PyPI 2FA Security Key Giveaway

Pictured: two Titan security keys, one USB-A and the other USB-C. (Source: Google)

In order to improve the general security of the Python ecosystem, PyPI has begun implementing a two-factor authentication (2FA) requirement for critical projects. This requirement will go into effect in the coming months, and more details are included below.

Additionally, to ensure that maintainers of critical projects have the ability to implement strong 2FA with security keys, the Google Open Source Security Team, a sponsor of the Python Software Foundation, has provided a limited number of security keys to distribute to critical project maintainers.

Eligible maintainers will be able to redeem a promo code for two free Titan Security Keys (either USB-C or USB-A), including free shipping.

FAQ

Answers to frequently asked questions regarding this effort:

What determines if a project is a critical project?

PyPI determines eligibility based on download counts derived from PyPI's public dataset of download statistics. Any project in the top 1% of downloads over the prior 6 months is designated as critical.
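Added example (not PyPI's own code) of how the two rules in this answer and in the answers below fit together: the top 1% by downloads over the prior 6 months is selected each day, and, because a designation is never removed, the daily recalculation can only add projects. The download totals, project names and user roles are constructed sample data; the ceiling rounding of "top 1%" and the name-based tie-break are assumptions.

```python
"""Added example, not PyPI's code: 'critical project' designation.

Assumptions (labelled): downloads over the prior 6 months are given as
project -> count; 'top 1%' means ceil(1% of all projects), ranked by
count with ties broken by name; a designation is never removed.
"""


def critical_count(total_projects: int, percent: int = 1) -> int:
    """How many projects fall in the top `percent` (integer ceiling)."""
    if total_projects <= 0:
        return 0
    return max(1, -(-total_projects * percent // 100))


def top_projects(downloads: dict, percent: int = 1) -> set:
    """Projects in the top `percent` by downloads for one recalculation."""
    n = critical_count(len(downloads), percent)
    ranked = sorted(downloads.items(), key=lambda kv: (-kv[1], kv[0]))
    return {name for name, _ in ranked[:n]}


def recalculate(previous_critical: set, downloads: dict, percent: int = 1) -> set:
    """Daily recalculation: union with the old set, so projects never lose
    the designation (the FAQ says it is retained indefinitely)."""
    return set(previous_critical) | top_projects(downloads, percent)


def users_requiring_2fa(roles: dict, critical: set) -> set:
    """Owners and Maintainers of any critical project fall under the
    2FA requirement; roles maps user -> {project: role}."""
    return {user for user, projects in roles.items()
            if any(p in critical for p in projects)}


# Constructed sample: 200 projects, so the top 1% is 2 projects.
DAY1 = {f"pkg{i}": i * 1000 for i in range(1, 201)}
# Next day pkg199 has no downloads, but it keeps its designation.
DAY2 = dict(DAY1, pkg199=0)
ROLES = {"alice": {"pkg200": "Owner"},
         "bob": {"pkg5": "Maintainer"},
         "carol": {"pkg199": "Maintainer"}}

if __name__ == "__main__":
    critical = recalculate(set(), DAY1)
    critical = recalculate(critical, DAY2)
    print(sorted(critical), sorted(users_requiring_2fa(ROLES, critical)))
```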

How many projects are designated as critical projects?

At the time of writing, there are more than 350K projects on PyPI, resulting in a 'critical' designation of more than 3,500 projects. This determination is recalculated on a daily basis.

Can a project opt-out or become non-critical in any way?

No, once the project has been designated as critical it retains that designation indefinitely.

What users are included in the 2FA requirement?

Any maintainer of a critical project (both 'Maintainers' and 'Owners') is included in the 2FA requirement.

What users are eligible to receive security keys?

PyPI users who are eligible to receive security keys must be maintainers of critical projects who have not previously enabled 2FA on PyPI and are able to ship their keys to an eligible region.

What regions are eligible to receive security keys?

Titan keys are only approved for sale in certain geographic regions, and thus can only be shipped to the following countries: Austria, Belgium, Canada, France, Germany, Italy, Japan, Spain, Switzerland, United Kingdom, and the United States.

We only use your response to this question to determine eligibility and do not store it or associate it with your PyPI account.

What should maintainers in non-eligible regions do?

Unfortunately we are only able to distribute security keys to maintainers in eligible regions. If you are a maintainer of a critical project and need to enable 2FA, but are not in an eligible region, there are two options:

Independently purchase a FIDO U2F security key from a security key vendor that is available in your region, such as Yubikey or Thetis. See How does two factor authentication with a security device (e.g. USB key) work? How do I set it up on PyPI?

Alternatively, enable 2FA via a TOTP application instead. See How does two factor authentication with an authentication application (TOTP) work? How do I set it up on PyPI?

How many keys are available?

A total of 4,000 keys are available to maintainers.

Do the promo codes expire?

The promo codes expire on October 1, 2022.

Why security keys instead of TOTP-based authentication applications?

Using security keys via WebAuthn is generally considered to be more secure than using TOTP-based authentication applications for 2FA. For a more thorough analysis of the differences between TOTP and WebAuthn, see this article from the team who implemented 2FA on PyPI in 2019.

Why two keys instead of one?

Without multiple 2FA options, losing a 2FA method results in the need to fully recover the account, which is burdensome and time-consuming both for maintainers and PyPI administrators. Enabling multiple 2FA methods reduces the potential disruption if one is lost.

What should I do if I'm getting the error 'Promo code doesn't apply'?

Increase the quantity in the cart from 1 key to 2 keys. See Why two keys instead of one? for more details.

The key I want is not in stock, what should I do?

If the USB format that you want is not in stock in your region, you might consider using a USB-C to USB-A or USB-A to USB-C adapter with your security key.

If no keys are in stock in your region, you might consider waiting to redeem your promo code until stock has been replenished (note that codes expire on October 1, 2022).

I've got security keys already, what should I do?

See How does two factor authentication with a security device (e.g. USB key) work? How do I set it up on PyPI?

What should I do if I have a question that isn't answered here?

See PyPI's help page or contact admin@pypi.org.
