The maintainers of the official third-party software repository for Python have begun imposing a new two-factor authentication (2FA) condition for projects deemed “critical.”
“We’ve begun rolling out a 2FA requirement: soon, maintainers of critical projects must have 2FA enabled to publish, update, or modify them,” Python Package Index (PyPI) said in a tweet last week.
“Any maintainer of a critical project (both ‘Maintainers’ and ‘Owners’) are included in the 2FA requirement,” it added.
Additionally, the developers of critical projects who have not previously turned on 2FA on PyPI are being offered free hardware security keys from the Google Open Source Security Team.
PyPI, which is run by the Python Software Foundation, houses more than 350,000 projects, of which over 3,500 projects are said to be tagged with a “critical” designation.
According to the repository maintainers, any project accounting for the top 1% of downloads over the prior 6 months is designated as critical, with the determination recalculated on a daily basis.
But once a project has been classified as critical, it is expected to retain that designation indefinitely, even if it later drops out of the top 1% of downloads.
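As an added illustration of the designation rule just described (this is not PyPI's own code), the following Python sketch ranks projects by downloads over a rolling window, flags the top 1% each day, and never removes a project once flagged. The 180-day window length, the alphabetical tie-break and the download history are all constructed assumptions.

```python
# Illustration of PyPI's stated "critical project" rule (not PyPI's code):
# top 1% of downloads over the prior 6 months, recalculated daily, sticky.
import math
from collections import defaultdict

WINDOW_DAYS = 180   # assumption: "6 months" modelled as 180 days
TOP_FRACTION = 0.01

def window_totals(daily, today):
    """Sum downloads per project over the WINDOW_DAYS ending on `today`;
    `daily` maps a day index to {project: downloads}."""
    totals = defaultdict(int)
    for day in range(today - WINDOW_DAYS + 1, today + 1):
        for project, count in daily.get(day, {}).items():
            totals[project] += count
    return totals

def top_one_percent(totals):
    """Projects in the top 1% by windowed downloads (never fewer than one)."""
    if not totals:
        return set()
    n = max(1, math.ceil(len(totals) * TOP_FRACTION))
    ranked = sorted(totals.items(), key=lambda kv: (-kv[1], kv[0]))
    return {project for project, _ in ranked[:n]}

def recalc_critical(previous, totals):
    """One daily recalculation: newcomers join, nobody ever leaves."""
    return previous | top_one_percent(totals)

def simulate(daily, days):
    """Run the daily recalculation for `days` days; return the final set."""
    critical = set()
    for today in range(days):
        critical = recalc_critical(critical, window_totals(daily, today))
    return critical

def constructed_history(days=360):
    """Constructed data: 197 steady fillers plus alpha (busy, then abandoned),
    beta (always busy) and gamma (quiet, then busy). 200 projects, so top 1% = 2."""
    daily = {}
    for day in range(days):
        row = {f"pkg{i:03d}": 10 for i in range(197)}
        row["alpha"] = 1000 if day < 180 else 0
        row["beta"] = 1000
        row["gamma"] = 1000 if day >= 180 else 0
        daily[day] = row
    return daily
```

After a full year, `alpha` no longer ranks in the top 1% of the current window, yet it remains in the critical set because the designation is never revoked.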
The move, which is seen as an attempt to improve the supply chain security of the Python ecosystem, comes in the wake of a number of security incidents targeting open-source repositories in recent months.
Last year, NPM developer accounts were hijacked by bad actors to insert malicious code into popular packages “ua-parser-js,” “coa,” and “rc,” prompting GitHub to tighten the security of the NPM registry by requiring 2FA for maintainers and admins starting in the first quarter of 2022.
“Ensuring that the most widely used projects have these protections against account takeover is one step towards our wider efforts to improve the general security of the Python ecosystem for all PyPI users,” PyPI said.