undefined | Better HN

0 pointspaganel3y ago0 comments

Are the 2FA dongles provided by Google available to maintainers that reside in countries the US (and the West generally) doesn't generally like? I'm thinking, explicitly, at China, Russia and Iran. Most probably no, even though I'd love to be proven wrong on this. As such, this is already a political thing.

0 comments

3 comments · 1 top-level

giaour3y ago· 2 in thread

PyPI supports TOTP 2FA: https://pypi.org/help/#totp

TOTP is defined in a freely available RFC (https://www.rfc-editor.org/rfc/rfc6238) and is implemented by a wide variety of applications and libraries, both proprietary and open source.

paganelOP3y ago

Yes, I know, I've implemented it on the server side once, but I was curious why did Google (the company) feel the need to get involved with those thousands of physical dongles as long as almost any Android or iPhone can handle this, hence my question. Because I suppose there aren't thousands of contributors who don't have an iPhone nor an Android phone. Or maybe it's just a marketing ploy? I still don't get it.

giaour3y ago

Dongles are generally understood to be more secure than TOTP because they have to be physically stolen (unlike TOTP seeds, which are just information). Google is giving away thousands of physical keys maybe to drum up goodwill among the python community, maybe because it's a trivial expense for them and they have an institutional interest is seeing PyPI succeed. I dunno, but it doesn't really seem all that sinister.

Just FYI, you don't need a smartphone to use TOTP. You can download 'pyotp' from PyPI and use it with any python interpreter. Anybody publishing packages to PyPI would have access to that.

j / k navigate · click thread line to collapse