Python lifters: Enable two-factor authentication for PyPi

In case you missed it, the Python Software Foundation announced earlier today that PyPi now supports two-factor authentication! Congratulations to the community for releasing this – we know it was a huge undertaking.

We strongly encourage that all lifters use two-factor authentication with package registries that support it. Although we do not have an official lifter task for this (yet!), we recommend that you turn it on now and share the news with the rest of your contributors. And let us know when you do! Tidelift subscribers will definitely appreciate knowing that lifters of their packages are taking an extra step to securing access to their package.

For our Javascript and Ruby lifters, npm and rubygems both also support 2FA. Thanks to everyone that’s enabled this for their account already!


Could we also please include source control platforms, such as GitHub and GitLab, as part of a future 2FA Lifter task? I’d love to see 2FA across the entire supply chain, from source to package registry.

Yeah, absolutely. Same problem (for now) that we can’t verify it, though. (If anyone has creative ideas on that front, by all means let us know…)

1 Like

@luis if you only want to verify that the user has enabled 2FA on their account, you may register Tidelift as an OAuth application on, and then query the authenticated user to fetch the two_factor_authentication property from the response object.

GitLab has similar OAuth capabilities for fetching the user’s 2FA status.

In both cases, though, that only indicates whether the current user has 2FA setup. It does not indicate whether all users with access to the source code have 2FA setup.

For that, a GitHub App may be more appropriate. With a GitHub App you can query for organization information and fetch the two_factor_requirement_enabled property from the response object. This latter approach will indicate whether access to the source repository is restricted to only users with 2FA enabled.

GitLab does not currently expose group-level 2FA configuration in their API. There’s an issue pending to expose that information -

Whoa, great to know - in a quick scan we hadn’t seen that capability. I suspect we’d probably start with lifters-only, but the ability to do that at the project level is really interesting too.

(And if anyone has pointers to similar APIs in the package managers, we’re all ears.)