PyPI Adopts Mandatory Two-Factor Authentication

The Python Package Index (PyPI) is mandating two-factor authentication for every user account that maintains at least one project or belongs to an organization that manages packages. The platform's developers announced the change and intend to complete the transition to mandatory two-factor authentication before the end of 2023. Until then, they plan a phased restriction of functionality for maintainers who have not yet enabled the feature.

Certain categories of users will have the requirement applied ahead of the general deadline. The feature is intended to protect the development process of hosted projects and to prevent malicious releases from being published through accounts compromised by password reuse or social engineering.

One consequence of unauthorized access is that attackers can inject malware into other products and libraries that pull in the compromised package as a dependency. The PyPI developers recommend FIDO U2F hardware tokens used over the WebAuthn protocol as the preferred second factor, since this combination offers a higher level of security than one-time passwords.

In addition to hardware tokens, developers can authenticate with applications that support the TOTP protocol, such as Authy, Google Authenticator, and FreeOTP. When uploading packages, developers are required to use either the Trusted Publishers method, which is based on the OpenID Connect standard, or API tokens.

The PyPI developers believe that mandatory two-factor authentication will strengthen the platform's protection for everyone who develops and consumes its packages.
