The Python Package Index recently announced that every maintainer who publishes software on PyPI, the official third-party package repository for Python, must enable two-factor authentication (2FA) by the end of this year; accounts that do not will find certain site functionality inaccessible.
PyPI administrator Donald Stufft said: “Today, as part of that long term effort to secure the Python ecosystem, we are announcing that every account that maintains any project or organization on PyPI will be required to enable 2FA on their account by the end of 2023.
Between now and the end of the year, PyPI will begin gating access to certain site functionality based on 2FA usage. In addition, we may begin selecting certain users or projects for early enforcement.”
The decision was driven by PyPI’s heightened exposure to malicious software. Both the PyPI and npm ecosystems have been hit repeatedly by a variety of malicious packages, with attackers regularly uploading software laden with backdoors.
Uploading malicious code under a trusted name is not easy for attackers, so many resort to phishing attacks that take over the accounts of existing maintainers directly. That is why PyPI is insisting that maintainers enable 2FA.
Earlier this month, a security firm discovered more than 30 backdoored Python libraries; these libraries could connect to remote servers and exfiltrate sensitive data from the systems on which they were installed.
Also this month, the U.S. Department of Justice demanded the personal information of several maintainers from PyPI, citing security concerns. After consulting legal counsel, PyPI ultimately handed over a small portion of user data.
Although mandatory 2FA will not entirely solve the problem of malicious packages, it should address part of it: fewer maintainers should fall victim to phishing and account takeover.