web analytics
Home » Technology » PyPI Requires 2FA For All Developers Now

PyPI Requires 2FA For All Developers Now

python

The open-source repository for Python projects (PyPI) has been struggling with malware lately. After administrators stopped new sign-ups, it has now been announced that all developers will have to make their accounts more secure by the end of 2023.

If you want to provide a package in the Python Package Index (PyPI), you will have to use two-factor authentication (2FA) in the future. In addition to the password, a one-time code, which is calculated on the basis of a previously shared key and the current time, is required for logging in. According to Bleeping Computer, the measure will come into force at the end of the year and is intended to prevent accounts from being compromised and used to spread malware. This has happened again and again in the past.

Just a week ago, the administrators of PyPI temporarily blocked the registration of new accounts. Therefore, no further projects can be offered on the platform at the moment. This step is intended to prevent attackers from creating new accounts and uploading malicious code. The open-source repository has been particularly struggling with malicious packages lately. Existing users are not affected by the measure and can continue to log in.

2FA already required for critical projects

As early as the summer of 2022, the administrators of PyPI announced that developers of critical projects would have to set up 2FA. For this purpose, 4000 free hardware security keys were offered in cooperation with Google. The one percent of packages with the most downloads is considered critical. However, some developers have criticized the 2FA requirement because they offer their code for free anyway and don’t want to deal with supply chain security.