Enforcement of 2FA for upload.pypi.org begins today

Beginning today, all uploads from user accounts with 2FA enabled will be required to use an API Token or Trusted Publisher configuration in place of their password.

This change has been planned since 2FA was rolled out in 2019. In February of 2022 we began notifying users on upload that this change was coming.

If you have 2FA enabled and have been using only your password to upload, the following email is likely familiar to you:

Sample notice email — A sample notice email sent when users with 2FA enabled upload using only their password.

Initially, we intended for this notice to live for six months before we began enforcement.

However, some valid concerns were raised regarding the use of user-scoped API tokens for new project creation.

With the introduction of Trusted Publishers PyPI now provides a way for users to publish new projects without provisioning a user-scoped token, and to continue publishing without ever provisioning a long lived API token whatsoever.

Given this, and our commitment to further rolling out 2FA across PyPI, we are now enforcing this policy.

Ee Durbin is the Director of Infrastructure at the Python Software Foundation. They have been contributing to keeping PyPI online, available, and secure since 2013.