PyPI Repository Makes 2FA Security Mandatory for Critical Python Projects


The maintainers of the official third-party software repository
for Python have begun imposing a new two-factor authentication
(2FA) condition for projects deemed “critical.”

“We’ve begun rolling out a 2FA requirement: soon, maintainers of
critical projects must have 2FA enabled to publish, update, or
modify them,” Python Package Index (PyPI) said[1]
in a tweet last week.

“Any maintainer of a critical project (both ‘Maintainers’ and
‘Owners’) are included in the 2FA requirement,” it added[2].

Additionally, the developers of critical projects who have not
previously turned on 2FA on PyPI are being offered free hardware
security keys from the Google Open Source Security Team.

PyPI, which is run by the Python Software Foundation, houses
more than 350,000 projects, of which over 3,500 projects[3]
are said to be tagged with a “critical” designation.

According to the repository maintainers, any project accounting
for the top 1% of downloads over the prior 6 months is designated
as critical, with the determination recalculated on a daily
basis.


But once a project has been classified as critical, it's expected
to retain that designation indefinitely, even if it drops out of
the top 1% downloads list.
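The designation rule above (top 1% of downloads over the prior six months, recalculated daily, and sticky once assigned) is easy to get wrong if the sticky part is forgotten. The following is an added worked model written for this article, not PyPI's own code; the 1% fraction comes from the article, while the rounding of the cut-off (rounded up so at least one project qualifies), the tie-breaking by name, the sample download counts and the maintainer records are all constructed assumptions.

```python
"""Model of the 'critical project' rule described in the article:
top 1% of downloads over the prior six months, recomputed daily,
and retained indefinitely once assigned. Rounding, tie-breaking and
all sample data below are assumptions, not documented PyPI behaviour."""
from math import ceil


def top_fraction(downloads: dict[str, int], fraction: float = 0.01) -> set[str]:
    """Return the names of the projects in the top `fraction` by download count.

    Assumption: the cut-off is rounded up (ceil) so that at least one project
    qualifies, and ties are broken by name so the result is deterministic.
    """
    if not downloads:
        return set()
    cutoff = max(1, ceil(len(downloads) * fraction))
    ranked = sorted(downloads.items(), key=lambda kv: (-kv[1], kv[0]))
    return {name for name, _ in ranked[:cutoff]}


def critical_set(downloads: dict[str, int], previously_critical: set[str],
                 fraction: float = 0.01) -> set[str]:
    """One daily recalculation: today's top 1% plus everything already critical.

    The union implements the article's "retain that designation indefinitely"
    rule, so a project never leaves the set by dropping out of the top 1%.
    """
    return top_fraction(downloads, fraction) | previously_critical


def publish_allowed(project: str, user: str, critical: set[str],
                    has_2fa: dict[str, bool]) -> bool:
    """Policy check: a maintainer of a critical project may publish only
    with 2FA enabled; non-critical projects are unaffected by the rule."""
    if project not in critical:
        return True
    return has_2fa.get(user, False)


def make_sample_downloads(n: int = 200) -> dict[str, int]:
    """Constructed sample data: pkg000 has the most downloads, the last the fewest."""
    return {f"pkg{i:03d}": (n - i) * 1000 for i in range(n)}


if __name__ == "__main__":
    day1 = make_sample_downloads()
    critical = critical_set(day1, set())
    print("day 1 critical:", sorted(critical))        # pkg000, pkg001

    # Day 2: pkg001's downloads collapse and pkg002 enters the top 1%,
    # but pkg001 stays critical because the designation is sticky.
    day2 = dict(day1)
    day2["pkg001"] = 0
    critical = critical_set(day2, critical)
    print("day 2 critical:", sorted(critical))        # pkg000, pkg001, pkg002

    # Hypothetical maintainer records: alice has 2FA enabled, bob does not.
    has_2fa = {"alice": True, "bob": False}
    print(publish_allowed("pkg001", "bob", critical, has_2fa))    # False
    print(publish_allowed("pkg150", "bob", critical, has_2fa))    # True
```

Because the set only ever grows, anyone mirroring this logic (for example to decide which of their own accounts must enrol a hardware key) has to carry the previous day's set forward rather than recomputing from download counts alone.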

The move, which is seen as an attempt to improve the supply chain security[4]
of the Python ecosystem, comes in the wake of a number of security
incidents targeting open-source repositories in recent months.


Last year, NPM developer accounts were hijacked[5]
by bad actors to insert malicious code into popular packages
“ua-parser-js,” “coa,” and “rc,” prompting GitHub to tighten the
security of the NPM registry by requiring 2FA for maintainers and
admins starting in the first quarter of 2022.

“Ensuring that the most widely used projects have these
protections against account takeover is one step towards our wider
efforts to improve the general security of the Python ecosystem for
all PyPI users,” PyPI said.

References

  1. said (twitter.com)
  2. added (pypi.org)
  3. 3,500 projects (p.datadoghq.com)
  4. supply chain security (thehackernews.com)
  5. hijacked (thehackernews.com)
