Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Define manual account recovery process #5758

nlhkabu opened this issue Apr 28, 2019 · 3 comments


Copy link

commented Apr 28, 2019

With the introduction of two factor authentication, we have decided that the PyPI admins will support manual account recovery, in addition to optional recovery codes. I have opened this ticket to discuss and define this policy, and address the questions:

  1. In what circumstances will PyPI admins offer manual account recovery?
  2. What information will users have to provide in order to be granted manual account recovery?

There has already been some discussion on this issue in #5586:

from @ewdurbin:

This is a bit in the weeds, but... Is it possible we could implement a recovery process that doesn't strictly bypass MFA using recovery codes, but where those recovery codes... or even a single code... could be used as a "vouch" when requesting account recovery from admins. That would at least help expedite the process of admin assisted recovery.

from @rsyring:

Another option, for account recovery: make it possible but with a long delay:

  • wait 30 (or 60, 90 days) before you grant account recovery
  • ask at sign-up for phone number to text in case of account recovery request
  • email/text weekly with links that let you cancel the account recovery request
  • Notify maintainers on shared projects that someone on their projects has initiated account recovery. Presumably these people have alternative methods to contact the person who owns the account to get their attention and/or can remove the account from their projects if something seems suspicious. Also, optionally, permit shared maintainers to take ownership of a shared project during account recovery time if they suspect nefarious activity.
  • Optionally post notices on projects where a maintainer has requested account recovery during the waiting period and maybe after for a period of time (90 days?).

If recovery request does not get cancelled, assume it's legit and let it go through.

The above process, while being a bit non-standard and potentially embarrassing for someone who loses access to their account, still permits account recovery in a way that mitigates the potential for bad actors to unknowingly get access to a project and upload malicious code (which I assume is the main attack vector to be worried about with account recovery).


This comment has been minimized.

Copy link

commented May 7, 2019

I just enabled 2FA and was looking for recovery codes, so I'm particularly interested in this process. I have a mild preference for having actual codes vs the manual process, just because N days is a long time to wait. That's particularly important if for some reason you need to hurry up and make a release (e.g. CVE in your library). I mean, hopefully you have several people if your project is that important, but....


This comment has been minimized.

Copy link
Member Author

commented May 8, 2019

Hi @waynew thanks for your feedback. To be clear, our intention is to also offer manual recovery codes. However, users can choose not to enable these.

Manual account recovery is therefore limited to circumstances when:

a) a user has lost their recovery codes, or
b) a user never set up recovery codes


This comment has been minimized.

Copy link

commented May 16, 2019

Implementing #5866 will help a bit with this as well.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
None yet
3 participants
You can’t perform that action at this time.