On PyPI, two-factor authentication is now mandatory for everyone


2FA (two-factor authentication) is an identity and access management control that requires two independent proofs of identity to sign in: typically something the user knows (a password) plus something the user has (an authenticator app or a hardware security key).

After a year and a half of work and a series of gradual changes, mandatory two-factor authentication (2FA) has finally been rolled out to all PyPI users. In mid-2022, the developers of the Python Package Index (PyPI) announced a roadmap for the transition to mandatory two-factor authentication, starting with critical packages.

One year after that announcement, in June 2023, mandatory two-factor authentication was enforced for every user account that at that time maintained at least one project, belonged to an organization, or maintained a package selected for mandatory two-factor authentication.


Now, mandatory two-factor authentication applies to all users without exception: a user who has not enabled 2FA can no longer upload files or perform any action related to managing their projects.

This post is a recognition of the hard work that went into making this a reality and a thank you to all the users who enabled 2FA on their accounts.

It's also a reminder for those who have not yet enabled 2FA, that you will need to do so before you can perform any management actions or upload files to PyPI.

Once 2FA is enabled, you will be able to perform management actions, including generating API tokens or setting up trusted publishers (preferred) to upload files.

As noted in previous articles, the developers of the PyPI package repository have repeatedly stressed the importance of two-factor authentication. The measure is meant to harden the development process and protect projects against malicious changes made with leaked credentials. Two-factor authentication adds a layer of protection that mitigates the risks of shared passwords, passwords reused on sites that are later breached, attacks on a developer's local machine, and social engineering.


The need to strengthen security stems from the threat of account takeover. If an attacker gains control of a maintainer's account, they can publish malicious releases of the compromised package, and every product and library that depends on it inherits the malicious change. Two-factor authentication is therefore presented as an essential measure to safeguard the integrity of, and trust in, the Python software ecosystem, preventing the downstream consequences of unauthorized access and malicious changes to critical projects.

The developers also note that the preferred form of two-factor authentication is a hardware security key that implements the FIDO U2F specification and the WebAuthn protocol. This method offers a higher level of security than one-time passwords: the key's response is cryptographically bound to the site's origin, so a phishing page cannot capture and replay it, and the private key never leaves the device.

Besides hardware keys, PyPI accepts authenticator applications that generate one-time passwords according to the TOTP (Time-Based One-Time Password) standard, such as Authy, Google Authenticator and FreeOTP. These are a sound alternative, although a TOTP code can still be phished and relayed by an attacker within its validity window, which is why hardware keys are preferred.

For uploading packages, developers are strongly recommended to use the authentication method called 'Trusted Publishers', which is based on the OpenID Connect (OIDC) standard: a supported CI system (GitHub Actions, for example) presents a signed identity token to PyPI and receives a short-lived upload token in exchange, so no long-lived credential has to be stored in the build environment. Where Trusted Publishers cannot be used, the alternative is a scoped API token. In both cases the upload credential is separate from the account password, which limits what an attacker gains from a leaked secret.

Finally, if you are interested in knowing more, you can check the details at the following link.
