Hacker News

Actually, the upload API doesn't seem to be protected -- I just uploaded a package to test.pypi.org with twine using nothing but my old pypirc despite having enabled 2FA. So I suppose this is of limited value, at least at the moment.

Relevant warehouse issue: https://github.com/pypa/warehouse/issues/994.



Implementor here. Yep, this is correct: 2FA (TOTP currently, WebAuthn is in the pipeline[1]) will protect sign-ons in the PyPI web interface, and we (Trail of Bits) will be adding support for scoped API keys for uploads.

[1]: https://github.com/pypa/warehouse/pull/5795
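The practical consequence of the two comments above is that a `.pypirc` holding an account password still authorizes `twine upload` regardless of web 2FA, so a maintainer wants to know which configured index servers still rely on it. The following audit script is an added example, not code from this thread, from Warehouse or from twine. It assumes the standard `.pypirc` layout that twine reads (a `[distutils]` `index-servers` list plus one section per repository) and the PyPI convention, introduced after this thread, of a `__token__` username with a scoped API token (prefixed `pypi-`) as the password; the `.pypirc` contents below are constructed, and the script never contacts PyPI.

```python
"""Audit a .pypirc for upload credentials that PyPI web-login 2FA does not cover.

Added example (not from the thread, Warehouse or twine). Assumes twine's
.pypirc layout and PyPI's "__token__" / "pypi-..." API-token convention.
"""
import configparser
from typing import Dict, List

# Constructed sample .pypirc: one legacy password login, one token login.
SAMPLE_PYPIRC = """
[distutils]
index-servers =
    pypi
    testpypi

[pypi]
username = alice
password = hunter2

[testpypi]
repository = https://test.pypi.org/legacy/
username = __token__
password = pypi-AgEIcHlwaS5vcmcCJGNvbnN0cnVjdGVkLXNhbXBsZQ
"""

TOKEN_USERNAME = "__token__"   # PyPI's username for API-token uploads
TOKEN_PREFIX = "pypi-"         # prefix of PyPI-issued API tokens


def audit_pypirc(text: str) -> Dict[str, str]:
    """Return {repository_name: verdict} for every server listed in [distutils]."""
    # interpolation=None so a '%' inside a password is not treated as a template
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    servers: List[str] = []
    if cp.has_section("distutils"):
        servers = cp.get("distutils", "index-servers", fallback="").split()
    verdicts: Dict[str, str] = {}
    for name in servers:
        if not cp.has_section(name):
            verdicts[name] = "missing-section"
            continue
        user = cp.get(name, "username", fallback="").strip()
        pw = cp.get(name, "password", fallback="").strip()
        if user == TOKEN_USERNAME and pw.startswith(TOKEN_PREFIX):
            verdicts[name] = "api-token"          # scoped token, revocable per project
        elif user and pw:
            verdicts[name] = "password"           # account password on disk; uploads bypass web 2FA
        elif user:
            verdicts[name] = "password-prompt"    # twine will prompt, but still the account password
        else:
            verdicts[name] = "no-credentials"
    return verdicts


def risky_repositories(text: str) -> List[str]:
    """Names of repositories whose uploads are authorized by the account password."""
    return sorted(name for name, verdict in audit_pypirc(text).items()
                  if verdict in ("password", "password-prompt"))


if __name__ == "__main__":
    for name, verdict in audit_pypirc(SAMPLE_PYPIRC).items():
        print(f"{name}: {verdict}")
    print("uploads not covered by 2FA:", risky_repositories(SAMPLE_PYPIRC))
```

Run it against your real file with `audit_pypirc(open(os.path.expanduser("~/.pypirc")).read())`; any repository reported as `password` or `password-prompt` is one where enabling TOTP on the website changes nothing about who can push a release.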
