1password Github 2fa



Bitwarden, the open source password manager, makes it easy to generate and store unique passwords for any browser or device. Create your free account on the platform with end-to-end encryption and flexible integration options for you or your business. 1Password’s biggest drawback is the lack of a free version, as the service costs $3 a month when billed annually, though you can try both the regular and family versions free for 30 days.

  1. 1password Add 2fa
  2. Github 2fa Microsoft Authenticator

Basics

My Account

Integrating

Administration of projects on PyPI

Troubleshooting

About

Basics

What's a package, project, or release?

We use a number of terms to describe software available on PyPI, like 'project', 'release', 'file', and 'package'. Sometimes those terms are confusing because they're used to describe different things in other contexts. Here's how we use them on PyPI:

A 'project' on PyPI is the name of a collection of releases and files, and information about them. Projects on PyPI are made and shared by other members of the Python community so that you can use them.

A 'release' on PyPI is a specific version of a project. For example, the requests project has many releases, like 'requests 2.10' and 'requests 1.2.1'. A release consists of one or more 'files'.

A 'file', also known as a 'package', on PyPI is something that you can download and install. Because of different hardware, operating systems, and file formats, a release may have several files (packages), like an archive containing source code or a binary wheel.

How do I install a file (package) from PyPI?

To learn how to install a file from PyPI, visit the installation tutorial on the Python Packaging User Guide.

How do I package and publish my code for PyPI?

For full instructions on configuring, packaging and distributing your Python project, refer to the packaging tutorial on the Python Packaging User Guide.

What's a trove classifier?

Classifiers are used to categorize projects on PyPI. See the classifiers page for more information, as well as a list of valid classifiers.

What's a 'yanked' release?

A yanked release is a release that is always ignored by an installer, unless it is the only release that matches a version specifier (using either or ). See PEP 592 for more information.

My account

Why do I need a verified email address?

Currently, PyPI requires a verified email address to perform the following operations:

  • Register a new project.
  • Upload a new version or file.

The list of activities that require a verified email address is likely to grow over time.

This policy will allow us to enforce a key policy of PEP 541 regarding maintainer reachability. It also reduces the viability of spam attacks to create many accounts in an automated fashion.

You can manage your account's email addresses in your account settings. This also allows for sending a new confirmation email for users who signed up in the past, before we began enforcing this policy.

Why is PyPI telling me my password is compromised?

PyPI itself has not suffered a breach. This is a protective measure to reduce the risk of credential stuffing attacks against PyPI and its users.

Each time a user supplies a password — while registering, authenticating, or updating their password — PyPI securely checks whether that password has appeared in public data breaches.

During each of these processes, PyPI generates a SHA-1 hash of the supplied password and uses the first five (5) characters of the hash to check the Have I Been Pwned API and determine if the password has been previously compromised. The plaintext password is never stored by PyPI or submitted to the Have I Been Pwned API.

PyPI will not allow such passwords to be used when setting a password at registration or updating your password.

If you receive an error message saying that 'This password appears in a breach or has been compromised and cannot be used', you should change it all other places that you use it as soon as possible.

If you have received this error while attempting to log in or upload to PyPI, then your password has been reset and you cannot log in to PyPI until you reset your password.

What should I do if I notice suspicious activity on my account?

All PyPI user events are stored under security history in account settings. If there are any events that seem suspicious, take the following steps:

  • Contact the PyPI admins about the event at admin@pypi.org

Why is PyPI telling me my API token is compromised?

1password

A PyPI API token linked to your account was posted on a public website. It was automatically revoked, but before regenerating a new one, please check the email you received and attempt to determine the cause. The suspicious activity section applies too.

What is two factor authentication and how does it work on PyPI?

Two factor authentication (2FA) makes your account more secure by requiring two things in order to log in: something you know and something you own.

In PyPI's case, 'something you know' is your username and password, while 'something you own' can be an application to generate a temporary code, or a security device (most commonly a USB key).

It is strongly recommended that you set up two factor authentication on your PyPI account.

Users who have chosen to set up two factor authentication will be asked to provide their second method of identity verification during the log in process. This only affects logging in via a web browser, and not (yet) package uploads.

You can follow the improvements to 2FA on discuss.python.org.

How does two factor authentication with an authentication application (TOTP) work? How do I set it up on PyPI?

PyPI users can set up two-factor authentication using any authentication application that supports the TOTP standard.

TOTP authentication applications generate a regularly changing authentication code to use when logging into your account.

Because TOTP is an open standard, there are many applications that are compatible with your PyPI account. Popular applications include:

  • Google Authenticator for Android or iOS (proprietary)
  • Microsoft Authenticator (proprietary)
  • Duo Mobile for Android or iOS (proprietary)
  • Authy (proprietary)
  • FreeOTP+ (open source)
  • FreeOTP (open source)

Some password managers (e.g. 1Password) can also generate authentication codes. For security reasons, PyPI only allows you to set up one application per account.

To set up 2FA with an authentication application:

  1. Open an authentication (TOTP) application
  2. Log in to your PyPI account, go to your account settings, and choose 'Add 2FA with authentication application'
  3. PyPI will generate a secret key, specific to your account. This is displayed as a QR code, and as a text code.
  4. Scan the QR code with your authentication application, or type it in manually. The method of input will depend on the application you have chosen.
  5. Your application will generate an authentication code - use this to verify your set up on PyPI

The PyPI server and your application now share your PyPI secret key, allowing your application to generate valid authentication codes for your PyPI account.

Next time you log in to PyPI you'll need to:

  1. Provide your username and password, as normal
  2. Open your authentication application to generate an authentication code
  3. Use this code to finish logging into PyPI

Note: If you lose your authentication application and can no longer log in, you may permanently lose access to your account. You should generate and securely store recovery codes to regain access in that event..

We recommend that all PyPI users set up at least two supported two factor authentication methods and provision recovery codes.

If you've lost access to all two factor methods for your account and do not have recovery codes, you can request help with account recovery.

How does two factor authentication with a security device (e.g. USB key) work? How do I set it up on PyPI?

A security device is a USB key or other device that generates a one-time password and sends that password to the browser. This password is then used by PyPI to authenticate you as a user.

To set up two factor authentication with a USB key, you'll need:

  • To use a browser that supports WebAuthn and PublicKeyCredential, as this is the standard implemented by PyPI.
  • To be running JavaScript on your browser
  • To use a USB key that adheres to the FIDO U2F specification:
    • Popular keys include Yubikey, Google Titan and Thetis.
    • Note that some older Yubico USB keys do not follow the FIDO specification, and will therefore not work with PyPI

Follow these steps:

  1. Log in to your PyPI account, go to your account settings, and choose 'Add 2FA with security device (e.g. USB key)'
  2. Give your key a name. This is necessary because it's possible to add more than one security device to your account.
  3. Click on the 'Set up security device' button
  4. Insert and touch your USB key, as instructed by your browser

Once complete, your USB key will be registered to your PyPI account and can be used during the log in process.

Next time you log in to PyPI you'll need to:

  1. Provide your username and password, as normal
  2. Insert and touch your USB key to finish logging into PyPI

Note: If you lose your security device and can no longer log in, you may permanently lose access to your account. You should generate and securely store recovery codes to regain access in that event..

We recommend that all PyPI users set up at least two supported two factor authentication methods and provision recovery codes.

If you've lost access to all two factor methods for your account and do not have recovery codes, you can request help with account recovery.

What devices (other than a USB key) can I use as a security device?

There is a growing ecosystem of devices that are FIDO compliant, and can therefore be used with PyPI.

Emerging solutions include biometric (facial and fingerprint) scanners and FIDO compatible credit cards. There is also growing support for mobile phones to act as security devices.

As PyPI's two factor implementation follows the WebAuthn standard, PyPI users will be able to take advantage of any future developments in this field.

How does two factor authentication with a recovery code work? How do I set it up on PyPI?

If you lose access to your authentication application or security device, you can use these codes to sign into PyPI.

Recovery codes are one time use. They are not a substitute for a authentication application or security device and should only be used for recovery. After using a recovery code to sign in, it becomes inactive.

To provision recovery codes:

  1. Log in to your PyPI account, go to your account settings, and choose 'Generate recovery codes'
  2. Securely store the displayed recovery codes! Consider printing them out and storing them in a safe location or saving them in a password manager.

If you lose access to your stored recovery codes or use all of them, you can get new ones by selecting 'Regenerate recovery codes' in your account settings.

To sign in with a recovery code:

  1. Provide your username and password, as normal
  2. When prompted for two factor authentication, select 'Login using recovery codes'
  3. As each code can be used only once, you might want to mark the code as used
  4. If you have few recovery codes remaining, you may also want to generate a new set using the 'Regenerate recovery codes' button in your account settings.

How can I use API tokens to authenticate with PyPI?

API tokens provide an alternative way (instead of username and password) to authenticate when uploading packages to PyPI.

You can create a token for an entire PyPI account, in which case, the token will work for all projects associated with that account. Alternatively, you can limit a token's scope to a specific project.

We strongly recommend you authenticate with an API token where possible.

To make an API token:

  • Verify your email address (check your account settings)
  • In your account settings, go to the API tokens section and select 'Add API token'

To use an API token:

  • Set your username to __token__
  • Set your password to the token value, including the pypi- prefix

Where you edit or add these values will depend on your individual use case. For example, some users may need to edit their .pypirc file, while others may need to update their CI configuration file (e.g. .travis.yml if you are using Travis).

Advanced users may wish to inspect their token by decoding it with base64, and checking the output against the unique identifier displayed on PyPI.

1password Add 2fa

Why do certain actions require me to confirm my password?

PyPI asks you to confirm your password before you want to perform a sensitive action. Sensitive actions include things like adding or removing maintainers, deleting distributions, generating API tokens, and setting up two-factor authentication.

You'll only have to re-confirm your password if it's been more than an hour since you last confirmed it.

We strongly recommend you only perform such actions on your personal, password-protected computer.

Integrating

Does PyPI have APIs I can use?

Yes, including RSS feeds of new packages and new releases. See the API reference.

How can I run a mirror of PyPI?

If you need to run your own mirror of PyPI, the bandersnatch project is the recommended solution. Note that the storage requirements for a PyPI mirror would exceed 1 terabyte—and growing!

How do I get notified when a new version of a project is released?

You can subscribe to the project releases RSS feed. Additionally, there are several third-party services that offer comprehensive monitoring and notifications for project releases and vulnerabilities listed as GitHub apps.

Where can I see statistics about PyPI, downloads, and project/package usage?

You can analyze PyPI project/package metadata and download usage statistics via our public dataset on Google BigQuery.

Libraries.io provides statistics for PyPI projects (example, API) including GitHub stars and forks, dependency tracking (in progress), and other relevant factors.

For recent statistics on uptime and performance, see our status page.

Administration of projects on PyPI

How can I publish my private packages to PyPI?

PyPI does not support publishing private packages. If you need to publish your private package to a package index, the recommended solution is to run your own deployment of the devpi project.

Why isn't my desired project name available?

Your publishing tool may return an error that your new project can't be created with your desired name, despite no evidence of a project or release of the same name on PyPI. Currently, there are three primary reasons this may occur:

  • The project name conflicts with a Python Standard Library module from any major version from 2.5 to present.
  • The project name has been explicitly prohibited by the PyPI administrators. For example, pip install requirements.txt is a common typo for pip install -r requirements.txt, and should not surprise the user with a malicious package.
  • The project name has been registered by another user, but no releases have been created.

How do I claim an abandoned or previously registered project name?

Follow the 'How to request a name transfer' section of PEP 541.

What collaborator roles are available for a project on PyPI?

There are two possible roles for collaborators:

Maintainer: Can upload releases for a package. Cannot add collaborators. Cannot delete files, releases, or the project.

Owner: Can upload releases. Can add other collaborators. Can delete files, releases, or the entire project.

How do I become an owner/maintainer of a project on PyPI?

Only the current owners of a project have the ability to add new owners or maintainers. If you need to request ownership, you should contact the current owner(s) of the project directly. Many project owners provide their contact details in the 'Author' field of the 'Meta' details on the project page.

If the owner is unresponsive, see How do I claim an abandoned or previously registered project name?

How can I upload a project description in a different format?

By default, an upload's description will render with reStructuredText. If the description is in an alternate format like Markdown, a package may set the long_description_content_type in setup.py to the alternate format.

Refer to the Python Packaging User Guide for details on the available formats.

PyPI will reject uploads if the description fails to render. To check a description locally for validity, you may use readme_renderer, which is the same description renderer used by PyPI.

How do I get a file size limit exemption or increase for my project?

If you can't upload your project's release to PyPI because you're hitting the upload file size limit, we can sometimes increase your limit. Make sure you've uploaded at least one release for the project that's under the limit (a developmental release version number is fine). Then, file an issue and tell us:

  • A link to your project on PyPI (or Test PyPI)
  • The size of your release, in megabytes
  • Which index/indexes you need the increase for (PyPI, Test PyPI, or both)
  • A brief description of your project, including the reason for the additional size.

Note: All users submitting feedback, reporting issues or contributing to Warehouse are expected to follow the PSF Code of Conduct.

How do I get a total project size limit exemption or increase for my project?

If you can't upload your project's release to PyPI because you're hitting the project size limit, first remove any unnecessary releases or individual files to lower your overall project size.

If that is not possible, we can sometimes increase your limit. File an issue and tell us:

  • A link to your project on PyPI (or Test PyPI)
  • The total size of your project, in gigabytes
  • A brief description of your project, including the reason for the additional size.

Note: All users submitting feedback, reporting issues or contributing to Warehouse are expected to follow the PSF Code of Conduct.

Troubleshooting

I forgot my PyPI password. Can you help me?

If you've forgotten your PyPI password but you remember your email address or username, follow these steps to reset your password:

  1. Go to reset your password.
  2. Enter the email address or username you used for PyPI and submit the form.
  3. You'll receive an email with a password reset link.

Note: All users submitting feedback, reporting issues or contributing to Warehouse are expected to follow the PSF Code of Conduct.

I've lost access to my PyPI account. Can you help me?

If you've lost access to your PyPI account due to:

  • Lost access to the email address associated with your account
  • Lost two factor authentication application, device, and recovery codes

You can proceed to file an issue on our tracker to request assistance with account recovery.

Note: All users submitting feedback, reporting issues or contributing to Warehouse are expected to follow the PSF Code of Conduct.

Why am I getting a 'Invalid or non-existent authentication information.' error when uploading files?

If you are using a username and password for uploads:

  1. Ensure that your username and password are correct.
  2. Ensure that your username and password do not contain any trailing characters such as newlines.

If you are using an API Token for uploads:

  1. Ensure that your API Token is valid and has not been revoked.
  2. Ensure that your API Token is properly formatted and does not contain any trailing characters such as newlines.

In both cases, remember that PyPI and TestPyPI each require you to create an account, so your credentials may be different.

If you're using Windows and trying to paste your password or token in the Command Prompt or PowerShell, note that Ctrl-V and Shift+Insert won't work. Instead, you can use 'Edit > Paste' from the window menu, or enable 'Use Ctrl+Shift+C/V as Copy/Paste' in 'Properties'. This is a known issue with Python's getpass module.

Why am I getting 'No matching distribution found' or 'Could not fetch URL' errors during pip install?

Transport Layer Security, or TLS, is part of how we make sure connections between your computer and PyPI are private and secure. It's a cryptographic protocol that's had several versions over time. PyPI turned off support for TLS versions 1.0 and 1.1 in April 2018. Learn why on the PSF blog.

If you are having trouble with pip install and get a No matching distribution found or Could not fetch URL error, try adding -v to the command to get more information:

pip install --upgrade -v pip

If you see an error like There was a problem confirming the ssl certificate or tlsv1 alert protocol version or TLSV1_ALERT_PROTOCOL_VERSION, you need to be connecting to PyPI with a newer TLS support library.

The specific steps you need to take will depend on your operating system version, where your installation of Python originated (python.org, your OS vendor, or an intermediate distributor), and the installed versions of Python, setuptools, and pip.

For help, go to the #pypa IRC channel on Freenode, file an issue at pypa/packaging-problems/issues, or post to the python-help mailing list, including your OS and installation details and the output of pip install --upgrade -vvv pip.

Note: All users submitting feedback, reporting issues or contributing to Warehouse are expected to follow the PSF Code of Conduct.

I am having trouble using the PyPI website. Can you help me?

We take accessibility very seriously and want to make the website easy to use for everyone.

If you are experiencing an accessibility problem, report it to us on GitHub, so we can try to fix the problem, for you and others.

Note: All users submitting feedback, reporting issues or contributing to Warehouse are expected to follow the PSF Code of Conduct.

Github 2fa Microsoft Authenticator

Why can't I manually upload files to PyPI, through the browser interface?

In a previous version of PyPI, it used to be possible for maintainers to upload releases to PyPI using a form in the web browser. This feature was deprecated with the new version of PyPI – we instead recommend that you use twine to upload your project to PyPI.

Why did my package or user registration get blocked?

Spammers return to PyPI with some regularity hoping to place their Search Engine Optimized phishing, scam, and click-farming content on the site. Since PyPI allows for indexing of the Long Description and other data related to projects and has a generally solid search reputation, it is a prime target.

When the PyPI administrators are overwhelmed by spam or determine that there is some other threat to PyPI, new user registration and/or new project registration may be disabled. Check our status page for more details, as we'll likely have updated it with reasoning for the intervention.

Why am I getting a 'Filename or contents already exists' or 'Filename has been previously used' error?

PyPI will return these errors for one of these reasons:

  • Filename has been used and file exists
  • Filename has been used but file no longer exists
  • A file with the exact same content exists

PyPI does not allow for a filename to be reused, even once a project has been deleted and recreated.

To avoid this situation, use Test PyPI to perform and check your upload first, before uploading to pypi.org.

How do I request a new trove classifier?

If you would like to request a new trove classifier file a pull request on the pypa/trove-classifiers project. Be sure to include a brief justification of why it is important.

Note: All users submitting feedback, reporting issues or contributing to Warehouse are expected to follow the PSF Code of Conduct.

Where can I report a bug or provide feedback about PyPI?

If you're experiencing an issue with PyPI itself, we welcome constructive feedback and bug reports via our issue tracker. Please note that this tracker is only for issues with the software that runs PyPI. Before writing a new issue, first check that a similar issue does not already exist.

If you are having an issue is with a specific package installed from PyPI, you should reach out to the maintainers of that project directly instead.

Note: All users submitting feedback, reporting issues or contributing to Warehouse are expected to follow the PSF Code of Conduct.

About

Who maintains PyPI?

PyPI is powered by the Warehouse project; Warehouse is an open source project developed under the umbrella of the Python Packaging Authority (PyPA) and supported by the Python Packaging Working Group (PackagingWG).

The PyPA is an independent group of developers whose goal is to improve and maintain many of the core projects related to Python packaging.

The PackagingWG is a working group of the Python Software Foundation (PSF) whose goal is to raise and disburse funds to support the ongoing improvement of Python packaging. Most recently it secured an award from the Open Technology Fund whose funding is enabling developers to improve Warehouse's security and accessibility.

What powers PyPI?

PyPI is powered by Warehouse and by a variety of tools and services provided by our generous sponsors.

Can I depend on PyPI being available?

As of April 16, 2018, PyPI.org is at 'production' status, meaning that it has moved out of beta and replaced the old site (pypi.python.org). It is now robust, tested, and ready for expected browser and API traffic.

PyPI is heavily cached and distributed via CDN thanks to our sponsor Fastly and thus is generally available globally. However, the site is mostly maintained by volunteers, we do not provide any specific Service Level Agreement, and as could be expected for a giant distributed system, things can and sometimes do go wrong. See our status page for current and past outages and incidents. If you have high availability requirements for your package index, consider either a mirror or a private index.

How can I contribute to PyPI?

We have a huge amount of work to do to continue to maintain and improve PyPI (also known as the Warehouse project).

Financial: We would deeply appreciate your donations to fund development and maintenance.

Development: Warehouse is open source, and we would love to see some new faces working on the project. You do not need to be an experienced open-source developer to make a contribution – in fact, we'd love to help you make your first open source pull request!

If you have skills in Python, ElasticSearch, HTML, SCSS, JavaScript, or SQLAlchemy then skim our 'Getting started' guide, then take a look at the issue tracker. We've created a 'Good first issue' label – we recommend you start here.

Issues are grouped into milestones; working on issues in the current milestone is a great way to help push the project forward. If you're interested in working on a particular issue, leave a comment and we can guide you through the contribution process.

Stay updated: You can also follow the ongoing development of the project on the distutils-sig mailing list and the Python packaging forum on Discourse.

Note: All users submitting feedback, reporting issues or contributing to Warehouse are expected to follow the PSF Code of Conduct.

How do I keep up with upcoming changes to PyPI?

Changes to PyPI are generally announced on both the pypi-announce mailing list and the PSF blog under the label 'pypi'. The PSF blog also has Atom and RSS feeds for the 'pypi' label.

What does the 'beta feature' badge mean? What are Warehouse's current beta features?

When Warehouse's maintainers are deploying new features, at first we mark them with a small 'beta feature' symbol to tell you: this should probably work fine, but it's new and less tested than other site functionality.

Currently, no features are in beta.

How do I pronounce 'PyPI'?

'PyPI' should be pronounced like 'pie pea eye', specifically with the 'PI' pronounced as individual letters, rather as a single sound. This minimizes confusion with the PyPy project, which is a popular alternative implementation of the Python language.

Resources

Looking for something else? Perhaps these links will help:

  • Python.org (main Python website)
  • Python community page (lists IRC channels, mailing lists, etc.)

Contact

The Python Packaging Authority (PyPA) is a working group who work together to improve Python packaging. If you'd like to get in touch with a core packaging developer, use #pypa on IRC (freenode), or browse the online board.

Inspired by the original gist.

This snippet will extract all the OTP (2FA) keys from Authy, and convert them to scannable QR codes and URLs you can copy-paste into e.g. 1password. Unlike other approaches, this consumes the internal digits record, making it compatible with authy-specific extra long 2FA codes.

Usage

  1. Install the Authy Chrome Extension and the Authy App.
  2. Open the authy app from the browser icon in the top right, and view some TOTP codes. This decrypts them so we can extract them.
  3. Visit the Chrome Inspector Page (chrome://inspect/#apps) and click 'inspect' under 'Authy'. If that's not there, you likely need to open the Authy app from chrome://apps/.
  4. In the window that pops up, click 'console' in the top menu, and paste in the below snippet:

NB: it's unwise to post screenshots of these codes representing your 2FA secrets :p