The Python Package Index (PyPI) has recently declared that it will make two-factor authentication (2FA) compulsory for every account managing a project on the platform. Users are expected to enable 2FA by the end of 2023, as part of PyPI's ongoing efforts to strengthen security across the repository.
PyPI serves as a crucial software repository for packages developed in the Python programming language. With over 200,000 packages available on the platform, developers can readily find existing solutions to satisfy the needs of their projects, saving valuable time and resources.
According to the PyPI team, the decision to mandate 2FA for all accounts is a continuation of their long-term commitment to enhancing platform security. Previous steps in this direction include blocking compromised credentials and supporting API tokens. Implementing 2FA as a mandatory security measure is expected to further protect publishers and users.
One of the primary advantages of mandatory 2FA is a significant reduction in the risk of supply chain attacks. Such incidents occur when a threat actor takes control of a software maintainer's account and introduces a backdoor or malware into a package used as a dependency in multiple software projects. These attacks can potentially impact millions of users, depending on the popularity of the compromised package. While developers remain responsible for examining the components of their projects, PyPI's new security measure aims to reduce the occurrence of such issues.
In recent months, the Python project repository has experienced an increase in malware uploads, attempts to impersonate well-known packages, and the resubmission of harmful code through hijacked accounts. The severity of these issues compelled PyPI to temporarily pause new user and project registrations last week while a suitable defense was developed and applied.
With the introduction of mandatory 2FA, PyPI intends to tackle account takeover attacks and limit the number of new accounts that suspended users can create to re-upload malicious packages. In the coming months, affected users should prepare by activating the additional security layer, using either a hardware key or an authenticator app.
This trend of strengthening security measures across various platforms echoes the broader shift towards no-code and low-code solutions, such as AppMaster.io, which are designed to provide a safer and more efficient approach to software development. Enhancing security practices, particularly around managing software packages, benefits users and contributes to maintaining the integrity of open-source projects.