pip/...
The first of these is presumably the easiest, and I believe it will still add some value even if the second isn't implemented initially, since it will still prevent things like package owner/maintainer role changes or modification of a user's listed GPG key or login details (presuming these cannot be made via the API).
Harder is what to do with the API, given it requires client changes and is also used by some in a non-interactive manner in automation. I see a few options:
- Add 2FA support to setuptools/pip, and document that people uploading packages in automation will need to disable 2FA for their whole account (or, ideally, create a separate account just for automation).
- Add support for API keys in both Warehouse and clients (Add support for API keys #994) and allow those to bypass 2FA. For the people who really must upload packages non-interactively this would still protect against a few risks (credential re-use, weak credentials), and the API keys could also be made package-specific or tied to a particular IP range. Everyone else would simply not create an API key and would keep full 2FA protection.
- All of the above.
In terms of implementation, there are a number of packages that support TOTP (the scheme used by Google Authenticator):
https://pypi.python.org/pypi/onetimepass/1.0.1
https://pypi.python.org/pypi/pyotp
https://pypi.python.org/pypi/oath
https://pypi.python.org/pypi/otpauth
(I've filed this against warehouse since I'm presuming this is beyond the scope of maintenance-only changes being made to the old PyPI codebase)