PyPI brings in mandatory 2FA for all software publishers following recent security issues

PyPI has announced that all users who maintain a project or organization on the platform must now set up two-factor authentication in an effort to increase security.

This follows previous measures set out by PyPI, including optional 2FA, blocking compromised passwords, support for API tokens, and mandatory 2FA for certain projects.

This comes just days after some new registrations were suspended on the platform following a surge of malicious code, impersonation, and other security concerns.

2FA for PyPI

Many users are likely to have a six-month window to apply the additional authentication measure to their account, with plans drawn up to make 2FA mandatory by the end of this year. The Python repository’s official blog post explains more:

“Between now and the end of the year, PyPI will begin gating access to certain site functionality based on 2FA usage. In addition, we may begin selecting certain users or projects for early enforcement.”

The post continues to detail the preferred method of authentication – physical devices – though authenticator apps and other services remain supported. Uploads should be done via trusted publishers or API tokens to ensure optimal security, too.

When addressing the question of why not all users should be required to use 2FA, PyPI says: “an account without access to any project cannot be used to attack anyone, so it is a very low value target.”

Among the numerous reasons given for employing mandatory 2FA, PyPI calls out GitHub for taking similar steps, as well as funding that enabled the hiring of a PyPI Safety and Security Engineer.

As two- and multi-factor authentication become increasingly important for securing accounts, many have criticised SMS-based authentication for its weaker security and its reliance on cellular service. Then there is the gradual rollout of passwordless passkeys, which is slowly gaining traction after a delayed start.