With the introduction of two-factor authentication, we have decided that the PyPI admins will support manual account recovery, in _addition_ to optional recovery codes. I have opened this ticket to discuss and define this policy, and address the questions:
There has already been some discussion on this issue in #5586:
from @ewdurbin:
This is a bit in the weeds, but... Is it possible we could implement a recovery process that doesn't strictly bypass MFA using recovery codes, but where those recovery codes... or even a single code... could be used as a "vouch" when requesting account recovery from admins? That would at least help expedite the process of admin-assisted recovery.
from @rsyring:
Another option, for account recovery: make it possible but with a long delay:
- wait 30 (or 60, or 90) days before you grant account recovery
- ask at sign-up for a phone number to text in case of an account recovery request
- email/text weekly with links that let you cancel the account recovery request
- Notify maintainers on shared projects that someone on their projects has initiated account recovery. Presumably these people have alternative methods to contact the person who owns the account to get their attention and/or can remove the account from their projects if something seems suspicious. Also, optionally, permit shared maintainers to take ownership of a shared project during account recovery time if they suspect nefarious activity.
- Optionally post notices on projects where a maintainer has requested account recovery during the waiting period and maybe after for a period of time (90 days?).
If the recovery request does not get cancelled, assume it's legit and let it go through.
The above process, while being a bit non-standard and potentially embarrassing for someone who loses access to their account, still permits account recovery in a way that mitigates the potential for bad actors to unknowingly get access to a project and upload malicious code (which I assume is the main attack vector to be worried about with account recovery).
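The delayed-recovery flow sketched by @rsyring above, together with @ewdurbin's "vouch" idea, is concrete enough to write down. The following is an added illustration, not code from Warehouse or PyPI; the 30-day waiting period, the weekly reminder cadence, the `EXAMPLE_NOW` clock, the per-request HMAC cancel token and all function names are assumptions made for the example, and the project roles and recovery codes it works on are constructed inline.

```python
"""Time-locked account recovery: cancel links, co-maintainer notification and a
recovery-code "vouch". Added illustration only, not Warehouse/PyPI code."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Assumed policy values; the thread floats 30/60/90 days and weekly reminders.
WAITING_PERIOD = timedelta(days=30)
REMINDER_INTERVAL = timedelta(days=7)
# Server-side key for signing cancel links, generated fresh for this example.
SERVER_KEY = secrets.token_bytes(32)
# Constructed clock so the flow can be exercised deterministically.
EXAMPLE_NOW = datetime(2019, 7, 1, tzinfo=timezone.utc)


def hash_recovery_code(code: str, salt: bytes) -> bytes:
    """Recovery codes are stored hashed like passwords, never in the clear."""
    return hashlib.pbkdf2_hmac("sha256", code.encode(), salt, 100_000)


@dataclass
class StoredCode:
    salt: bytes
    digest: bytes
    used: bool = False  # every code is single-use


def issue_recovery_codes(n: int) -> tuple[list[str], list[StoredCode]]:
    """Plaintext codes are shown to the user once; only hashes stay server-side."""
    plain, stored = [], []
    for _ in range(n):
        code, salt = secrets.token_hex(8), secrets.token_bytes(16)
        plain.append(code)
        stored.append(StoredCode(salt, hash_recovery_code(code, salt)))
    return plain, stored


@dataclass
class RecoveryRequest:
    username: str
    requested_at: datetime
    cancelled: bool = False
    vouched: bool = False  # a valid recovery code accompanied the request
    completed: bool = False

    @property
    def unlock_at(self) -> datetime:
        return self.requested_at + WAITING_PERIOD


def open_request(username: str, now: datetime) -> RecoveryRequest:
    return RecoveryRequest(username, now)


def cancel_token(req: RecoveryRequest) -> str:
    """Stateless token bound to this request; embedded in every reminder's cancel link."""
    msg = f"cancel|{req.username}|{req.requested_at.isoformat()}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()


def cancel(req: RecoveryRequest, token: str) -> bool:
    """Whoever holds a valid link (the real owner, via email/SMS) can abort recovery."""
    if not hmac.compare_digest(token, cancel_token(req)):
        return False
    req.cancelled = True
    return True


def reminder_times(req: RecoveryRequest) -> list[datetime]:
    """Weekly reminder/cancel messages until the waiting period ends."""
    times, t = [], req.requested_at + REMINDER_INTERVAL
    while t < req.unlock_at:
        times.append(t)
        t += REMINDER_INTERVAL
    return times


def comaintainers_to_notify(req: RecoveryRequest, roles: dict[str, set[str]]) -> set[str]:
    """Everyone sharing a project with the account, so they can raise the alarm."""
    return {u for members in roles.values() if req.username in members
            for u in members if u != req.username}


def vouch_with_code(req: RecoveryRequest, code: str, stored: list[StoredCode]) -> bool:
    """A recovery code does not bypass MFA here; it only marks the request as vouched."""
    for rec in stored:
        if not rec.used and hmac.compare_digest(rec.digest, hash_recovery_code(code, rec.salt)):
            rec.used = True
            req.vouched = True
            return True
    return False


def finalize(req: RecoveryRequest, now: datetime) -> bool:
    """Grant recovery only once the waiting period elapsed with no cancellation."""
    if req.cancelled or req.completed or now < req.unlock_at:
        return False
    req.completed = True
    return True
```

The cancel token is an HMAC over the request identity rather than stored state, so every weekly message can carry the same link and a forged link fails `compare_digest`; the vouch path consumes a code without ever granting access, leaving the admin (or the timer) as the only thing that completes the request.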
I just enabled 2FA and was looking for recovery codes, so I'm particularly interested in this process. I have a mild preference for having actual codes vs the manual process, just because N days is a long time to wait. That's particularly important if for some reason you need to hurry up and make a release (e.g. CVE in your library). I mean, hopefully you have several people if your project is that important, but....
Hi @waynew thanks for your feedback. To be clear, our intention is to also offer recovery codes. However, users can choose not to enable these.
Manual account recovery is therefore limited to circumstances when:
a) a user has lost their recovery codes, or
b) a user never set up recovery codes
Implementing #5866 will help a bit with this as well.
I've lost my authenticator app... and I didn't read about creating the USB method too... Am I in trouble? I really need to access my account.
@lasote can you please open a new ticket for this? An admin can then contact you.
I've lost my authenticator app as well, same issue as @lasote
@nlhkabu where can I open a ticket? I assume you do not mean an issue.
Thanks
Please file an issue at https://github.com/pypa/pypi-support/issues