
Require 2FA enrollment for all new users #13762

Closed
Tracked by #14010
ewdurbin opened this issue May 26, 2023 · 4 comments · Fixed by #14294

Comments

@ewdurbin (Member) commented May 26, 2023

What's the problem this feature will solve?

Since we will require it for all uploads beginning in 2024, we should add 2FA enrollment for all new users as soon as possible.

Describe the solution you'd like

Add 2FA enrollment to routine new user registration flow.

@ewdurbin added the "feature request" label, and added and then removed the "requires triaging" label (maintainers need to do initial inspection of issue) May 26, 2023
@dstufft dstufft added the 2FA label May 26, 2023
@miketheman miketheman self-assigned this Jun 23, 2023
@di di mentioned this issue Jun 23, 2023
@miketheman (Member) commented:

User Registration experience today:

  1. Visit registration page
  2. Complete registration signup form
  3. User is now logged in, and an email has been sent for verification

At this point, there's nothing preventing the user from never verifying their email address, other than wanting to publish a package - Create API Token requires a verified email.

  4. User verifies email, they can create an API token, and also start 2FA enrollment

The question is

At what step of the flow should we require the user to enroll in 2FA?

  • Should we perform a similar check as email verification for whether 2FA is enrolled prior to creating an API token?
  • Should we require a verified email address/2FA before allowing logged-in actions?

Basically, something about the user registration flow has to change, and today we allow unverified registrations to continue to use the logged-in aspects of PyPI - manage collaborators, yank/delete releases, set up trusted publishing, etc.

@miketheman added the "needs discussion" label (a product management/policy issue maintainers and users should discuss) Jun 30, 2023
@di (Member) commented Jun 30, 2023

Should we require a verified email address/2FA before allowing logged-in actions?

I think this makes sense.

@miketheman (Member) commented:

#14126 implemented the requirement for having a verified primary email for management actions other than account management.

miketheman added a commit to miketheman/warehouse that referenced this issue Aug 7, 2023
Hooks into security policy to require all non-account management actions
to have a form of 2FA set up.

Adds a time-based restriction for new users, which we can remove when we
want to enforce for everyone.

Resolves pypi#13762

Signed-off-by: Mike Fiedler <miketheman@gmail.com>
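The enforcement point discussed in miketheman's comment (gate management actions, not account management) together with the time-based restriction described in the commit message, as an added example that is not Warehouse's own code. The cutoff date, the action names and the Account fields are assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

# Assumed cutoff for the time-based restriction: accounts created at or after
# this instant must enroll in 2FA before any non-account-management action.
# Placeholder value, not taken from the Warehouse code base.
TWO_FACTOR_CUTOFF = datetime(2023, 8, 8, tzinfo=timezone.utc)

# Actions a logged-in user may always take, so the account can still be
# brought into compliance (verify email, enroll 2FA) instead of being locked out.
# Action names are assumptions for this example.
ACCOUNT_MANAGEMENT_ACTIONS = frozenset({
    "manage:account", "manage:email", "manage:2fa", "logout",
})


@dataclass(frozen=True)
class Account:
    username: str
    created: datetime            # timezone-aware creation time
    has_verified_primary_email: bool
    has_two_factor: bool


def is_allowed(account: Account, action: str) -> tuple[bool, str]:
    """Return (allowed, reason) for a logged-in account attempting `action`.

    Account-management actions are always permitted. Every other management
    action (collaborators, yank/delete release, trusted publishing, upload)
    needs a verified primary email, and, for accounts created after the
    cutoff, an enrolled 2FA method.
    """
    if action in ACCOUNT_MANAGEMENT_ACTIONS:
        return True, "account management is always permitted"
    if not account.has_verified_primary_email:
        return False, "verify your primary email address first"
    if account.created >= TWO_FACTOR_CUTOFF and not account.has_two_factor:
        return False, "enroll a two-factor method to perform this action"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample accounts: one pre-cutoff, one post-cutoff.
    old = Account("old", datetime(2020, 1, 1, tzinfo=timezone.utc), True, False)
    new = Account("new", datetime(2023, 9, 1, tzinfo=timezone.utc), True, False)
    for acct in (old, new):
        for action in ("manage:2fa", "manage:collaborators", "upload"):
            print(acct.username, action, is_allowed(acct, action))
```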
@ewdurbin (Member, Author) commented Aug 7, 2023

Thank you @miketheman !

@miketheman removed the "needs discussion" label (a product management/policy issue maintainers and users should discuss) Aug 7, 2023
miketheman added a commit to miketheman/warehouse that referenced this issue Sep 7, 2023
Expand the policy to include file upload actions.

Follows pypi#14294
Refs pypi#13762

Signed-off-by: Mike Fiedler <miketheman@gmail.com>