Python Package Index, commonly known as PyPI, recently revealed plans to require two-factor authentication (2FA) for all its project maintainers, with full enforcement anticipated by the end of the year.
This major security upgrade follows a series of supply chain attacks targeting the popular third-party Python software repository in recent years.
The sweeping implementation of 2FA is set to significantly bolster PyPI's security protocols, making it more difficult for cybercriminals to cause damage.
According to PyPI's announcement, "every account that maintains any project or organization on PyPI will be required to enable 2FA on their account by the end of 2023. Furthermore, the repository stated that "between now and the end of the year, PyPI will begin gating access to certain site functionality based on 2FA usage. In addition, we may begin selecting certain users or projects for early enforcement."
Supply chain attacks have become increasingly popular among cybercriminals who target legitimate software packages to spread malicious software. These attacks pose a significant threat as they can compromise numerous systems through a single vulnerable point.
Since PyPI hosts more than 400,000 projects (436,502 at the time of writing) with over 4 billion downloads per week (4.7 billion last week), so the potential damage from a successful supply chain attack is considerable.
PyPI's decision to enforce 2FA is viewed as a critical step toward bolstering the safety of both the Python community and its overarching ecosystem. 2FA is a security method that requires users to provide two separate forms of identification to access their accounts.
This method significantly reduces the incidence of account breaches; even if a malefactor steals a victim’s credentials, an additional layer of identification, often in the form of a personal device, is required.
The move will likely deter many attackers, who will now find it much harder to break into project maintainer accounts.
The PyPI team has provided guidance on its blog, encouraging project maintainers to enable 2FA as soon as it becomes available, "either with a security device (preferred) or an authentication app and to switch to using either Trusted Publishers (preferred) or API tokens to upload to PyPI."
In an additional measure to safeguard its users and repository, PyPI recently halted new user registrations and package uploads temporarily to tackle an ongoing cyberattack. By suspending these features, PyPI mitigated the attack, minimizing potential damage and demonstrating its commitment to the safety of the Python community and the broader ecosystem.