PyPI is moving to mandatory two-factor authentication.

26 May 2023

The maintainers of the Python package repository PyPI (Python Package Index) have announced that every user account that owns or maintains at least one project, or that helps maintain organization-managed packages, will be required to use two-factor authentication. The transition is planned to be completed by the end of 2023. Leading up to the deadline, functionality will be restricted in phases for developers who have not yet enabled two-factor authentication, and certain user categories will be required to enable it in advance.

Mandatory two-factor authentication is intended to harden the development process and protect projects from malicious changes introduced through leaked credentials, passwords reused on compromised websites, compromise of developers' local systems, or social engineering. Account takeover is one of the most dangerous threats to a package index: a successful attack lets the attacker inject malicious changes into every product and library that pulls the compromised package in as a dependency.

The preferred second factor is a compatible hardware token implementing the FIDO U2F specification and the WebAuthn protocol; these provide stronger protection than one-time passwords because the credential is bound to the legitimate site and cannot be replayed on a phishing page. Authenticator applications that support the TOTP protocol, such as Authy, Google Authenticator, and FreeOTP, can also be used. For uploading packages, developers are additionally advised to switch to the 'Trusted Publishers' method, which is based on the OpenID Connect (OIDC) standard, or to use scoped API tokens rather than passwords.
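As an added illustration of the Trusted Publishers recommendation (not part of the original article), the following GitHub Actions workflow publishes a package to PyPI with a short-lived OIDC token instead of a stored password or long-lived API token. It assumes a Python project using the standard `pyproject.toml` build and that a trusted publisher matching this repository, workflow file name and environment name has already been registered for the project on PyPI; the environment name `pypi` and the workflow file name are assumptions.

```yaml
# .github/workflows/publish.yml (example, not from the article)
# Publishes on every published GitHub release using PyPI Trusted Publishers.
name: Publish to PyPI

on:
  release:
    types: [published]

jobs:
  pypi-publish:
    runs-on: ubuntu-latest
    # The environment name must match the one registered on PyPI for
    # this publisher (assumed here to be "pypi"); it also lets you
    # require manual approval before a release job can run.
    environment: pypi
    permissions:
      # Required so the job can request an OIDC token from GitHub;
      # PyPI verifies the token's repository/workflow/environment
      # claims against the trusted-publisher configuration.
      id-token: write
      contents: read
    steps:
      - uses: actions/checkout@v4

      - uses: actions/setup-python@v5
        with:
          python-version: "3.x"

      - name: Build sdist and wheel
        run: |
          python -m pip install --upgrade build
          python -m build

      # No password or API token secret is configured anywhere in the
      # repository; the action exchanges the OIDC token for a
      # short-lived PyPI upload token at publish time.
      - name: Publish to PyPI
        uses: pypa/gh-action-pypi-publish@release/v1
```

Because no long-lived credential exists in repository secrets, a leaked password or token cannot be used to push a malicious release; an attacker would instead have to compromise the workflow itself, which is why the `environment` and branch protections on the release job matter.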
