The Python Package Index (PyPI), the official repository of third-party open-source Python projects, announced plans to mandate two-factor authentication for maintainers of “critical” projects.
Following the recent hijacking of several Python projects, the Python Package Index (PyPI) has taken this step for the accounts of critical projects.
Although many community members praised the move, the developer of a popular Python project decided to delete his code from PyPI and republish it to invalidate the “critical” status assigned to his project.
Certain projects with significant downloads in the past six months, and others that are tagged as critical, will soon be required to secure their accounts, says PyPI. While it’s a good move, a few developers are against it.
PyPI rolls out 2FA as an Extra Security For Critical Python Projects
Last year, popular npm packages like ‘ua-parser-js,’ ‘coa’ and ‘rc’ were modified with malware to compromise dependent software, prompting the community to push for more security measures. Eventually, GitHub, the owner of npm, mandated 2FA for accounts that maintain sensitive npm packages.
Admins of the PyPI registry announced they were in the process of introducing a two-factor authentication (2FA) requirement for projects deemed “critical.”
Any PyPI project in the top 1% of downloads over the last six months, as well as PyPI’s own dependencies, has been designated critical.
Having identified over 3,818 PyPI projects and 8,218 PyPI user accounts as critical, the team said this mandate will be rolling out in the coming months.
“In order to improve the general security of the Python ecosystem, PyPI has begun implementing a two-factor authentication (2FA) requirement for critical projects. This requirement will go into effect in the coming months,” announced the admins in a blog post.
The maintainers of critical projects are being offered free hardware security keys, with support from the Google Open Source Security Team, a sponsor of the Python Software Foundation (PSF).
Despite this, over 28,000 PyPI user accounts (including those not associated with a “critical” project) have voluntarily enabled 2FA.
But some developers are pushing back against the Python Package Index (PyPI) move to mandate 2FA for critical projects.