PyPI has announced that all users who maintain a project or organization on the platform must now set up two-factor authentication in an effort to increase security.
This follows previous measures set out by PyPI, including optional 2FA, blocking compromised passwords, support for API tokens, and mandatory 2FA for certain projects.
This comes just days after some new registrations were suspended on the platform following an excess of malicious code, impersonation, and other security concerns.
2FA for PyPI
Many users are likely to have a six-month window to apply the additional authentication measure to their account, with plans drawn up to make 2FA mandatory by the end of this year. The Python repository’s official blog post explains more:
“Between now and the end of the year, PyPI will begin gating access to certain site functionality based on 2FA usage. In addition, we may begin selecting certain users or projects for early enforcement.”
The post continues to detail the preferred method of authentication – physical devices – though authenticator apps and other services remain supported. Uploads should be done via trusted publishers or API tokens to ensure optimal security, too.
When posing itself the question of why not all users should be forced to use 2FA, PyPI says: “an account without access to any project cannot be used to attack anyone 2 so it is a very low value target.”
Among the numerous reasons given for employing mandatory 2FA, PyPI calls out GitHub for taking similar steps, as well as funding that enabled the hiring of a PyPI Safety and Security Engineer.
As two- and multi-factor authentication become increasingly important for securing accounts, many have slated SMS-based authentication for its inferior security and reliance on cellular service. Then, there is the gradual rollout of passwordless passkeys, which is slowly building traction after a delayed start.
English
Arabic
Belarusian
Bengali
Bosnian
Bulgarian
Chinese (Simplified)
Croatian
Czech
Danish
Dutch
Estonian
Filipino
Finnish
French
Georgian
German
Greek
Gujarati
Hausa
Hebrew
Hindi
Hmong
Hungarian
Igbo
Indonesian
Italian
Japanese
Javanese
Kazakh
Korean
Kurdish (Kurmanji)
Kyrgyz
Lao
Latvian
Lithuanian
Macedonian
Malagasy
Norwegian
Persian
Polish
Portuguese
Punjabi
Romanian
Russian
Serbian
Slovak
Slovenian
Spanish
Swedish
Thai
Turkish
Ukrainian
Vietnamese
Yoruba