PyPI starts rolling out required 2FA for important projects

The Python Package Index (PyPI) says it has begun rolling out a two-factor authentication (2FA) requirement under which maintainers of critical projects must have 2FA enabled to publish, update, or modify them. PyPI plays an important role in the Python developers’ ecosystem.

Python repository

PyPI is the repository of software for the Python programming language. Python is a high-level, interpreted, general-purpose programming language, and a very popular one that is often used on servers to create web applications.

Many web developers, and others, use Python packages or add-on libraries from other developers as building blocks to develop their own projects. The Python Software Foundation (PSF) manages the PyPI repository where Python developers can get third-party developed open-source packages for their projects.

Critical projects

The projects rated as critical by the PSF are those that are in the top 1% of downloads. Maintainers of such projects should have received an email about the new requirement. The requirement will go into effect in the coming months. Based on the 1% rule, over 3,500 projects have received the critical designation.

The good news is that every project has the option to set 2FA as required. And, to ensure that maintainers of critical projects have the ability to implement strong 2FA with security keys, the Google Open Source Security Team has provided a limited number of security keys to distribute among critical project maintainers.

The reason

As you can imagine, unauthorized access to a project that many others depend on opens up the possibility of a software supply chain attack. So, introducing the 2FA requirement for critical projects decreases the possibility that someone might introduce malicious code into a popular project.

We have all seen the problems with Log4j. For those who missed it, Log4j is an open source logging library written in Java and developed by the Apache Software Foundation. Millions of applications use it, and some of them are enormously popular, so the potential reach of this problem turned out to be enormous.

A similar problem that remains unresolved by these new requirements is the use of packages that are purposely named after popular projects to confuse users into downloading a malicious version.
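Since 2FA does not address lookalike names, a dependency review can flag them before installation. The following is an added example, not code from PyPI or from this article: it applies PEP 503 name normalization and an edit-distance check to a requirements list. The list of popular names, the sample requirements, and the distance threshold of 2 are assumptions chosen for illustration.

```python
import re

# Constructed sample of well-known project names; in practice this would be
# an organisation's own list of approved dependencies (assumption).
POPULAR = ["requests", "urllib3", "numpy", "python-dateutil", "setuptools"]

def normalize(name: str) -> str:
    """PEP 503 normalisation: lowercase, runs of - _ . collapse to one '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance (insert, delete, substitute), computed row by row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete ca
                           cur[j - 1] + 1,              # insert cb
                           prev[j - 1] + (ca != cb)))   # substitute
        prev = cur
    return prev[-1]

def lookalikes(requirements, popular=POPULAR, max_distance=2):
    """Return {requirement: popular_name} for names that are close to, but
    not identical to, a popular project after normalisation."""
    known = {normalize(p): p for p in popular}
    flagged = {}
    for req in requirements:
        n = normalize(req)
        if n in known:
            continue  # exact match to a listed project: nothing to flag
        for k, original in known.items():
            # Also compare with separators removed, so variants that only
            # add or drop '-', '_' or '.' are caught.
            d = min(edit_distance(n, k),
                    edit_distance(n.replace("-", ""), k.replace("-", "")))
            if d <= max_distance:
                flagged[req] = original
                break
    return flagged

# Constructed requirements list for illustration.
SAMPLE = ["Requests", "reqeusts", "numpy", "nunpy", "pythondateutil", "flask"]

if __name__ == "__main__":
    for name, target in lookalikes(SAMPLE).items():
        print(f"{name!r} looks like {target!r}: verify before installing")
```

A flagged name is a prompt for manual review, not proof of malice; short legitimate names can also fall within the threshold of a popular one.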

Mixed feelings

As you would expect on Twitter, there are some mixed feelings among those impacted by this new requirement. They range from developers saying goodbye to their popular project to those wondering why 2FA wasn’t already mandatory in the first place.

For all those with unanswered questions, PyPI has put up a FAQ about the 2FA implementation, along with the key giveaway.


Pieter Arntz

Malware Intelligence Researcher

Was a Microsoft MVP in consumer security for 12 years running. Can speak four languages. Smells of rich mahogany and leather-bound books.