PyPI Repository Enforces 2FA for Critical Python Projects

Written by

Python Package Index (PyPI), the official third-party open-source repository for Python projects, said it will enforce a mandatory two-factor authentication (2FA) policy for projects categorized as “critical,” from both ‘Maintainers’ and ‘Owners’.

The team made the announcement on Twitter last Friday, saying that “soon, maintainers of critical projects must have 2FA enabled to publish, update or modify them.”

Further, PyPI offered free hardware security keys from the Google Open Source Security Team to developers of critical projects who had not previously turned on 2FA on PyP.

“To ensure that these maintainers can use strong 2FA methods, we're also distributing 4000 hardware security keys,” read the Twitter post.

The repository account also specified the eligibility criteria for the new policy: “any project in the top 1% of downloads over the prior six months is designated as critical (as well as PyPI's own dependencies).”

At the same time, the team clarified that once a project has been classified as “critical” it should remain in that category indefinitely, even if it drops out of the top 1% downloads list.

Moreover, the developers enabled a feature that will allow any project to opt-in to a 2FA requirement for its maintainers. According to PyPI, the feature can be enabled in the settings for each individual project and enabled/disabled for non-critical projects at any time.

“Ensuring that the most widely used projects have these protections against account takeover is one step towards our wider efforts to improve the general security of the Python ecosystem for all PyPI users,” wrote the team.

The developers set up a dedicated webpage to enable users to track the development of the new feature. 

The move is reportedly intended to enhance the supply chain security of the Python ecosystem, and it comes in the wake of several security incidents targeting open-source repositories over the past few months.

What’s hot on Infosecurity Magazine?