Introduction of two-factor authentication on PyPI led to an incident with the removal of a popular package

The developers of the Python package repository PyPI have published a plan for the transition to mandatory two-factor authentication for projects in the critical category. Criticality is determined by download count: the change applies to the accounts of maintainers and owners of projects in the top 1% of packages by downloads over the preceding 6 months. Since the PyPI repository currently holds more than 350 thousand packages, mandatory two-factor authentication will cover approximately 3,500 packages. A dedicated page is provided for checking whether an account is on the list. The exact date on which mandatory two-factor authentication takes effect has not yet been determined; it is expected to happen in the coming months.

Unlike the transitions to two-factor authentication for RubyGems, npm and GitHub projects, PyPI is introducing a stricter scheme that relies on hardware security keys. The stated reason for using hardware tokens and the WebAuthn protocol is higher security compared to one-time passwords (TOTP): a WebAuthn assertion is signed over the origin of the site that requested it and cannot be replayed elsewhere, whereas a TOTP code is just six digits derived from a shared seed and the clock, so a code typed into a phishing page can be relayed to the real site within its validity window.

Tokens can be obtained for free: Google sponsored the initiative and allocated 4000 Titan keys to the project. Each maintainer may apply to receive two tokens free of charge, with either a USB-C or a USB-A interface. The second token is sent as a backup in case the primary one breaks or is lost, to minimize the risk of losing access to the repository and spare developers the laborious account-recovery procedure.

Unfortunately, tokens can only be shipped to Austria, Belgium, Canada, France, Germany, Italy, Japan, Spain, Switzerland, Great Britain and the USA. Any token compatible with the FIDO U2F specification is also suitable, for example YubiKey and Thetis tokens. As an alternative to hardware tokens, authentication based on one-time passwords generated by applications that support the TOTP protocol, such as Authy, Google Authenticator and FreeOTP, may be used.

The initiative did not pass without incident. The author of the atomicwrites package, which sees 6 million downloads per month and 38 million over 6 months, did not want to enable two-factor authentication and, in order to get his package removed from the critical list, tried to reset the download counter. To do so, he first deleted the package and then uploaded a new version.
It was expected that this manipulation would merely reset the counter, but to the developer's surprise
