As part of a push that requires two-factor authentication for critical projects, the Python Package Index will distribute 4,000 Google Titan security keys to developers.

PyPI, the largest package manager for Python libraries and software components, has decided to require two-factor authentication for maintainers of “critical” Python projects. Two-factor authentication must be enabled before these developers can publish, update, or modify their projects. The requirement protects developers from account hijacking through stolen credentials. There are many examples of supply chain attacks in which an attacker takes over a code repository, or a software library or module hosted by a popular package manager, and uses it to distribute malicious code.

A “Critical” designation is assigned to all PyPI projects that make up the top 1% of downloads over the last 6 months. A dashboard published by PyPI shows that over 3,800 PyPI projects and 8,200 user accounts fall under this designation. Currently, 28,336 users have voluntarily enabled two-factor authentication.

“Ensuring that these protections against account hijacking are applied to the most widely used projects is a step towards a broader effort to improve the general security of the Python ecosystem for all PyPI users,” the PyPI administrator announced.

The decision to require two-factor authentication is an attempt to improve the security of the Python ecosystem’s supply chain and mirrors a similar decision by GitHub to require two-factor authentication earlier this year. Recognizing that attackers are increasingly targeting the npm registry, the JavaScript equivalent of PyPI, GitHub automatically enrolled the maintainers of the top 100 npm packages in two-factor authentication in February.