The Python Package Index (PyPI) is rolling out two-factor authentication (2FA) for “critical projects” in the form of physical security keys.
Mindful of the growing threat to software supply chains, the repository is distributing 4,000 Titan Security Keys to qualifying maintainers, who can redeem a promo code for two free keys, either USB-C or USB-A.
The Google Open Source Security Team, a sponsor of the Python Software Foundation that maintains PyPI, has provided the keys.
All maintainers of critical projects will have to log into their accounts using the keys in addition to a password, a requirement that “will go into effect in the coming months”, according to an announcement on the PyPI website.
The top 1%
Projects are deemed ‘critical’ if they are among the top 1% of PyPI projects by number of downloads over the prior six months.
That means that around 3,500 of roughly 350,000 PyPI projects will qualify.
And “once the project has been designated as critical it retains that designation indefinitely”, said the Python Software Foundation.
Titan hardware keys are only approved for sale in, and can therefore only be distributed to, Austria, Belgium, Canada, France, Germany, Italy, Japan, Spain, Switzerland, the UK, and the US.
Maintainers of critical projects in non-eligible regions can either independently purchase an alternative FIDO U2F security key, such as a YubiKey or Thetis key, or enable 2FA via a TOTP application.
However, PyPI warned that “using security keys via WebAuthn is generally considered to be more secure than using TOTP-based authentication applications for 2FA”.
The move follows a similar commitment made by the RubyGems code repository last month that was applicable to maintainers of gems with more than 165 million downloads.
GitHub also announced last month that 2FA would be made mandatory for all code contributors by the end of next year, while NPM is initially making 2FA mandatory for its top 100 Node.js package maintainers, with a broader rollout already underway.