
jurassic | 2 years ago

While I'm not against security and 2FA in general, making PyPI 2FA mandatory ahead of any kind of org support is a major pain for big projects with more than one maintainer. This week I was forced to link my company's PyPI account to a personal device to unblock our latest release and now none of the dozen other maintainers I work with can get access. Things will get spicy if someone in my position were to die, leave the company on bad terms, etc., and a big project can no longer be managed.

PyPI announced orgs back in April, but it seems they still haven't figured out the details on pricing, etc. No telling when those will roll out, but I sure hope it's soon. I'm cynical, but the sequencing of work here very much feels like somebody at Google (or wherever) wanted to push a big open source security project to advance their personal promo case rather than thinking through the needs of serious project maintainers.


djha-skin | 2 years ago

You were not forced to do that because TOTP is manageable via password manager.

TOTP and yubikey are excellent technologies that way. They allow two-factor authentication without breaking privacy.

Everyone within the sound of my voice: get a password manager. It sounds like a hassle but it makes your life infinitely better. It allows you to keep your life private and more secure than it was while providing more convenience than you had before.

I recommend KeepassXC. Open source, audited, fully featured, and can be paired with one of several different kinds of syncing technologies depending on your risk appetite.

eesmith | 2 years ago

I think it's odd that PyPI doesn't list any desktop programs, like KeepassXC, at https://pypi.org/help/#twofa , only mobile ones. That makes it seem like 2FA is mobile-only.

I expect some people don't want to mix work accounts on their personal phone ("keep your life private"), and because smart phones are still not yet universal, even among developers.

prox | 2 years ago

So KeepassXC can do TOTP like Authy? 'Cause I would love to switch from that app if I can.

sakjur | 2 years ago

You can have centralized TOTP too, I believe e.g. Vault or 1password can do that?

jurassic | 2 years ago

Good to know, I wasn't aware. But if you're storing passwords, TOTP seed, and recovery codes all in the same shared password vault, it's not really multi-factor anymore. It's security theatre.

notatoad | 2 years ago

You can also just screenshot the QR code they give you to register your TOTP authenticator, and share it with the other maintainers.

Sites implementing 2FA don't make it easy to share the keys (because they shouldn't, that's bad!) but a shared TOTP key is better than no key.

heavyset_go | 2 years ago

You can do the same with passkeys with something like Vaultwarden/Bitwarden, as well.

toyg | 2 years ago

I suspect it has more to do with the legal backchatter on supply-chain attacks in open source. The likes of GitHub and GitLab already have a bunch of features they can point at, should a lawyer come knocking; PyPI doesn't have anything.