PyPI to enforce 2FA to prevent maintainers’ account takeover

Pierluigi Paganini May 30, 2023

PyPI is going to enforce two-factor authentication (2FA) for all project maintainers by the end of this year over security concerns.

Citing security concerns, PyPI announced that every project maintainer will have to use two-factor authentication (2FA) by the end of 2023.

Over the past few years, supply chain attacks targeting the Python package repository have become more frequent. Threat actors have been publishing malicious versions of existing packages, typically after gaining control of a maintainer’s account.

Mandatory 2FA is meant to protect maintainers against account takeover, as explained in the official announcement.

“Today, as part of that long term effort to secure the Python ecosystem, we are announcing that every account that maintains any project or organization on PyPI will be required to enable 2FA on their account by the end of 2023.” reads the announcement. “Between now and the end of the year, PyPI will begin gating access to certain site functionality based on 2FA usage. In addition, we may begin selecting certain users or projects for early enforcement.”

The PyPI maintainers urge developers to enable 2FA on their accounts as soon as possible, using a security device (preferred) or an authenticator app, and to switch to Trusted Publishers (preferred) or API tokens for uploading to PyPI.

The maintainers stress that supply chain attacks threaten not only widely used projects but also niche ones, since a compromised package anywhere in a dependency tree reaches everyone who depends on it.

“The attacker doesn’t care if they get you from a widely used or a niche project, just that they got you.” continues the announcement.

The measure announced by the Python repository will enhance security for both enterprises and individual developers.

“A compromise in the supply chain can be used to attack individual developers the same as it is able to attack corporate and business users. In fact, we believe that individual developers are in a more vulnerable position than corporate and business users.” concludes the announcement. “While businesses are generally able to hire staff and devote resources to vetting their dependencies, individual developers generally are not, and must expend their own limited free time to do so.”
