
Define manual account recovery process #5758

Closed
nlhkabu opened this issue Apr 28, 2019 · 9 comments
Labels
needs discussion a product management/policy issue maintainers and users should discuss

Comments

@nlhkabu
Contributor

nlhkabu commented Apr 28, 2019

With the introduction of two factor authentication, we have decided that the PyPI admins will support manual account recovery, in addition to optional recovery codes. I have opened this ticket to discuss and define this policy, and address the questions:

  1. In what circumstances will PyPI admins offer manual account recovery?
  2. What information will users have to provide in order to be granted manual account recovery?

There has already been some discussion on this issue in #5586:

from @ewdurbin:

This is a bit in the weeds, but... Is it possible we could implement a recovery process that doesn't strictly bypass MFA using recovery codes, but where those recovery codes... or even a single code... could be used as a "vouch" when requesting account recovery from admins. That would at least help expedite the process of admin assisted recovery.

from @rsyring:

Another option, for account recovery: make it possible but with a long delay:

  • wait 30 (or 60, 90 days) before you grant account recovery
  • ask at sign-up for phone number to text in case of account recovery request
  • email/text weekly with links that let you cancel the account recovery request
  • Notify maintainers on shared projects that someone on their projects has initiated account recovery. Presumably these people have alternative methods to contact the person who owns the account to get their attention and/or can remove the account from their projects if something seems suspicious. Also, optionally, permit shared maintainers to take ownership of a shared project during account recovery time if they suspect nefarious activity.
  • Optionally post notices on projects where a maintainer has requested account recovery during the waiting period and maybe after for a period of time (90 days?).

If recovery request does not get cancelled, assume it's legit and let it go through.

The above process, while being a bit non-standard and potentially embarrassing for someone who loses access to their account, still permits account recovery in a way that mitigates the potential for bad actors to unknowingly get access to a project and upload malicious code (which I assume is the main attack vector to be worried about with account recovery).

@nlhkabu nlhkabu added the needs discussion a product management/policy issue maintainers and users should discuss label Apr 28, 2019
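The delayed, cancellable recovery workflow quoted above from @rsyring, combined with @ewdurbin's idea of letting a surviving recovery code act as a "vouch", as an added example that is not part of the original issue or of Warehouse's code. The `RecoveryService` API, the 30-day and 7-day waiting periods, the weekly reminder cadence and the sample accounts (`alice`, `bob`, `widgetlib`, `solo`) are all assumptions for illustration:

```python
# Added example (not Warehouse code): a time-delayed, cancellable account recovery flow.
# A request is granted only after a waiting period unless the owner cancels it first,
# co-maintainers of shared projects are told that recovery was requested, and a surviving
# recovery code can "vouch" for the requester to shorten the wait. Periods, names and
# sample data below are assumptions for illustration.
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

DEFAULT_WAIT = timedelta(days=30)   # rsyring's suggested default
VOUCHED_WAIT = timedelta(days=7)    # assumed shorter wait when a recovery code vouches
REMINDER_EVERY = timedelta(days=7)  # "email/text weekly with links that let you cancel"
START = datetime(2019, 4, 28, tzinfo=timezone.utc)  # fixed clock for the demo


def after(days):
    """Demo helper: a point in time `days` after START."""
    return START + timedelta(days=days)


def _digest(secret):
    # Recovery codes and cancel tokens are stored only as hashes, never in plaintext.
    return hashlib.sha256(secret.encode()).hexdigest()


@dataclass
class Account:
    username: str
    recovery_code_hashes: set = field(default_factory=set)  # unused codes, hashed


@dataclass
class RecoveryRequest:
    username: str
    requested_at: datetime
    wait: timedelta
    cancel_token_hash: str
    cancelled: bool = False
    completed: bool = False

    @property
    def grant_at(self):
        return self.requested_at + self.wait


class RecoveryService:
    def __init__(self, accounts, project_maintainers):
        self.accounts = {a.username: a for a in accounts}
        self.project_maintainers = project_maintainers  # project -> set of usernames
        self.requests = {}  # one request per username
        self.outbox = []    # (recipient, message); a real system would email/text these

    def open_request(self, username, now, vouch_code=None):
        """Start the waiting period; return the plaintext cancel token, which is sent
        to the account's existing contact channels and is never stored server-side."""
        account = self.accounts[username]
        wait = DEFAULT_WAIT
        if vouch_code is not None and _digest(vouch_code) in account.recovery_code_hashes:
            account.recovery_code_hashes.discard(_digest(vouch_code))  # single use
            wait = VOUCHED_WAIT  # an invalid vouch is not an error; it just gets the full wait
        cancel_token = secrets.token_urlsafe(32)
        self.requests[username] = RecoveryRequest(username, now, wait, _digest(cancel_token))
        self.outbox.append((username, f"Recovery requested; cancel with token {cancel_token}"))
        # Co-maintainers can reach the owner out of band, or act if the request looks wrong.
        for project, maintainers in self.project_maintainers.items():
            if username in maintainers:
                for peer in sorted(maintainers - {username}):
                    self.outbox.append((peer, f"{username} requested recovery; affects {project}"))
        return cancel_token

    def cancel(self, username, token):
        """Whoever holds the token (the real owner, via their email/phone) stops the request."""
        req = self.requests.get(username)
        if req is None or req.completed:
            return False
        if not hmac.compare_digest(_digest(token), req.cancel_token_hash):
            return False
        req.cancelled = True
        return True

    def reminders_due(self, username, now):
        """Number of weekly cancel-link reminders owed by `now` (none after the grant date)."""
        req = self.requests[username]
        return (min(now, req.grant_at) - req.requested_at) // REMINDER_EVERY

    def complete(self, username, now):
        """Grant recovery (e.g. reset MFA) only after the wait, and only if not cancelled."""
        req = self.requests.get(username)
        if req is None or req.cancelled or req.completed or now < req.grant_at:
            return False
        req.completed = True
        return True


def build_demo():
    """Constructed sample data: alice shares 'widgetlib' with bob and owns 'solo' alone."""
    alice = Account("alice", {_digest("code-one"), _digest("code-two")})
    projects = {"widgetlib": {"alice", "bob"}, "solo": {"alice"}}
    return RecoveryService([alice, Account("bob")], projects)
```

The point of the design is that the cancel token travels only over channels the legitimate owner already controls, so an attacker who starts a recovery cannot also stop the owner from cancelling it, and the co-maintainer notification gives the rest of the project a window to notice. The vouch path consumes the recovery code, so a leaked code cannot be replayed to shorten a second request.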
@waynew

waynew commented May 7, 2019

I just enabled 2FA and was looking for recovery codes, so I'm particularly interested in this process. I have a mild preference for having actual codes vs the manual process, just because N days is a long time to wait. That's particularly important if for some reason you need to hurry up and make a release (e.g. CVE in your library). I mean, hopefully you have several people if your project is that important, but....

@nlhkabu
Contributor Author

nlhkabu commented May 8, 2019

Hi @waynew thanks for your feedback. To be clear, our intention is to also offer recovery codes. However, users can choose not to enable these.

Manual account recovery is therefore limited to circumstances when:

a) a user has lost their recovery codes, or
b) a user never set up recovery codes

@brainwane
Contributor

Implementing #5866 will help a bit with this as well.

@lasote

lasote commented Oct 10, 2019

I've lost my authenticator app... and I didn't read about creating the usb method too... Am I in trouble? I really need to access my account.

@nlhkabu
Contributor Author

nlhkabu commented Oct 10, 2019

@lasote can you please open a new ticket for this? An admin can then contact you.

@beng-toast

I've lost my authenticator app as well, same issue as @lasote
@nlhkabu where can I open a ticket? I assume you do not mean an issue.
Thanks

@di
Member

di commented Nov 7, 2019

Please file an issue at https://github.com/pypa/pypi-support/issues

@pypi pypi locked as off-topic and limited conversation to collaborators Nov 7, 2019
@brainwane
Contributor

Possibly now superseded by pypi/support#796 ?

@di
Member

di commented Nov 28, 2022

Closing this in favor of #11787.

@di di closed this as completed Nov 28, 2022

6 participants