by jamesboehmer 1434 days ago
You know which modules I'm not using for my critical projects? Ones whose maintainers refuse to enable 2fa. We already know how supply chain security problems have plagued npm and pypi. Dependabot should alert you when your dependency comes from a package maintainer that doesn't use 2fa.

That's entirely reasonable. However, it is also reasonable for the author, who is working for free, to ignore your concerns.
I think it's completely insane to not use 2FA when available... but I also support the freedom to not maintain a piece of software unpaid. One person projects are pretty miserable.
I have ADHD. I lose things. I once had to restore access to a 2FA protected account I’d lost the token to. It took weeks of back-and-forth and involved sending personal information (selfies with identity cards) the service had no business knowing.

Never again. Especially for an unpaid personal project for which I owe nobody anything. If PyPI sent me this email, I’d immediately nuke all versions of all packages I maintain, replace with a blank/no code “upgrade” version that contains nothing but a readme explaining what happened, and close/deactivate my account.

I lose things incredibly often too (like losing my wallet twice and keys once, all within a 12 month period, going inside and leaving keys in the front door, needing GPS to get home 3 blocks away, etc.).

If 2FA was token based as people seem to want it to be, I'd have an issue, but SMS based is enough to keep out the majority of opportunistic attackers while being recoverable. Plus, there's always printable recovery codes with Google at least.

> If 2FA was token based as people seem to want it to be, I'd have an issue, but SMS based is enough to keep out the majority of opportunistic attackers while being recoverable.

But so is using a long, unique, random password stored in a password manager! In fact, a strong password is more secure because it's not vulnerable to SIM swapping.

Admittedly, you could use both, but many/most services will let you use SMS for password recovery once it's set up, so it ends up becoming a single factor!

I'm also really nervous about losing access to my phone number some day due to some screwup or other.

> Plus, there's always printable recovery codes with Google at least.

But I lose things. Especially slips of paper which I usually don't need to access. There is absolutely no way in hell I will be able to find a printout of backup codes when I actually need them.