pypi / warehouse

The Python Package Index
https://pypi.org
Apache License 2.0

Adding SMS Authentication for 2FA on PyPi #15613

Closed anorprogrammer closed 6 months ago

anorprogrammer commented 6 months ago

Summary:

PyPI's recent introduction of 2FA is commendable, but it lacks SMS authentication, a widely used and accessible method. Adding SMS verification would enhance security and accessibility.

Proposed Solution: Integrate SMS authentication into PyPI's 2FA framework to provide users with an additional, convenient verification option.

Benefits:

  1. Enhanced security
  2. Accessibility for users without other verification methods
  3. User convenience

Implementation Considerations:

Conclusion: Implementing SMS authentication aligns with PyPI's commitment to security and user-friendliness.

woodruffw commented 6 months ago

Thanks for the feature request @anorprogrammer!

PyPI's lack of SMS MFA is intentional: SMS MFA (and anything else that routes directly over phone networks, like voice MFA) is fundamentally insecure, and has been well within the reach of low-sophistication attackers for well over a decade. On top of being insecure, SMS MFA is operationally burdensome: SMS delivery is not globally consistent or reliable, and would represent a cost center for PyPI both in terms of message pricing and ongoing maintenance.

PyPI's decision to support just TOTP and WebAuthn as MFA methods is a deliberate tradeoff: TOTP is less secure than WebAuthn, but is ubiquitous and does not require any dedicated hardware. If you have a device capable of filing a GitHub issue, then you are able to use TOTP (and most likely even WebAuthn, thanks to Passkeys).

TL;DR: PyPI does not and will never support insecure MFA methods like SMS. Doing so would substantially weaken the overall security of PyPI's MFA scheme, with no user benefits (given TOTP's ubiquity).

I'm linking some resources below that will hopefully further explain our decision here. I'm also happy to share tools or technical resources for configuring TOTP if you need them!

woodruffw commented 6 months ago

I forgot to mention another component here: SMS MFA would require PyPI to maintain associations of user accounts to phone numbers, which would increase the overall volume of potentially privacy-sensitive data held by PyPI. PyPI's goal is to hold an absolute minimum amount of PII at any time, which would be impossible with SMS MFA.