by naniwaduni 1448 days ago
While there are scenarios where 2FA can maintain security where a password is compromised, it's absolutely true that for a large swath of practical threat models, almost the entire benefit of 2FA comes in the form of assigning the shared secret instead of letting the user pick a weak and/or widely-reused password and the "having a second factor" bit doesn't really factor into the picture in any meaningful way.

These weaknesses are implementation specific. FIDO2/U2F is unphishable, requires proof of presence, and is a significant security win over a strong password.
Is PyPI requiring maintainers to use a hardware key? If not, I don’t understand how this policy is helpful.
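
A worked illustration of the "unphishable" and "proof of presence" properties mentioned above. This is an added example, not code from the thread, PyPI, or any FIDO library. It contrasts RFC 6238 TOTP (where the code depends only on the shared secret and the clock, so a phishing page can relay it) with a simplified WebAuthn-style assertion (where the browser writes the origin into clientDataJSON and the authenticator signs over it together with the rpIdHash and user-presence flag). Assumptions: HMAC-SHA256 stands in for the authenticator's asymmetric signature, the origins `https://pypi.org` / `https://pypi-login.example` are hypothetical, and the authenticatorData layout is reduced to rpIdHash + flags + counter. A real browser would refuse to produce the phishing-origin assertion even earlier, because the rpId must match the origin's domain; here it is produced deliberately so the server-side origin check is visible.

```python
"""Why a relayed TOTP code still works but a relayed FIDO2-style assertion does not."""
import base64
import hashlib
import hmac
import json
import os
import struct

# --- TOTP (RFC 6238), the "frictionless" second factor -----------------------
def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-SHA1 one-time code per RFC 4226 (dynamic truncation)."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, now: int, step: int = 30) -> str:
    return hotp(secret, now // step)


def totp_verify(secret: bytes, code: str, now: int, step: int = 30, skew: int = 1) -> bool:
    """Accept the current window plus/minus `skew` windows, as servers usually do."""
    counter = now // step
    return any(hmac.compare_digest(hotp(secret, counter + d), code)
               for d in range(-skew, skew + 1))


def totp_relay_attack(secret: bytes, now: int) -> bool:
    """Constructed scenario: a phishing page shows a fake login, the user types the
    code, the attacker submits it to the real server a few seconds later. Nothing
    in the code binds it to the site the user thought they were talking to."""
    code_typed_on_phishing_page = totp(secret, now)
    return totp_verify(secret, code_typed_on_phishing_page, now + 5)


# --- FIDO2/WebAuthn-style assertion (simplified, HMAC stands in for signature) -
UP_FLAG = 0x01  # user-presence bit in authenticatorData flags


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def authenticator_get_assertion(key: bytes, rp_id: str, origin_seen_by_browser: str,
                                challenge: bytes, user_touched: bool) -> dict:
    """The browser (not the page) fills in `origin`; the authenticator signs over
    authenticatorData || sha256(clientDataJSON)."""
    client_data = json.dumps({
        "type": "webauthn.get",
        "challenge": _b64url(challenge),
        "origin": origin_seen_by_browser,
    }, separators=(",", ":")).encode()
    flags = UP_FLAG if user_touched else 0
    auth_data = hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + struct.pack(">I", 1)
    sig = hmac.new(key, auth_data + hashlib.sha256(client_data).digest(), hashlib.sha256).digest()
    return {"clientDataJSON": client_data, "authenticatorData": auth_data, "signature": sig}


def relying_party_verify(key: bytes, rp_id: str, expected_origin: str,
                         challenge: bytes, assertion: dict) -> bool:
    """Checks the relying party performs before accepting the assertion."""
    cd = json.loads(assertion["clientDataJSON"])
    if cd.get("type") != "webauthn.get" or cd.get("challenge") != _b64url(challenge):
        return False
    if cd.get("origin") != expected_origin:
        return False  # assertion was signed for a different site: phished
    ad = assertion["authenticatorData"]
    if ad[:32] != hashlib.sha256(rp_id.encode()).digest():
        return False
    if not ad[32] & UP_FLAG:
        return False  # no proof of presence
    expected = hmac.new(key, ad + hashlib.sha256(assertion["clientDataJSON"]).digest(),
                        hashlib.sha256).digest()
    return hmac.compare_digest(expected, assertion["signature"])


def fido_legit_login(key: bytes, user_touched: bool = True) -> bool:
    rp_id, origin = "pypi.org", "https://pypi.org"  # hypothetical relying party
    challenge = os.urandom(32)
    a = authenticator_get_assertion(key, rp_id, origin, challenge, user_touched)
    return relying_party_verify(key, rp_id, origin, challenge, a)


def fido_relay_attack(key: bytes) -> bool:
    """Same relay as above: the phishing page at a look-alike origin obtains an
    assertion from the browser and forwards it to the real relying party."""
    rp_id, real_origin = "pypi.org", "https://pypi.org"
    challenge = os.urandom(32)  # issued by the real server, relayed by the attacker
    a = authenticator_get_assertion(key, rp_id, "https://pypi-login.example", challenge, True)
    return relying_party_verify(key, rp_id, real_origin, challenge, a)


if __name__ == "__main__":
    secret, key = b"12345678901234567890", os.urandom(32)
    print("TOTP relay accepted:", totp_relay_attack(secret, 1_700_000_000))
    print("FIDO relay accepted:", fido_relay_attack(key))
    print("FIDO legit accepted:", fido_legit_login(key))
```

The TOTP path accepts the relayed code because the server can only check secret and time; the FIDO path rejects it because the signed clientDataJSON names the origin the browser actually talked to, and a separate flag bit records whether the user touched the key.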

Anyone who hadn’t already turned on 2FA is going to use the most frictionless so-called second factor they can.

They've been offering people hardware keys for free.

https://pypi.org/security-key-giveaway/

That's a great initiative, but I expect the maintainers who are interested to be the ones who've already turned on (some lesser form of) 2FA voluntarily.

Anyone who is turning on 2FA because of this requirement is going to select the most frictionless method of complying with the mandate. Which will not be a hardware key.

OK? So more people use TOTP and there's a marginal security win. And maybe a few use a token, and there's a significant win.
TOTP is a minuscule security win in exchange for a significant amount of inconvenience, versus using a good password manager. If you want to prevent password reuse, add an option to use a pre-generated password as an alternative to 2FA.

I think the statement "these weaknesses are implementation specific", while true, is irrelevant when 99% of people affected by this mandate (and 99.9% of 2FA users in general) are going to use an implementation with these weaknesses. And, I think it really sucks that PyPI is losing maintainers due to a policy that won't increase security in a meaningful way.

I'm not calling it a weakness. I'm saying that the alleged advantages of the 2F in 2FA don't normally matter to people who just want their shit to work.