
PyPI Mandates 2FA For Critical Python Projects – Developer Criticized

PyPI, or the Python Package Index, is giving away 4,000 Google Titan security keys in its move to two-factor authentication (2FA) for critical projects built using the Python programming language.

The maintainers of the official third-party software repository for Python have begun imposing a new two-factor authentication (2FA) condition for projects deemed “critical.”


“We have begun to roll out a 2FA requirement: Soon, maintainers of crucial projects must be 2FA enabled in order to publish, update or modify them,” Python Package Index said last week in a tweet.

It added that the 2FA requirement covers any maintainer of a critical program (both ‘Maintainers’ and ‘Owners’).

Developers of critical projects who have not previously turned on 2FA on PyPI will be offered free hardware security keys from the Google Open Source Security Team.

Developers Criticized PyPI And Pushed Back

PyPI is managed by the Python Software Foundation and houses over 350,000 projects. Over 3,500 of these projects are tagged with “critical” designations.

The repository maintainers state that any project that has accounted for more than 1% of downloads in the past 6 months is considered critical. This determination will be recalculated daily.

However, once a project is classified as critical, it is expected to keep that designation indefinitely, even if it falls out of the top 1% of downloads.

This move is seen as an effort to improve supply chain security for the Python ecosystem. It comes after a series of security incidents that have targeted open-source repositories over the past months.

Last year, bad actors hijacked npm developer accounts to insert malicious code into the popular packages “ua-parser-js”, “coa”, and “rc”. This prompted GitHub to tighten security at the npm registry by requiring admins and maintainers to have 2FA starting in the first quarter of 2022.

PyPI stated, “Ensuring that most popular projects have these protections from account takeover is one of our larger efforts to improve security in the Python ecosystem for all PyPI users.”
