The Python Package Index (PyPI) has announced that it will require every account that manages a project on the platform to have two-factor authentication (2FA) turned on by the end of the year.
PyPI is a software repository for packages created in the Python programming language. The index hosts 200,000 packages, allowing developers to find existing packages that satisfy various project requirements, saving them time and effort.
The PyPI team says the decision to make 2FA mandatory on all accounts is part of their long-term commitment to enhancing security on the platform, complementing previous measures taken in that direction, like blocking compromised credentials and supporting API tokens.
One benefit of 2FA protection is the reduced risk of supply chain attacks. These types of attacks occur when a malicious actor gains control of the account of a software maintainer and adds a backdoor or malware to a package used as a dependency in various software projects.
Depending on how popular the package is, such attacks can impact millions of users. While developers are responsible for thoroughly inspecting their project’s building blocks, PyPI’s measure should make it easier to minimize this type of problem.
Additionally, the Python package repository has suffered from rampant malware uploads, impersonation of popular packages, and the re-submission of malicious code through hijacked accounts in recent months.
The problem reached such a magnitude that PyPI last week had to temporarily pause registrations of new users and projects until an effective defense solution could be developed and implemented.
2FA protection will help mitigate account takeover attacks and should also limit how many new accounts a suspended user can create to re-upload malicious packages.
Road to 2FA
The requirement to set up 2FA on all project and organization maintainer accounts must be met by the end of 2023.
In the coming months, affected users are advised to prepare by enabling the additional security measure, using either a hardware security key or an authenticator app.
“The most important things you can do to prepare are to enable 2FA for your account as soon as possible, either with a security device (preferred) or an authentication app, and to switch to using either Trusted Publishers (preferred) or API tokens to upload to PyPI.” – PyPI
The PyPI team says the preparatory work it has done in previous months, such as introducing ‘Trusted Publishing,’ combined with parallel initiatives from platforms like GitHub that have helped developers familiarize themselves with 2FA requirements, makes this year an excellent moment to introduce the measure.
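As an added illustration of the quoted advice to prefer Trusted Publishers over long-lived API tokens, here is a GitHub Actions workflow that uploads a package to PyPI through Trusted Publishing. It is example configuration written for this article, not PyPI's or any project's own workflow; the project layout, the `pypi` environment name and the release trigger are assumptions, and the workflow presumes the PyPI project has already been configured to trust this repository and workflow file. The commented-out step shows the older token-based upload the quote treats as the second choice.

```yaml
# Example workflow (constructed for this article): publish on every
# GitHub release using PyPI Trusted Publishing (OIDC), so no PyPI
# credential is stored in the repository's secrets.
name: Publish to PyPI

on:
  release:
    types: [published]

jobs:
  pypi-publish:
    runs-on: ubuntu-latest
    # Assumed environment name; a protected environment lets reviewers
    # gate the publish step and scopes the OIDC token to this job.
    environment: pypi
    permissions:
      # Required for Trusted Publishing: lets the job mint a short-lived
      # OIDC token that PyPI exchanges for a scoped upload token.
      id-token: write
      contents: read

    steps:
      - uses: actions/checkout@v4

      - uses: actions/setup-python@v5
        with:
          python-version: "3.x"

      - name: Build sdist and wheel
        run: |
          python -m pip install --upgrade build
          python -m build

      # Trusted Publishing: no username/password inputs at all.
      - name: Upload to PyPI
        uses: pypa/gh-action-pypi-publish@release/v1

      # Older alternative from the quote: a long-lived API token kept in
      # repository secrets. Still far better than a password, but the
      # token persists and must be rotated if the secret store leaks.
      # - name: Upload to PyPI (API token)
      #   uses: pypa/gh-action-pypi-publish@release/v1
      #   with:
      #     password: ${{ secrets.PYPI_API_TOKEN }}
```

The security-relevant difference is the credential lifetime: with Trusted Publishing the upload credential exists only for the duration of the job and is bound to this repository and workflow, so a leaked secrets store or a compromised maintainer login yields nothing reusable for uploading packages; the maintainer's own PyPI account, now behind 2FA, is needed only to configure the trust relationship.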