Dive Brief:
- The Python Package Index will mandate two-factor authentication for every account that maintains a project or organization on the site starting at the end of 2023, the organization said Thursday.
- Python is considered one of the most widely used programming languages. The mandate is designed to prevent account takeover attacks, which have been used to compromise PyPI users in the past.
- From now until the end of the year, PyPI will begin gating access to certain site functionality based on two-factor usage. Certain users or projects may also be selected for early enforcement, though the exact selection criteria were not specified.
Dive Insight:
The expanded authentication mandate comes at a time of heightened concern about supply chain security in the open source community.
Earlier this month, PyPI temporarily suspended the creation of new users and new projects amid a rash of malicious activity. The speed and volume of that activity drove the temporary suspension, as administrators were briefly unable to respond to incidents in a timely manner.
Researchers from Checkmarx reported a wave of malicious activity targeting a number of different open source registries in recent months.
“As Python is a highly popular programming language, the security community, especially open source supply chain companies, care when threat actors overwhelm the ecosystem with suspicious activity,” Jossef Harush Kadouri, head of software supply chain security at Checkmarx, said via email.
Malicious activity has impacted a variety of open source repositories, including attacks involving NPM in April and NuGet in late 2022.
Python Software Foundation officials last week declined to comment on why the suspension was necessary, but pointed to a recently published story describing how too few administrators were available to handle the volume of malicious activity.
The Department of Justice issued three subpoenas in March and April seeking PyPI user data, though why the information was requested was not disclosed. The subpoenas requested several specific details, including names, addresses, records of session times, length of service, means and source of payment, records of packages uploaded and other information.