I doubt a YubiKey would help without some fancy setup. 2FA is required to sign into PyPI but that's it. When PyPI rolled it out I thought you'd have to use 2FA every time you publish. I thought they were taking security seriously. But no, you get your API token, save it to your computer, forget about it, and you can publish your packages forever. Now you can have GitHub automatically publish your packages. That's not any improvement to security. My Google security key is just collecting dust.
I'm now thinking about a system that can enforce that any line of code committed to the Git repo has been on the user's screen for at least X seconds. It could be a system completely isolated from the computer on which code is entered (e.g. via the HDMI cable).
Eh, mine too. I got it because I had an essential package or whatever when they started forcing 2FA on people, and I thought twine would require me to authenticate with the key to be authorised to publish.
But they didn't touch twine at all. They just made me create a token and save it in a .txt file. That's it.
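Both posters describe the same weak spot: a long-lived PyPI API token saved in `.pypirc` or a stray `.txt` file stands in for 2FA at publish time. The following audit script is an added example for this thread, not code from PyPI, twine or any poster. It assumes the standard `.pypirc` INI layout that twine reads (per-repository sections with `username`/`password`) and that PyPI API tokens carry the literal `pypi-` prefix; the sample `.pypirc` and the token value inside it are constructed for the demonstration.

```python
"""Audit a .pypirc (or any text file) for stored long-lived PyPI API tokens.

Findings are defensive: they tell the owner where a token sits in plaintext
and whether the file is readable by other accounts on the machine.
"""
import re
import stat
from configparser import ConfigParser
from pathlib import Path

# PyPI API tokens start with "pypi-" followed by a long base64-like body.
TOKEN_RE = re.compile(r"pypi-[A-Za-z0-9_\-]{20,}")

# Constructed sample .pypirc (the token is made up, not a real credential).
SAMPLE_PYPIRC = """\
[distutils]
index-servers =
    pypi
    testpypi

[pypi]
username = __token__
password = pypi-AgEIcHlwaS5vcmcCJEFBQUFBQUFBLUJCQkItQ0NDQy1EREREAAAA

[testpypi]
username = alice
password = hunter2
"""


def mask(token):
    """Show only the prefix and last four characters of a token in reports."""
    return token[:10] + "..." + token[-4:]


def find_token_sections(pypirc_text):
    """Return [(section, masked_token)] for .pypirc sections holding an API token."""
    cfg = ConfigParser()
    cfg.read_string(pypirc_text)
    found = []
    for section in cfg.sections():
        password = cfg.get(section, "password", fallback="").strip()
        if TOKEN_RE.fullmatch(password):
            found.append((section, mask(password)))
    return found


def find_tokens_in_text(text):
    """Return masked token-shaped strings found in arbitrary text (e.g. a notes file)."""
    return [mask(m) for m in TOKEN_RE.findall(text)]


def audit_file(path):
    """Audit one file on disk and return a list of human-readable findings."""
    p = Path(path)
    findings = []
    mode = p.stat().st_mode
    # A token file readable by group or others is exposed to every local account.
    if mode & (stat.S_IRGRP | stat.S_IROTH):
        findings.append(f"{p}: readable by group/others (mode {oct(mode & 0o777)})")
    text = p.read_text(errors="replace")
    if p.name == ".pypirc":
        for section, masked in find_token_sections(text):
            findings.append(f"{p}: section [{section}] stores long-lived API token {masked}")
    else:
        for masked in find_tokens_in_text(text):
            findings.append(f"{p}: contains token-shaped string {masked}")
    return findings


if __name__ == "__main__":
    home_pypirc = Path.home() / ".pypirc"
    if home_pypirc.exists():
        for line in audit_file(home_pypirc) or [f"{home_pypirc}: no stored API token found"]:
            print(line)
    else:
        # No real file present: run the checks over the constructed sample instead.
        for section, masked in find_token_sections(SAMPLE_PYPIRC):
            print(f"sample .pypirc: section [{section}] stores long-lived API token {masked}")
```

Run it as-is to check your own `~/.pypirc`, or point `audit_file` at any notes file you suspect holds a pasted token. A finding is a prompt to revoke the token in the PyPI account settings and, if a stored token is still needed, to replace it with one scoped to a single project rather than the whole account.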