
Not a feature request! Using 2FA without a phone? #17248

Closed
Mrodent opened this issue Dec 8, 2024 · 4 comments
Labels
awaiting-response PRs and issues that are awaiting author response

Comments

@Mrodent

Mrodent commented Dec 8, 2024

This isn't a "bug". But it's not a feature request either. I'm not clear about 2FA.

I'm trying to learn about best practice for Python library modules and am following this. This tells me I have to set up PyPI. So I've created an account.

I now understand that PyPI can't be used without enabling 2FA.

In my opinion it would be extremely silly for me to have to use my phone for this purpose, given that I'll always be sitting at a computer when I want to log in. And also bearing in mind that I don't anticipate having anything there which is so valuable that it needs that level (2FA) of security. So:

  • any way of just managing PyPI without 2FA? (this doesn't seem possible), or...

  • any computer-based application (W10) which I can use to enable 2FA? PyPI gives you a page listing 5 or 6 "TOTP authentication applications". But they all seem to be apps for phones only, not for computers.

@Mrodent Mrodent added feature request requires triaging maintainers need to do initial inspection of issue labels Dec 8, 2024
@cofiem
Contributor

cofiem commented Dec 9, 2024

Here's my understanding, noting that I'm not a maintainer.

Have a look at the PyPI blog for the reasoning behind requiring 2FA.

Two/multi-factor authentication usually aims to require something you know and something you have. This is why most 2FA approaches suggest phone apps.

Having said that, most password managers provide ways to set up 2FA next to the stored password.

A desktop app you could have a look at is KeePass, which supports one-time passwords. Please assess whether this app is right for you.

@woodruffw
Member

> any way of just managing PyPI without 2FA? (this doesn't seem possible), or...

Nope, this is not possible: all PyPI accounts must have 2FA as of 2024-01.

> Two/multi-factor authentication usually aims to require something you know and something you have. This is why most 2FA approaches suggest phone apps.

Correct, this is the underlying rationale: WebAuthn (and TOTP, in principle) both bind a secret to a device/application, and that device/application becomes a possession factor.

The suggestion to use a password manager that supports TOTP is a good one! Another possibility is to use a dedicated TOTP tool on your desktop, such as mintotp. Keep in mind these tools haven't been reviewed by PyPI itself.

@woodruffw woodruffw added awaiting-response PRs and issues that are awaiting author response and removed feature request requires triaging maintainers need to do initial inspection of issue labels Dec 9, 2024
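The comment above explains that TOTP binds a shared secret to whichever application holds it, and that a desktop tool can hold it just as well as a phone. The following is an added example, written for this page and not PyPI's code or mintotp: a minimal RFC 6238 TOTP generator that reads the same otpauth:// enrolment URI an authenticator QR code encodes, plus the check the verifying server performs with a small clock-drift window. The `DEMO_URI`, its `PyPI:example-user` label and the Base32 secret are constructed for illustration (the secret is the RFC 6238 test seed, not a real account secret).

```python
"""Desktop TOTP (RFC 6238) built on HOTP (RFC 4226), plus the verifier-side check.
Added example: this is neither PyPI's code nor mintotp. DEMO_URI is constructed for
illustration and carries the RFC 6238 test seed, not a real account secret."""
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed enrolment URI of the kind an authenticator QR code encodes.
DEMO_URI = ("otpauth://totp/PyPI:example-user"
            "?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=PyPI")


def hotp(key: bytes, counter: int, digits: int = 6, digestmod=hashlib.sha1) -> str:
    """RFC 4226: HMAC over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), digestmod).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def decode_secret(secret_b32: str) -> bytes:
    """Secrets shown at enrolment are Base32, usually unpadded, sometimes spaced."""
    s = secret_b32.replace(" ", "").upper()
    return base64.b32decode(s + "=" * (-len(s) % 8))


def totp(secret_b32: str, at: Optional[int] = None, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP with counter = floor(unix_time / step)."""
    t = int(time.time()) if at is None else at
    return hotp(decode_secret(secret_b32), t // step, digits)


def parse_otpauth(uri: str) -> dict:
    """Extract label, secret and the optional issuer/digits/period parameters."""
    u = urlsplit(uri)
    if u.scheme != "otpauth" or u.netloc != "totp":
        raise ValueError("not an otpauth://totp URI")
    q = {k: v[0] for k, v in parse_qs(u.query).items()}
    return {
        "label": unquote(u.path.lstrip("/")),
        "secret": q["secret"],
        "issuer": q.get("issuer"),
        "digits": int(q.get("digits", 6)),
        "period": int(q.get("period", 30)),
    }


def verify(secret_b32: str, code: str, at: int, window: int = 1,
           step: int = 30, digits: int = 6) -> bool:
    """Verifier side: accept the current step and +/-window steps of clock drift,
    comparing in constant time. A real verifier must additionally refuse to accept
    the same code twice within its window, otherwise a sniffed code can be replayed."""
    key = decode_secret(secret_b32)
    counter = at // step
    return any(hmac.compare_digest(hotp(key, c, digits), code)
               for c in range(counter - window, counter + window + 1))


if __name__ == "__main__":
    # Desktop "authenticator": print the current code and its remaining lifetime.
    entry = parse_otpauth(DEMO_URI)
    code = totp(entry["secret"], step=entry["period"], digits=entry["digits"])
    left = entry["period"] - int(time.time()) % entry["period"]
    print(f"{entry['issuer']} {entry['label']}: {code} (valid for {left}s)")
```

The only thing that makes this a second factor is where the Base32 secret lives: keep it in an encrypted store (a password-manager entry or a KeePass database, as the replies suggest) rather than in a plain file next to the script, and note that if it sits on the same machine and in the same store as the password, a compromise of that machine yields both factors at once.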
@webknjaz
Member

One of the things I use is Bitwarden. It has both TOTP (in the paid version) and WebAuthn (available for free). I also have physical FIDO2 keys.
Additionally, many modern computing devices implement passkeys, but the name of the advertised technology is different. It can be Windows Hello or Touch ID. I think both likely rely on TPM 2 hardware that is pretty much built into all modern laptops and probably desktops too. Phones also implement this.

@woodruffw
Member

Thanks @cofiem and @webknjaz for the suggestions! I'm going to close this, since I believe this isn't actionable from PyPI's side: 2FA is mandatory (whether TOTP or WebAuthn), and users who can't perform TOTP from a phone should consider using either a desktop client or a CLI that can handle TOTP (or use a password manager that supports Passkeys).

4 participants