undefined | Better HN

0 pointsWowfunhappy3y ago0 comments

Is PyPI requiring maintainers to use a hardware key? If not, I don’t understand how this policy is helpful.

Anyone who hadn’t already turned on 2FA is going to use the most frictionless so-called second factor they can.

0 comments

They've been offering people hardware keys for free.

That's a great initiative, but I expect the maintainers who are interested to be the ones who've already turned on (some lesser form of) 2FA voluntarily.

Anyone who is turning on 2FA because of this requirement is going to select the most frictionless method of complying with the mandate. Which will not be a hardware key.

staticassertion3y ago

OK? So more people use TOTP and there's a marginal security win. And maybe a few use a token, and there's a significant win.

1 more reply

j / k navigate · click thread line to collapse

0 pointsWowfunhappy3y ago0 comments

Is PyPI requiring maintainers to use a hardware key? If not, I don’t understand how this policy is helpful.

Anyone who hadn’t already turned on 2FA is going to use the most frictionless so-called second factor they can.

0 comments

staticassertion3y ago

They've been offering people hardware keys for free.

https://pypi.org/security-key-giveaway/

WowfunhappyOP3y ago

That's a great initiative, but I expect the maintainers who are interested to be the ones who've already turned on (some lesser form of) 2FA voluntarily.

Anyone who is turning on 2FA because of this requirement is going to select the most frictionless method of complying with the mandate. Which will not be a hardware key.

staticassertion3y ago

OK? So more people use TOTP and there's a marginal security win. And maybe a few use a token, and there's a significant win.

1 more reply

j / k navigate · click thread line to collapse