[meta] 2FA enforcement rollout

[di]

This is a meta-issue for the rollout for https://blog.pypi.org/posts/2023-06-01-2fa-enforcement-for-upload/, in rough order of priority:

• [x] https://github.com/pypi/warehouse/issues/13771
• [x] https://github.com/pypi/warehouse/issues/13766
• [x] https://github.com/pypi/warehouse/issues/13762
• [x] https://github.com/pypi/warehouse/issues/13773
• [x] https://github.com/pypi/warehouse/issues/13761
• [x] https://github.com/pypi/warehouse/issues/13768
• [x] https://github.com/pypi/warehouse/issues/13767
• [x] Add admin flag to activate 2FA requirement - https://github.com/pypi/warehouse/pull/15017
• [x] Publish 2-weeks-away blog post: https://github.com/pypi/warehouse/pull/15065 Add Banner pointing to post.
• [x] Update https://pypi.org/help/#twofa language: https://github.com/pypi/warehouse/pull/15066
• [x] Enable 2FA Everywhere via Admin Flag
• [x] Publish activated blog post https://github.com/pypi/warehouse/pull/15127
• [x] pypi-announce@python.org
• [x] discuss.python.org

---

Previously identified items. Evaluate whether implementation is still necessary.

• [x] https://github.com/pypi/warehouse/issues/13775
• [x] https://github.com/pypi/warehouse/issues/13776
• [x] https://github.com/pypi/warehouse/issues/13774
• [x] https://github.com/pypi/warehouse/issues/13769
• [x] https://github.com/pypi/warehouse/issues/13765
• [x] https://github.com/pypi/warehouse/issues/13770
• [x] https://github.com/pypi/warehouse/issues/13763

---

Other things

• [x] remove/change Critical Projects behavior vis a vis 2FA, since everyone will be required https://github.com/pypi/warehouse/pull/15131

[tarekziade]

Would it be possible to implement a password reset process for users that are locked out of their 2FA with recovery codes lost? Right now the manual recovery process takes several months which can be problematic if you need to update a package that has a security issue.

GH uses SSH keys, or previously used devices techniques, see https://docs.github.com/en/authentication/securing-your-account-with-two-factor-authentication-2fa/recovering-your-account-if-you-lose-your-2fa-credentials#requesting-help-with-two-factor-authentication

Happy to help implementing something, or contributing in any way Thanks

[ewdurbin]

@di do you consider this closed now?

[di]

Yes!