PyPI Repository makes 2FA security mandatory for critical Python projects


The administrators of the official Python third-party software repository have begun enforcing a new two-factor authentication (2FA) requirement on projects deemed “critical”.

“We have started rolling out a 2FA requirement: soon administrators of critical projects must have 2FA enabled to publish, update or modify them,” the Python Package Index (PyPI) said in a tweet last week.

“Each manager of a critical project (both ‘Maintainers’ and ‘Owners’) is included in the 2FA requirement,” they added.

In addition, developers of critical projects who have not previously enabled 2FA on PyPI will receive free hardware security keys from the Google Open Source Security Team.

PyPI, which is managed by the Python Software Foundation, is home to more than 350,000 projects, of which more than 3,500 are said to carry the “critical” designation.

According to the repository’s administrators, any project responsible for the top 1% of downloads in the past 6 months is considered critical, with the determination recalculated daily.

But once a project is classified as critical, it is expected to keep that designation indefinitely, even if it disappears from the top 1% download list.
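The designation rule described above (top 1% by downloads, recomputed daily, kept once earned) and the resulting publish check, as an added illustration that is not PyPI's own code; the project names and download counts are constructed sample data, and the 1% cutoff is rounded up so that the top tier is never empty (an assumption, since the article does not state how rounding is handled).

```python
from math import ceil

# Constructed sample: download counts over the lookback window (not real PyPI data).
SAMPLE_DOWNLOADS = {
    "alpha": 9_000_000, "beta": 7_500_000, "gamma": 4_200_000, "delta": 3_900_000,
    "epsilon": 2_100_000, "zeta": 1_750_000, "eta": 900_000, "theta": 640_000,
    "iota": 310_000, "kappa": 120_000, "lambda": 45_000, "legacy": 2_000,
}


def critical_projects(downloads, previously_critical=frozenset(), top_fraction=0.01):
    """Return the set of projects that count as critical for today's recalculation.

    A project is critical if it sits in the top `top_fraction` of projects ranked
    by downloads, or if it was ever critical before: the designation is sticky,
    so falling out of the top 1% later does not remove it.
    """
    if not downloads:
        return set(previously_critical)
    # Rank by downloads, breaking ties on name so the result is deterministic.
    ranked = sorted(downloads, key=lambda name: (-downloads[name], name))
    cutoff = max(1, ceil(len(ranked) * top_fraction))  # assumption: round up
    return set(ranked[:cutoff]) | set(previously_critical)


def may_publish(project, user_has_2fa, critical):
    """Publishing, updating or modifying a critical project requires the acting
    maintainer or owner to have 2FA enabled; other projects are unaffected."""
    return user_has_2fa or project not in critical


if __name__ == "__main__":
    # "legacy" was critical in an earlier recalculation and keeps the flag.
    today = critical_projects(SAMPLE_DOWNLOADS, previously_critical={"legacy"})
    print("critical today:", sorted(today))
    for name, has_2fa in (("alpha", False), ("alpha", True), ("zeta", False)):
        print(f"{name} publish by user with 2FA={has_2fa}:", may_publish(name, has_2fa, today))
```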

The move, seen as an effort to improve the security of the Python ecosystem’s supply chain, comes in the wake of a number of security incidents targeting open-source repositories in recent months.

Last year, NPM developer accounts were hijacked by malicious parties to insert malicious code into the popular packages “ua-parser-js”, “coa” and “rc”, prompting GitHub to tighten the security of the NPM registry by requiring 2FA for maintainers and administrators from the first quarter of 2022.

“Ensuring that the most frequently used projects have this account takeover protection is a step towards our broader efforts to improve the overall security of the Python ecosystem for all PyPI users,” said PyPI.