PyPI implements 2FA policy for critical projects

On Friday, the Python Package Index (PyPI), the official repository for third-party open source Python projects, announced plans to require two-factor authentication (2FA) for maintainers of “critical” projects.

Although many members of the community praised the move, the developer of one popular Python project removed his code from PyPI and republished it in order to shed the “critical” status assigned to the project.

Any PyPI project in the top 1% of downloads over the past six months, as well as any project that PyPI itself depends on, has been designated critical.

“To improve the overall security of the Python ecosystem, PyPI has begun implementing a two-factor authentication (2FA) requirement for critical projects. This requirement will go into effect in the coming months,” administrators announced in a blog post.

The initiative follows a string of recent incidents in which legitimate software libraries were hijacked, on both npm and PyPI.

Last year, the widely used npm packages ‘ua-parser-js’, ‘coa’ and ‘rc’ were trojanized with malware after their maintainers’ accounts were compromised. GitHub, npm’s parent company, responded by rolling out an improved login experience with 2FA options for developers starting in December 2021, with further security updates announced in May.

With the recent hijacking of the PyPI package ‘ctx’, PyPI has followed GitHub’s lead and is likewise requiring 2FA for maintainer accounts.

PyPI administrators have also shared a dashboard showing 3,818 PyPI projects and 8,218 PyPI user accounts that they have identified as “critical” and that will likely be asked to adopt 2FA.

Independently of the mandate, over 28,000 PyPI user accounts (including those not associated with any “critical” project) have already enabled 2FA voluntarily.

Although most have reacted favorably to the move and welcomed PyPI’s initiative to improve the overall security of the software supply chain, some have not.

Markus Unterwaditzer, developer of the PyPI project ‘atomicwrites’, removed his code from the registry after receiving an email from PyPI notifying him that his project had been deemed critical and now required two-factor authentication.

Unterwaditzer’s atomicwrites has reportedly been downloaded over 6 million times in a single month. Shortly after deleting the project, Unterwaditzer republished all of its versions, with the download counter reset.

Some compared this move to the left-pad incident in 2016, in which another developer unpublished his widely depended-on JavaScript packages from npm, breaking builds across much of the ecosystem.