I hate these 2FA mandates. I don't use PyPI, but I do use GitHub, which has also announced a 2FA mandate.
I use my GitHub account to make bug reports, small pull requests, and silly personal projects. It is not that important. I want to sacrifice security for convenience on it, and that should be my choice.
I also do not agree with the argument this secures the supply chain because:
1. It ignores supply-chain attacks from people who already have repository access.
2. Most big companies (i.e. Google) are probably already using 2FA.
3. And if people are automatically pulling code from random people/groups without checking it... maybe that's what actually needs to be banned.
Unfortunately even if you did not pull code from random groups, and instead curated your GitHub dependencies, you can still be caught by surprise when one person has a re-used password and no 2FA because “ugh it’s so inconvenient”.
Nothing will fully secure the supply chain, but this certainly reduces risk and given the impact software has in today’s world it’s important.