
PyPI now offers two-factor auth - oefrha
https://pythoninsider.blogspot.com/2019/05/use-two-factor-auth-to-improve-your.html
======
avian
Am I missing something or is there currently no way to print out a list of
recovery codes? Will I lock myself out of my account if I lose my phone?

Edit: There's a ticket already opened for that

[https://github.com/pypa/warehouse/issues/5800](https://github.com/pypa/warehouse/issues/5800)

~~~
mfgs
You won't lock yourself out. I just did a quick test and if you reset your
password (via an email link) then you are automatically logged in. At this
point you can even disable 2FA. So 2FA is protecting against logging in with a
stolen password, but it's not protecting against logging in if you have access
to the account's email account.

Whether or not that's the intended behaviour is another question...

------
eesmith
The FAQ says "you were asked to provision an application (usually a mobile
phone app) in order to generate authentication codes".

As far as I could tell, the only way to provision an application was through a
mobile phone app.

I don't have a smart phone (haven't felt like I needed one).

The setup page says "Scan the QR code with your application of choice".

I don't have anything that can scan a QR code.

What are the non-mobile ways to use 2FA with PyPI?

The FAQ only links to apps for smart phones.

~~~
thrwway190531
>I don't have a smart phone (haven't felt like I needed one).

super off-topic but my phone and desktop both only have 4 gb of RAM. the phone
seems to say "all right boys and girls we got 4 GB here let's try and make it
work. Let's dust off these O() notations etc". meanwhile my mehsktop is like
"come on you're not really going to open another tab" and rolls its eyes at me,
makes me feel like I should come back when I have 4 Tb of RAM and a 64-core
monster. Right now I have 8 tabs open on my desktop and I feel like I need to
be closing some. seeing the ;) sign instead of the tab count on mobile is no
problem. (it does that over 100 tabs).

you might want to give mobile a try just because it's like not being treated
like a second-class citizen anymore. (since your browser's devs don't have 64
GB on theirs either.) if you get a data plan the messenger apps (facebook
messenger, whatsapp and viber) are very convenient as well.

I don't use any other apps daily except maps and evernote.

~~~
eesmith
You have felt the need for more desktop RAM but haven't done so.

I haven't felt the need for a smart phone, and haven't done so.

These are different, yes?

FWIW, I've felt the need to not have a smart phone. My feature phone is small;
I can drop it in just about any pocket. It's cheap; I've had four phones which
ended up in the laundry (see 'just about any pocket'), and destroyed phones
other ways, and $20/phone means I don't worry about it. And I love having a 1+
week charge time.

------
oefrha
Actually, the upload API doesn't seem to be protected -- I just uploaded a
package to test.pypi.org with twine using nothing but my old pypirc despite
having enabled 2FA. So I suppose this is of limited value, at least at the
moment.

Relevant warehouse issue:
[https://github.com/pypa/warehouse/issues/994](https://github.com/pypa/warehouse/issues/994).

~~~
woodruffw
Implementor here. Yep, this is correct: 2FA (TOTP currently, WebAuthn is in
the pipeline[1]) will protect sign-ons in the PyPI web interface, and we
(Trail of Bits) will be adding support for scoped API keys for uploads.

[1]:
[https://github.com/pypa/warehouse/pull/5795](https://github.com/pypa/warehouse/pull/5795)

