PyPI, the Python repository, has recently announced that all users who maintain a project or organization on the platform must now set up two-factor authentication (2FA) in an effort to increase security. This move comes after several other measures were implemented by PyPI, including optional 2FA, blocking compromised passwords, support for API tokens, and mandatory 2FA for certain projects. The decision to make 2FA mandatory was prompted by an excess of malicious code, impersonation, and other security concerns that led to the suspension of new registrations on the platform.
Many users will have a six-month window to apply the additional authentication measure to their account, with plans drawn up to make 2FA mandatory by the end of this year. PyPI’s official blog post explains that “Between now and the end of the year, PyPI will begin gating access to certain site functionality based on 2FA usage. In addition, we may begin selecting certain users or projects for early enforcement.” The post also details the preferred method of authentication – physical devices – though authenticator apps and other services remain supported. Uploads should be done via trusted publishers or API tokens to ensure optimal security.
PyPI has given several reasons for employing mandatory 2FA, including GitHub taking similar steps and funding that enabled the hiring of a PyPI Safety and Security Engineer. As two- and multi-factor authentication become increasingly important for securing accounts, many have criticized SMS-based authentication for its inferior security and reliance on cellular service. There is also the gradual rollout of passwordless passkeys, which is slowly gaining traction after a delayed start.
While some may question why not all users should be forced to use 2FA, PyPI explains that “an account without access to any project cannot be used to attack anyone so it is a very low value target.” However, as the platform continues to grow and attract more users, it becomes increasingly important to implement measures that ensure the security and integrity of the platform.
In conclusion, PyPI’s decision to make 2FA mandatory for all users who maintain a project or organization on the platform is a step in the right direction towards improving security. With the increasing prevalence of cyber attacks and data breaches, it is crucial that platforms like PyPI take proactive measures to protect their users and their data. While some may find the additional authentication measure to be inconvenient, it is a small price to pay for the peace of mind that comes with knowing that their data is secure.
