The one question asked at the end was "How did the attackers bypass 2FA?"

The answer is a little deeper in our blog post: blog.pypi.org/posts/2025-07-31

The TL;DR is that the attack used a web proxy in front of PyPI, and users using the TOTP method saw a site that looked valid, entered their username and password, which were captured by the proxy and forwarded along to PyPI, and were then presented with a web form for their TOTP, which they entered, and that was also sent along to the attacker.
If they were using WebAuthn, nothing happened, since the browser/device wouldn't prompt the user because the domains don't match - strengthening the case for non-TOTP.

Since then, we've also added an extra layer of confirmation for TOTP logins from a new location, which, while it can be annoying, may also inspire folks to use WebAuthn more.
Read more about that here: blog.pypi.org/posts/2025-11-14
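As an added example (not code from the post or from PyPI), here is the relying-party side of the origin binding the post relies on: the browser writes the origin it actually saw into clientDataJSON, and the authenticator binds the assertion to SHA-256 of the RP ID, so an assertion minted on a look-alike domain fails verification even if it is relayed to the real site. The domains and helper names below are constructed; signature checking is omitted.

```python
"""Why a relaying proxy defeats TOTP but not WebAuthn: origin binding.

A six-digit TOTP code carries no information about where the user typed it,
so a proxy that receives it can simply forward it. A WebAuthn assertion does:
clientDataJSON names the origin the browser saw, and the authenticator data
starts with SHA-256(rpId). The real site checks both. In practice the browser
would not even prompt on the wrong domain; this shows the server-side guard.
"""
import base64
import hashlib
import json

RP_ID = "pypi.example"                 # constructed relying-party ID
EXPECTED_ORIGIN = "https://pypi.example"


def b64url_decode(s: str) -> bytes:
    # WebAuthn uses unpadded base64url; restore padding before decoding.
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def verify_assertion_origin(client_data_b64: str, authenticator_data: bytes) -> bool:
    """Relying-party checks from the WebAuthn spec's assertion procedure:
    type must be webauthn.get, the browser-reported origin must equal the
    expected origin, and authenticatorData[0:32] must be SHA-256(rpId)."""
    client_data = json.loads(b64url_decode(client_data_b64))
    if client_data.get("type") != "webauthn.get":
        return False
    if client_data.get("origin") != EXPECTED_ORIGIN:
        return False  # assertion was produced on some other domain
    rp_id_hash = hashlib.sha256(RP_ID.encode()).digest()
    return len(authenticator_data) >= 37 and authenticator_data[:32] == rp_id_hash


def make_client_data(origin: str) -> str:
    # Constructed clientDataJSON, base64url-encoded as a browser would send it.
    payload = json.dumps({"type": "webauthn.get", "challenge": "c3RhdGlj", "origin": origin})
    return base64.urlsafe_b64encode(payload.encode()).rstrip(b"=").decode()


def make_auth_data(rp_id: str) -> bytes:
    # Constructed authenticatorData: rpIdHash (32 bytes), flags (UP set), counter.
    return hashlib.sha256(rp_id.encode()).digest() + b"\x01" + b"\x00\x00\x00\x01"
```

A relayed assertion from a look-alike host is rejected on the origin check, while the same six-digit TOTP code would have been accepted unchanged.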
