PyPI Implements Mandatory Two-Factor Authentication for Project Owners

The Python Package Index (PyPI) announced last week that every account that maintains a project on the official third-party software repository will be required to turn on two-factor authentication (2FA) by the end of the year.

“Between now and the end of the year, PyPI will begin gating access to certain site functionality based on 2FA usage,” PyPI administrator Donald Stufft said. “In addition, we may begin selecting certain users or projects for early enforcement.”

The enforcement also includes organization maintainers, but does not extend to every single user of the service.

The goal is to neutralize the threats posed by account takeover attacks, which an attacker can leverage to distribute trojanized versions of popular packages to poison the software supply chain and deploy malware on a large scale.

PyPI, like other open source repositories such as npm, has witnessed innumerable instances of malware and package impersonation.

Earlier this month, Fortinet FortiGuard Labs discovered over 30 Python libraries that incorporated various features to connect to arbitrary remote URLs and steal sensitive data from compromised machines.

The development comes nearly a year after PyPI made 2FA mandatory for critical project maintainers. The registry is home to 457,125 projects and 704,458 users.

According to cloud monitoring service provider Datadog, 9,580 users and 4,541 projects have been identified as critical, with 2FA enabled in total for 38,248 users to date.