PyPI Catalog Implements Mandatory Two-Factor Authentication

The developers of the Python package repository PyPI (Python Package Index) have announced that two-factor authentication (2FA) is now mandatory for all users. Users must provide an additional authentication factor in order to upload files and perform project-management actions. Previously, 2FA was required only for accounts associated with at least one project, or for packages maintained by an organization. The announcement can be found here.

Mandatory 2FA is intended to harden the development process and protect projects from being turned into malware carriers. By requiring a second factor, the Python Package Index reduces the impact of leaked account data, reused or compromised passwords, compromised developer workstations, and social engineering attacks. Account takeover is a significant threat because an attacker who controls a maintainer account can inject malicious code into a package, and from there into every product and library that pulls that package in as a dependency.

The preferred 2FA method is based on FIDO U2F hardware tokens and the WebAuthn protocol, which offers a higher level of security than one-time passwords. Alternatively, users can use applications that support the TOTP protocol, such as Authy, Google Authenticator, and FreeOTP. Developers are also encouraged to switch to the 'Trusted Publishers' authentication method, based on the OpenID Connect (OIDC) standard, or to use API tokens when uploading packages.
