The Python Package Index (PyPI) has made an important security announcement, stating that all account holders responsible for maintaining a project on the platform must enable two-factor authentication (2FA) by the end of the year.
This move is part of PyPI’s effort to counter the risks posed by account takeover attacks, which could lead to the distribution of tampered versions of widely used software packages, compromising the software supply chain and enabling the deployment of malware on a large scale. PyPI administrator Donald Stufft emphasized that access to certain site functionalities will be gated based on 2FA usage, with the possibility of early enforcement for specific users or projects.
The requirement applies to project maintainers and organization maintainers, not to every PyPI user. Scoping it to the accounts that can publish and modify packages is intended to harden PyPI against unauthorized access and malicious activity where an account takeover would do the most damage.
PyPI, like other open source repositories such as npm, has faced numerous instances of malware and package impersonation, underscoring the importance of enhanced security measures.
This announcement follows PyPI’s previous decision to make 2FA mandatory for critical project maintainers nearly a year ago. Currently, PyPI hosts 457,125 projects and has 704,458 registered users.
According to cloud monitoring provider Datadog, 38,248 users have already enabled 2FA, and 9,580 users and 4,541 projects have been identified as critical. By enforcing 2FA for all project maintainers, PyPI aims to create a safer environment and protect the integrity of the software ecosystem it supports.