PyPI Repository Enforces Mandatory 2FA Policy for Critical Python Projects

Python Package Index (PyPI), the official third-party open-source Python projects repository, is taking steps to enforce a mandatory 2FA policy for “critical” project maintainers.

The new security policy affects both ‘Maintainers’ and ‘Owners’ of projects flagged ‘Critical’ by the repository.

“We've begun rolling out a 2FA requirement: soon, maintainers of critical projects must have 2FA enabled to publish, update, or modify them," PyPI announced in a tweet last week.

Additionally, the repository’s maintainers offer free hardware security keys to critical project developers. To be eligible, project owners or maintainers must have not previously enabled 2FA on PyPI and they must live in an area where shipping is possible.

While most repository members welcomed the mandatory 2FA decision, some opposed it. The developer of one popular Python project chose to delete and republish their code on PyPI to annul the “critical” tag assigned by the platform.

PyPI maintainers said the top 1% most downloaded projects on the platform are all deemed critical. The algorithm checks daily for projects that make the cut and labels them as necessary, constantly expanding the list.

On the other hand, projects flagged as “Critical” are expected to keep the label for good, even if they are eventually excluded from the top 1% download list.

Currently, the repository hosts north of 350,000 projects, which means that over 3,500 projects will be designated “Critical” after the 2FA decision.

PyPI’s decision to mandate 2FA likely stems from recent security incidents regarding legitimate projects getting hijacked on open-source platforms such as PyPI and npm.

“Ensuring that the most widely used projects have these protections against account takeover is one step towards our wider efforts to improve the general security of the Python ecosystem for all PyPI users,” PyPI said.