The Python Package Index (PyPI) has announced that it will require every account that manages a project on the platform to have two-factor authentication (2FA) enabled by the end of the year.
PyPI is a software repository for packages created in the Python programming language. The index hosts 200,000 packages, allowing developers to find existing packages that meet various project requirements, saving them time and effort.
The PyPI team says the decision to make 2FA mandatory on all accounts is part of its long-term commitment to improving security on the platform, complementing earlier steps in the same direction, such as blocking compromised user credentials and adding API token support.
One of the benefits of 2FA protection is the reduced risk of supply chain attacks. These types of attacks occur when a malicious actor takes control of a software maintainer’s account and adds a backdoor or malware to a package used as a dependency in various software projects.
Depending on the popularity of the package, such attacks can impact millions of users. While developers remain responsible for thoroughly inspecting the building blocks of their projects, PyPI's measure should make this type of problem easier to contain.
Additionally, over the past few months the Python package repository has suffered from malware uploads, impersonation of well-known packages, and the resubmission of malicious code through hijacked accounts.
The problem grew to such an extent that PyPI last week had to temporarily suspend new user and project registrations until an effective defense could be developed and implemented.
2FA protection will help mitigate account takeover attacks and should also limit the number of new accounts a suspended user can create to re-upload malicious packages.
Road to 2FA
The requirement to enable 2FA on all project maintainer and organization accounts has a deadline of the end of 2023.
Over the coming months, affected users are advised to prepare and activate the additional security measure using a hardware key or an authenticator app.
The PyPI team says that the preparatory work it has done over the previous months, such as the introduction of 'Trusted Publishers', combined with parallel initiatives from platforms such as GitHub that have helped developers get used to 2FA requirements, makes this year a good time to introduce the measure.