The PyPI Blog

2FA Required for PyPI

Two-factor Authentication is required for all users

It's January 1st, 2024, and PyPI now requires Two-factor authentication (2FA) for all users.

This post is a recognition of the hard work that went into making this a reality, and a thank you to all the users who have enabled 2FA on their accounts.

It is also a reminder to those who have not yet enabled 2FA that you will need to do so before you can perform any management actions or upload files to PyPI.

Once 2FA is enabled, you may perform management actions, including generating API Tokens or setting up Trusted Publishers (preferred) to upload files.

Incident Report: User Account Takeover

What happened?

A PyPI user's account was taken over and used to remove the user's ownership of 4 projects. This was not a malfunction of PyPI, nor did it exploit any vulnerability in PyPI; rather, the user's account was not sufficiently protected against account takeover.

The attacker added themselves as a collaborator to these projects, and removed the original owner. None of the projects had any modifications made to them other than ownership changes.

2FA Enforcement for New User Registrations

What's changing?

Starting today, newly registered users must enable 2FA before they can perform any management actions on PyPI. This change comes after we've also added a rule for accounts to have a verified, primary email address for the same set of management actions.

As a reminder, PyPI has supported adding 2FA since 2019.