The Python Software Foundation has announced that every account maintaining any project or organization on PyPI, the official third-party open-source repository for Python projects, must enable two-factor authentication (2FA) by the end of this year.
At present, PyPI supports 2FA but does not require it.
“Between now and the end of the year, PyPI will begin gating access to certain site functionality based on 2FA usage. In addition, we may begin selecting certain users or projects for early enforcement,” the Foundation said.
The move follows multiple incidents involving malicious Python packages delivering malware and aims to improve the supply chain security of the Python ecosystem. Earlier this month, the Foundation had to temporarily suspend new user and new project name registration on PyPI due to the volume of malicious users and malicious projects being created on the index.
The new requirement is the latest step in a long-term effort to secure the Python ecosystem, building on previously implemented measures: blocking compromised passwords, strong 2FA support using TOTP and WebAuthn, API tokens with offline attenuation, mandatory 2FA for the most downloaded projects, and short-lived tokens for upload.