The maintainers of PyPI, the official third-party software repository for Python, have begun imposing a new two-factor authentication (2FA) requirement for projects deemed “critical”.
“We have started rolling out a 2FA requirement: soon, managers of critical projects will need to enable 2FA to publish, update, or modify them”, Python Package Index (PyPI) said in a tweet last week.
“Any maintainer of a critical project (both ‘maintainers’ and ‘owners’) is included in the 2FA requirement”, it added.
Additionally, developers of critical projects who have not yet enabled 2FA on PyPI are being offered free hardware security keys by the Google Open Source Security Team.
PyPI, which is maintained by the Python Software Foundation, hosts over 350,000 projects, of which over 3,500 are said to carry the “critical” designation.
According to the maintainers of the repository, any project in the top 1% of downloads over the previous six months is designated as critical, with the determination recalculated daily.
Once a project has been classified as critical, however, it is expected to retain that designation indefinitely, even if it later falls out of the top 1% by downloads.
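The two rules above (daily top-1% selection plus a designation that never drops) form a simple ratchet. The following Python is an added illustration, not PyPI's own code: it assumes a snapshot of six-month download counts per project and the previous day's critical set, and shows that a project which slips out of the top 1% stays critical. The download figures are constructed sample data.

```python
import math
from typing import Dict, Set

TOP_FRACTION = 0.01  # the "top 1%" threshold described in the article


def top_projects(downloads: Dict[str, int], fraction: float = TOP_FRACTION) -> Set[str]:
    """Return the projects in the top `fraction` by download count.

    Ties are broken by name so the result is deterministic; ceil() keeps
    at least one project even for very small repositories.
    """
    if not downloads:
        return set()
    cutoff = math.ceil(len(downloads) * fraction)
    ranked = sorted(downloads.items(), key=lambda kv: (-kv[1], kv[0]))
    return {name for name, _ in ranked[:cutoff]}


def recalculate_critical(downloads: Dict[str, int],
                         previously_critical: Set[str]) -> Set[str]:
    """Daily recalculation: today's top 1% plus every project that was
    already critical (the designation is retained indefinitely)."""
    return top_projects(downloads) | previously_critical


def two_fa_required(project: str, role: str, critical: Set[str]) -> bool:
    """Both 'maintainer' and 'owner' roles on a critical project fall under
    the 2FA requirement; other roles and non-critical projects do not."""
    return project in critical and role in {"maintainer", "owner"}


# Constructed sample: 300 projects, pkg300 the most downloaded.
DAY1 = {f"pkg{i}": i * 1000 for i in range(1, 301)}
# Day 2: pkg300's downloads collapse, so it leaves the top 1% on its own.
DAY2 = dict(DAY1, pkg300=10)


def demo() -> Set[str]:
    critical = recalculate_critical(DAY1, set())
    critical = recalculate_critical(DAY2, critical)
    return critical


if __name__ == "__main__":
    final = demo()
    print(sorted(final))                                    # pkg300 is still there
    print(two_fa_required("pkg300", "maintainer", final))   # True
    print(two_fa_required("pkg1", "owner", final))          # False
```

The ratchet means the set of 2FA-enforced projects only grows over time, which is the behaviour a defender wants: an attacker cannot wait for a package to dip in popularity to regain an unprotected publishing path.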
The move, which is seen as an attempt to improve the supply chain security of the Python ecosystem, follows a number of security incidents targeting open source repositories in recent months.
Last year, npm developer accounts were hijacked by bad actors to insert malicious code into the popular ‘ua-parser-js’, ‘coa’ and ‘rc’ packages, prompting GitHub to tighten npm registry security by requiring 2FA for maintainers and admins from the first quarter of 2022.
“Ensuring that the most widely used projects have these account takeover protections is one step towards our broader efforts to improve the general security of the Python ecosystem for all PyPI users,” said PyPI.