RubyGems Mandates MFA for Top-100 Package Maintainers

The official package manager for the Ruby programming language has announced it has started mandating multi-factor authentication (MFA) on at least the top-100 RubyGems packages.

The firm made the announcement on Monday, saying it would begin enforcing MFA on owners of gems with over 180 million total downloads.

“Users in this category who do not have MFA enabled on the UI and API or UI and gem sign-in level will not be able to edit their profile on the web, perform privileged actions [...] or sign in on the command line until they configure MFA,” explained RubyGems in a blog post.

Additionally, the package manager said all maintainers of gems that surpass 165 million total downloads will continue to receive recommendation reminders regarding MFA. Once the gem reaches 180 million total downloads, MFA will be required.

“This policy would bring us in line with the policies made by other package ecosystems,” RubyGems said, referring to NPM and PyPI. For context, NPM implemented mandatory MFA in February, while PyPI followed suit last month.

As for RubyGems, the package manager first outlined the idea of making popular Ruby packages more secure via MFA in June, particularly to defend against account takeovers, which have recently surged substantially.

Two months later, RubyGems is now making MFA mandatory for popular packages, but the company said it intends to extend the feature to more packages in the future.

“We have plans to increase MFA adoption on RubyGems. If you have ideas on how future rollouts should be approached, join this discussion in our RFC repository,” RubyGems wrote.

The hosting service also confirmed it is working on adding support for WebAuthn, a FIDO2 Project component and web standard designed to standardize authentication for web-based applications.

“Maintainers would be able to use hardware tokens, biometric keys and other WebAuthn-supported devices as their multi-factor device of choice,” RubyGems added.

For more information about MFA and its applications, you can check out this explainer by Nic Sarginson, the principal solutions engineer at Yubico.
