Python: PyPI deploys a 2FA system and distributes 4,000 security keys

PyPI, the Python Package Index, is distributing 4,000 Google Titan security keys as part of its initiative to make two-factor authentication (2FA) mandatory for maintainers of critical projects hosted on the index.

Python is one of the most popular programming languages in the world, valued in particular for the breadth of its third-party packages, which make it a staple of data science. Developers update these packages frequently, and attackers have exploited that habit to backdoor Windows, Linux and macOS machines by publishing fake packages whose names are near-copies of legitimate ones (typosquatting).
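The look-alike-name attack described above can be checked for on the consuming side before `pip install` ever runs. The following is an added example, not code from PyPI or the PSF: it flags entries in a requirements file whose PEP 503-normalised names fall within a small edit distance of a constructed allowlist of popular packages. Both the allowlist (`POPULAR`) and the sample requirements text are constructed for illustration; a real deployment would load the allowlist from PyPI's published download statistics and keep it current.

```python
"""Typosquat check for a requirements.txt (added example, not PyPI's code)."""
import re
from difflib import SequenceMatcher  # noqa: F401  (stdlib alternative to edit_distance below)

# Constructed allowlist of legitimate, popular package names.
# Assumption: in practice this comes from the top-N PyPI download list.
POPULAR = {
    "requests", "urllib3", "numpy", "pandas", "setuptools", "six",
    "python-dateutil", "cryptography", "colorama", "boto3",
}

# Constructed sample requirements.txt containing two look-alike entries.
SAMPLE_REQUIREMENTS = """\
requests==2.28.1
reqeusts==2.28.1
numpy>=1.23
python-dateutils
boto3
# comment line
-r other.txt
"""


def normalize(name):
    """PEP 503 normalisation: lower-case, and runs of '-', '_', '.' become one '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def parse_requirements(text):
    """Return bare project names from requirements lines; skip options, comments and URLs."""
    names = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("-") or "://" in line:
            continue
        # The name ends where extras, version specifiers or markers begin.
        m = re.match(r"^([A-Za-z0-9][A-Za-z0-9._-]*)", line)
        if m:
            names.append(m.group(1))
    return names


def edit_distance(a, b):
    """Levenshtein distance via the standard iterative dynamic-programming table."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # deletion
                           cur[j - 1] + 1,         # insertion
                           prev[j - 1] + (ca != cb)))  # substitution
        prev = cur
    return prev[-1]


def typosquat_candidates(name, popular=POPULAR):
    """Popular names that `name` resembles without matching exactly.

    Threshold is stricter for short names so that e.g. 'six' is not
    flagged against every other three-letter package.
    """
    n = normalize(name)
    normalized = {normalize(p): p for p in popular}
    if n in normalized:
        return []  # exact match with a known package: not a squat
    hits = []
    for pn, original in normalized.items():
        threshold = 1 if len(pn) <= 5 else 2
        if edit_distance(n, pn) <= threshold:
            hits.append(original)
    return sorted(hits)


def check_requirements(text, popular=POPULAR):
    """Map each suspicious requirement name to the popular packages it resembles."""
    findings = {}
    for name in parse_requirements(text):
        hits = typosquat_candidates(name, popular)
        if hits:
            findings[name] = hits
    return findings


if __name__ == "__main__":
    for name, hits in check_requirements(SAMPLE_REQUIREMENTS).items():
        print(f"suspicious: {name!r} resembles {hits}")
```

Note that a transposition such as `reqeusts` costs two Levenshtein edits, which is why the threshold for longer names is 2; a Damerau-Levenshtein variant would count it as one. The check is a heuristic: it cannot catch a malicious package that hijacks a legitimate name or a dependency-confusion attack on an internal name, and an exact match against the allowlist says nothing about whether that release itself is clean.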

PyPI, maintained by the Python Software Foundation (PSF), is the main repository where Python developers can get open source packages developed by third parties for their projects.

Persistent Threats

PyPI and its JavaScript counterpart, npm, are to developers what the App Store and Play Store are to phone users, but they are not curated: the registries are free services without the resources to vet every package submission for malicious content.

Google addresses the threat of malicious packages and attacks on the open source software supply chain through the Linux Foundation’s Open Source Security Foundation (OpenSSF). That effort found more than 200 malicious JavaScript and Python packages in a single month and observed “devastating consequences” for developers, and for the organizations they write code for, when such packages are installed.

Two-factor authentication limits what an attacker can do with a stolen password: without the second factor, the credential alone does not grant publishing access. The PSF will make 2FA mandatory for maintainers of “critical projects” in the coming months; PyPI has not announced a specific date.

“We’ve started implementing a 2FA requirement: soon, managers of critical projects will need to have two-factor authentication enabled to publish, update, or change those projects,” the PSF wrote on the PyPI Twitter account.

A 2FA requirement for critical projects

As part of this campaign, 4,000 Google Titan hardware security keys are being distributed to maintainers of critical projects with the help of Google’s open source security team.

“To improve the overall security of the Python ecosystem, PyPI has started implementing a two-factor authentication (2FA) requirement for mission-critical projects. This requirement will come into effect in the coming months,” the PSF said in a statement. “To ensure that maintainers of critical projects have the ability to implement strong two-factor authentication using security keys, the Google Open Source Security Team, a sponsor of the Python Software Foundation, has provided a limited set of security keys for distribution to maintainers of critical projects.”

The PSF considers any project in the top 1% of downloads over the previous six months to be critical. With over 350,000 projects on PyPI, that means more than 3,500 projects qualify. PyPI recomputes the list daily, so Google’s donation should cover many of the maintainers concerned, but not all of them. For transparency, PyPI also publishes 2FA adoption statistics. At the time of writing, 28,336 users have 2FA enabled, of whom nearly 27,000 use a TOTP app such as Microsoft Authenticator. More than 3,800 projects are currently classified as “critical”, with 8,241 PyPI users among their maintainers and owners.

The critical pool will also grow over time: once a project is classified as critical it keeps that designation, so projects are added to the 2FA requirement but never removed from it. The rule applies to both project maintainers and project owners.

Titan keys are not sold everywhere

Titan keys are only sold in certain countries. According to PyPI, only developers in Austria, Belgium, Canada, France, Germany, Italy, Japan, Spain, Switzerland, the United Kingdom and the United States can obtain one for free.

Maintainers elsewhere who need to comply can buy a FIDO (U2F/WebAuthn) security key from a vendor such as Yubico (YubiKey). Alternatively, 2FA can be enabled with a TOTP app such as Google Authenticator, Microsoft Authenticator, Duo Mobile, Authy, FreeOTP+ or FreeOTP, or with a password manager such as 1Password.

Eligible maintainers can redeem a promo code, obtained through the PyPI website, for two free Titan security keys (USB-C or USB-A) with free shipping. The code expires on 1 October.

Although most developers are familiar with 2FA, the requirement could lock users out, for example if a maintainer loses their only security key and the account has no second 2FA method configured.

“Without multiple 2FA options, losing a 2FA method results in the need to fully recover an account, which is cumbersome and time-consuming for both PyPI maintainers and admins. By enabling multiple 2FA methods, potential disruptions are reduced if one is lost,” warns PyPI.
