Skip to content

Email confirmation for TOTP-based logins #18425

New issue
New issue
Open
#18689
Open
Email confirmation for TOTP-based logins#18425
#18689
Labels
2FAemailRelated to emailsfeature requestsecuritySecurity-related issues and pull requests
@di

Description

@di
di
opened on Jul 28, 2025

What's the problem this feature will solve?

A successful phishing attack can lead to account takeover if an attacker obtains both a user's password and a valid TOTP code.

Describe the solution you'd like

To mitigate this risk, we should require confirmation via the primary email address for users who rely on TOTP for two-factor authentication. The proposed solution involves the following changes to the login flow:

  1. For any account using TOTP to log in, after the user enters their credentials and a valid TOTP code, they will not be immediately logged in.
  2. Instead, an email with a confirmation link will be sent to their primary email address.
  3. The user must click the confirmation link in the email to complete the login process. Login should be prevented if the user does not click the link.
  4. For each successful login, PyPI will aggregate user details (IP address and possibly device type) for security monitoring purposes.
  5. Users who authenticate with WebAuthn and passkeys will not be subject to this email confirmation step, as these methods are already considered more secure against phishing.

Additional context

The following files and functions in the warehouse codebase will likely need to be modified to implement this feature:

  • Login and TOTP Handling:
    • warehouse/accounts/views.py: The login view will need to be modified to trigger the email confirmation flow after a successful TOTP verification.
    • warehouse/accounts/forms.py: The LoginForm may need to be adjusted to handle the new confirmation step.
    • warehouse/two_factor/views.py: The views for handling TOTP will need to be updated to send the confirmation email instead of immediately logging the user in.
    • warehouse/two_factor/forms.py: The TOTPForm will need to be adjusted to accommodate the new workflow.
  • Email Confirmation:
    • A new email template will need to be created for the login confirmation email.
    • A new view will be required to handle the confirmation link from the email.
    • warehouse/email.py: The email sending logic will need to be updated to handle the new confirmation email.
  • User Details Aggregation:
    • The login view in warehouse/accounts/views.py should be updated to log the user's IP address and user agent string upon successful login.
  • WebAuthn and Passkeys:
    • The views and forms related to WebAuthn and passkey authentication will need to be checked to ensure that the email confirmation flow is not triggered for these login methods.
      • warehouse/webauthn/views.py
      • warehouse/webauthn/forms.py

Metadata

Metadata

Assignees

No one assigned

    Labels

    2FAemailRelated to emailsfeature requestsecuritySecurity-related issues and pull requests

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions