The developers of the PyPI repository of Python packages have introduced an additional verification step for user login. This new step requires confirmation through email if a login attempt is made from a device or browser that has not been used to log in previously. This confirmation is in addition to the existing two-factor authentication process, which involves entering a one-time code along with regular credentials. However, if users utilize WebAuthn or Passkeys technologies for authentication, they will not need to go through the additional email confirmation.
The reason behind this new security measure is to enhance protection against phishing attacks. Recently, attackers have employed transparent proxying to relay traffic from phishing sites to the real pypi.org website, making it seem like users are interacting with the authentic PyPI repository. This tactic allows attackers to capture both the password entered at the initial login and the response to the second-factor authentication request.
The new email confirmation requirement serves as an added layer of security to prevent compromise in cases where the TOTP code and password are intercepted. It also notifies users about login attempts from unfamiliar devices. During a proxying attack, attackers may capture account details and the one-time TOTP code, but they cannot manipulate the email confirmation, which necessitates clicking on a link provided in the email.
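As an added illustration, not PyPI's own code, the following Python sketch models the flow described above: a login with the correct password and TOTP from a device the account has never used is held until a single-use, expiring confirmation token (the link in the email) is followed, while a WebAuthn login skips that step. The password, TOTP value, token lifetime and in-memory "outbox" are constructed for the demo.

```python
import secrets
import time

TOKEN_TTL = 600  # seconds a confirmation link stays valid (assumed value)


class LoginService:
    def __init__(self):
        self.known_devices = {}  # username -> set of device fingerprints
        self.pending = {}        # token -> (username, device, expiry)
        self.outbox = []         # (username, token): the "emails" sent

    def _password_and_totp_ok(self, username, password, totp):
        # Stand-in for the real checks. Note that a transparent proxy
        # relaying the victim's input can satisfy both of these.
        return password == "correct horse" and totp == "123456"

    def login_with_totp(self, username, password, totp, device):
        if not self._password_and_totp_ok(username, password, totp):
            return "denied"
        if device in self.known_devices.get(username, set()):
            return "ok"
        # Unknown device: hold the session and send a single-use link.
        # The attacker never sees the mailbox, so the relayed secrets
        # alone cannot complete the login.
        token = secrets.token_urlsafe(32)
        self.pending[token] = (username, device, time.time() + TOKEN_TTL)
        self.outbox.append((username, token))
        return "email-confirmation-required"

    def login_with_webauthn(self, username, assertion_valid, device):
        # WebAuthn assertions are bound to the origin that requested them,
        # so a proxy on another domain cannot replay them; no email step.
        if not assertion_valid:
            return "denied"
        self.known_devices.setdefault(username, set()).add(device)
        return "ok"

    def confirm(self, token):
        entry = self.pending.pop(token, None)  # pop makes it single-use
        if entry is None:
            return "invalid"
        username, device, expiry = entry
        if time.time() > expiry:
            return "expired"
        self.known_devices.setdefault(username, set()).add(device)
        return "ok"
```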
If a user receives a verification email without having attempted to log in, it is advised not to click on the link. If the user did attempt to log in, but from a device they had already used before, they should check whether the attempt went through a phishing site. If suspicious activity is detected, it is crucial to change the password immediately and review the account's activity log.