PyPI Increases Security
Written by Kay Ewbank   
Thursday, 27 June 2019

The team developing PyPI, the Python Package Index, is adding WebAuthn support as a new beta feature. The support for U2F compatible hardware security keys will enable PyPI to offer a two-factor authentication login security method, work on which has been funded by a grant from the Open Technology Fund.


The new facility has been undergoing testing by users logging in to the canonical Python Package Index at and the test site at . The technique involves generating a code with a Time-based One-Time Password (TOTP) application to make accounts more secure.

The facility is now being extended so that PyPI also supports WebAuthn security keys that are U2F compatible as a second login factor. This is a beta release, and requires a U2F compatible security key such as those from Yubikey, Google Titan and Thetis. The key communicates via USB, NFC, or Bluetooth. PyPI supports any FIDO U2F compatible key and follows the WebAuthn standard. Users who have set up this second factor will be prompted to use their key (usually by inserting it into a USB port and pressing a button) when logging in.

Project maintainers and owners are being urged to log in and add a second factor. Those users who don't want to use a beta feature are recommended to use a TOTP application for the second factor.

2FA is only being used for logins via the website, and the intention is that the use will safeguard against malicious changes to project ownership, deletion of old releases, and account takeovers. Package uploads will continue to work without users providing 2FA codes.

Moving forward, the developers of PyPI are working on implementing per-user API keys as an alternative form of multifactor authentication. These will be used in a number of areas, including setuptools, twine, and the PyPI auth flows. They will be application-specific tokens scoped to individual users or projects, which will let users make uploads more secure with token-based logins. There are also plans to put in place an advanced audit trail of sensitive user actions.

With the core Python developers looking to slim down the standard library, PyPI is going to become more heavily used as previously core modules move to it. Its security becomes all the more important as its importance grows.


More Information

PyPI Website

Related Articles

PyPI Granted $170,000

Python - Dead Batteries Included? 


Last Updated ( Thursday, 27 June 2019 )