PyPI repo to distribute 4,000 security keys to maintainers of ‘critical projects’ in 2FA drive

The Python Package Index (PyPI) is rolling out two-factor authentication (2FA) for “critical projects” in the form of physical security keys.

Mindful of the growing threat to software supply chains, the repository is distributing 4,000 Titan Security Keys to qualifying maintainers, who can redeem a promo code for two free keys, either USB-C or USB-A.

The Google Open Source Security Team, a sponsor of the Python Software Foundation that maintains PyPI, has provided the keys.

All maintainers of critical projects will have to log into their accounts using the keys in addition to a password, a requirement that “will go into effect in the coming months”, according to an announcement on the PyPI website.

The top 1%

Projects are deemed ‘critical’ if they are among the top 1% of PyPI projects by numbers of downloads over the prior six months.

That means that around 3,500 of roughly 350,000 PyPI projects will qualify.

And “once the project has been designated as critical it retains that designation indefinitely”, said the Python Software Foundation.

Titan hardware keys are only approved for sale in, and can therefore only be distributed to, Austria, Belgium, Canada, France, Germany, Italy, Japan, Spain, Switzerland, the UK, and the US.

Maintainers of critical projects in non-eligible regions can either independently purchase an alternative FIDO U2F security key, such as a YubiKey or Thetis key, or enable 2FA via a TOTP application.

However, PyPI warned that “using security keys via WebAuthn is generally considered to be more secure than using TOTP-based authentication applications for 2FA”.

The move follows a similar commitment made by the RubyGems code repository last month that was applicable to maintainers of gems with more than 165 million downloads.

GitHub also announced last month that 2FA would be made mandatory for all code contributors by the end of next year, while NPM is initially making 2FA mandatory for its top 100 Node.js package maintainers, with a broader rollout already underway.

Source: https://portswigger.net/daily-swig/pypi-repo-to-distribute-4-000-security-keys-to-maintainers-of-critical-projects-in-2fa-drive
