Differences between revisions 22 and 23
Revision 22 as of 2019-06-17 14:09:49
Size: 5383
Comment: date
Revision 23 as of 2019-06-17 14:28:35
Size: 5870
Comment: u2f
Deletions are marked like this. Additions are marked like this.
Line 3: Line 3:
Warehouse is the code behind the Python Package Repository ([[https://pypi.org/|PyPI]]). We are seeking maintainers of Projects on PyPI to test our new two-factor auth functionality and send us bug reports. Warehouse is the code behind the Python Package Repository ([[https://pypi.org/|PyPI]]). We are seeking maintainers of Projects on PyPI to test our new two-factor auth functionality and send us bug reports. !WebAuthn support is in beta; please help us shake the bugs out!
Line 20: Line 20:
And starting Monday, June 17th, we'll also support WebAuthn and thus "security keys". A security key (also known as a universal second factor, or U2F key) is hardware device that communicates via USB, NFC, or Bluetooth. Popular keys include Yubikey, Google Titan and Thetis. PyPI supports any [[https://fidoalliance.org/specifications/download/|FIDO U2F compatible key]] and follows the [[https://www.w3.org/TR/webauthn/}WebAuthn standard]]. Users who have set up this second factor will be prompted to use their key (usually by inserting it into a USB port and pressing a button) when logging in. And starting Monday, June 17th, we'll also support !WebAuthn and thus "security keys". A security key (also known as a universal second factor, or U2F key) is hardware device that communicates via USB, NFC, or Bluetooth. Popular keys include Yubikey, Google Titan and Thetis. PyPI supports any [[https://fidoalliance.org/specifications/download/|FIDO U2F compatible key]] and follows the [[https://www.w3.org/TR/webauthn/|!WebAuthn standard]]. Users who have set up this second factor will be prompted to use their key (usually by inserting it into a USB port and pressing a button) when logging in.

The !WebAuthn support is '''in beta''' so check the "caution" warning below.
Line 28: Line 30:

During this testing period, if things go awry, there's a chance we will need to wipe tokens from users' accounts, so if you choose to try it, please be forewarned. That's why you need a PyPI-verified email address on your user account before trying the feature, to make potential account recovery smoother.
!
During this beta testing period, if things go awry, there's a chance we will need to wipe !WebAuthn tokens from users' accounts, so if you choose to try it, please be forewarned. That's why you need a PyPI-verified email address on your user account before adding a second login auth factor, to make potential account recovery smoother.
Line 36: Line 38:
 * Add, disable, and remove 2FA token using U2F (WebAuthn)  * Add, disable, and remove 2FA token using U2F (!WebAuthn)
Line 52: Line 54:
 * block cookies and !JavaScript  * usually block cookies and !JavaScript (note that you can't set up a U2F key without !JavaScript)
Line 59: Line 61:

=== Setting up a U2F security key ===

See [[https://pypi.org/help/#2fa|our help docs]] for guidance on setting up your U2F security key. Please note that you cannot set up or use U2F for a second factor without turning on !JavaScript.

Help us test PyPI's 2-Factor Auth!

Warehouse is the code behind the Python Package Repository (PyPI). We are seeking maintainers of Projects on PyPI to test our new two-factor auth functionality and send us bug reports. WebAuthn support is in beta; please help us shake the bugs out!

Feedback on user experience, accessibility, and overall ease of use are welcome; we want to support your workflows for account management and package maintainership. Go to the test site at https://test.pypi.org/ and try it out!

Guidelines for Particpation

  • By participating, you agree to abide by the PyPA Code of Conduct.

  • We strongly recommend you verify your primary email address on your Test PyPI and PyPI accounts before setting up 2FA.
  • You should sign up for the PyPI Announcement Mailing List for updates.

Changes we're making

To increase the security of PyPI downloads, we're beginning to introduce two-factor authentication (2FA) as a login security option.

You can use 2FA right now on Test PyPI and on official PyPI. PyPI currently supports a single 2FA method: generating a code through a Time-based One-time Password (TOTP) application. After you set up 2FA on your PyPI account, then you must provide a TOTP (along with your username and password) to log in. Therefore, to use 2FA on PyPI, you'll need to provision an application (usually a mobile phone app) in order to generate authentication codes; see below for suggestions and pointers.

And starting Monday, June 17th, we'll also support WebAuthn and thus "security keys". A security key (also known as a universal second factor, or U2F key) is hardware device that communicates via USB, NFC, or Bluetooth. Popular keys include Yubikey, Google Titan and Thetis. PyPI supports any FIDO U2F compatible key and follows the !WebAuthn standard. Users who have set up this second factor will be prompted to use their key (usually by inserting it into a USB port and pressing a button) when logging in.

The WebAuthn support is in beta so check the "caution" warning below.

Two-factor authentication currently only applies to the login step, not package uploads.

Things to test

Most of these you can test on pypi.org. For testing destructive actions, like removing an owner, deleting a project, or deleting a release, please use test.pypi.org.

Caution (before you test)

! During this beta testing period, if things go awry, there's a chance we will need to wipe WebAuthn tokens from users' accounts, so if you choose to try it, please be forewarned. That's why you need a PyPI-verified email address on your user account before adding a second login auth factor, to make potential account recovery smoother.

Reminder! Sign up for the PyPI Announcement Mailing List to be kept in the loop as we continue this process!

Workflows

  • Verify primary email address
  • Add, disable, and remove 2FA token using TOTP
  • Add, disable, and remove 2FA token using U2F (WebAuthn)

  • Login/Logout
  • Set multiple tokens and login
  • User Registration and Confirmation
  • Password Reset

Testers we need

In particular, please help us test this if any of these apply to you:

  • use Windows
  • usually visit PyPI on a mobile device
  • are an organization where users share an auth token within a group
  • have 4+ maintainers or owners for one project
  • use an unusual TOTP app or U2F token
  • have a slow Internet connection
  • usually block cookies and JavaScript (note that you can't set up a U2F key without JavaScript)

  • maintain 20+ projects
  • created your PyPI account 6+ years ago

Setting up a TOTP application

See our help docs for guidance on choosing a TOTP app for desktop or mobile.

Setting up a U2F security key

See our help docs for guidance on setting up your U2F security key. Please note that you cannot set up or use U2F for a second factor without turning on JavaScript.

Security bugs

If you find any potential security vulnerabilities, please follow our published security policy. Please don't report security issues in Warehouse via GitHub, IRC, or mailing lists. Instead, please directly email one or more of our maintainers.

Our next steps

We expect to move on to working on scoped API keys to make package upload more secure, then further security, accessibility, and internationalization tasks per the Warehouse roadmap). Thanks to the Open Technology Fund for funding this work. More progress reports at the Packaging Working Group's wiki page.

Contact us

Security issues: email security @ python dot org

GitHub for all other bug reports & feature requests:https://github.com/pypa/warehouse/issues/new

IRC: #pypa-dev on Freenode (someone's usually there 10am-5pm Central Time on weekdays)

Email: distutils-sig mailing list

Thank you for testing Warehouse! You're helping us secure this ecosystem, and future users of PyPI will appreciate it. :)

WarehousePackageMaintainerTesting (last edited 2019-08-15 21:22:16 by SumanaHarihareswara)

Unable to view page? See the FrontPage for instructions.