- The Python Package Index, aka PyPI, is a third-party software repository that helps Python developers find and install software written in the Python programming language.
- According to PyPI, any project in the top 1% of downloads over the prior six months is considered critical. PyPI is now enforcing 2FA requirements for projects considered critical.
- The Google Open Source security team is providing free hardware security keys to developers of crucial projects who have not yet enabled 2FA on PyPI.
The Python Package Index (PyPI) is a repository of third-party open-source projects for the Python programming language. PyPI helps users find and install software developed by the Python community. PyPI has announced on its website a plan to make two-factor authentication mandatory for maintainers of “critical” projects.
2FA will be mandatory
PyPI has started enforcing a new two-factor authentication (2FA) requirement for projects considered critical. According to PyPI, any project in the top 1% of downloads over the prior six months is considered critical, and every maintainer of a critical project (both maintainers and owners) is required to enable 2FA. There are more than 350,000 projects on PyPI, and over 3,500 of them currently carry the critical designation. PyPI recalculates this determination daily.
We’ve begun rolling out a 2FA requirement: soon, maintainers of critical projects must have 2FA enabled to publish, update, or modify them.
To ensure that these maintainers can use strong 2FA methods, we're also distributing 4000 hardware security keys! https://t.co/gcCNWSqBcU
— Python Package Index (@pypi) July 8, 2022
The Google Open Source security team is offering free hardware security keys to developers of critical projects who have not previously turned on 2FA on PyPI; 4,000 keys will be distributed in total. To be eligible, a user must be a maintainer of a critical project, must not have previously enabled 2FA on PyPI, and must be able to receive a shipment in one of the eligible regions, which are:
- Austria
- Belgium
- Canada
- France
- Germany
- Italy
- Japan
- Spain
- Switzerland
- United Kingdom
- United States
If a maintainer of a critical project is not in an eligible country and needs to enable 2FA, there are two options: independently purchase a FIDO U2F security key from a vendor that ships to the region, such as YubiKey or Thetis, or enable 2FA with a TOTP application instead. Of the two, a FIDO security key is the stronger choice: the browser binds the credential to the site's origin, so a phishing page cannot replay it, whereas a TOTP code typed into a look-alike site can be relayed to PyPI within its validity window.
The 2FA enforcement follows several security incidents targeting open-source repositories in recent months. Last year, the npm accounts of popular developers were hijacked to insert malicious code into the widely used packages “ua-parser-js”, “coa” and “rc”. After those incidents, GitHub, npm's parent company, took steps to strengthen login security by requiring 2FA for maintainers and admins.