September 25, 2023

The PyPI is rolling out two-factor authentication for “critical projects” in the form of physical security keys.

The repository is distributing 4,000 Titan Security Keys sponsored by Google’s open-source security team to qualifying maintainers, who can redeem a promo code for two free keys, either USB-C or USB-A.

Advertisements

All maintainers of critical projects will have to log into their accounts using the keys in addition to a password, a requirement that “will go into effect in the coming months”, according to an announcement on the PyPI website.

Projects are deemed ‘critical’ if they are among the top 1% (3,500 of roughly 350,000) of PyPI projects by the number of downloads over the prior six months.

Titan hardware keys are only approved for sale, and can therefore only be distributed to, Austria, Belgium, Canada, France, Germany, Italy, Japan, Spain, Switzerland, the UK, and the US. Maintainers from other regions can either independently purchase an alternative FIDO U2F security key such as Yubikey or Thetis, or enable 2FA via a TOTP application.

Advertisements

But, PyPI warned that using security keys via WebAuthn is generally considered to be more secure than using TOTP-based authentication applications for 2FA

Tags:

1 thought on “PyPi adds 2FA for its Critical repositories

  1. Pingback: Malicious library files found in PyPi Repository - TheCyberThrone

Leave a Reply

You may have missed

BlackCat adds Clarion to its Victim list

September 24, 2023

TheCyberThrone Security Week In Review – September 23, 2023

September 24, 2023

MGM Resorts and Ceasars Attacks – Lesson Learnt

September 23, 2023

CISA KEV Update September 2023 – Part II

September 23, 2023

Air Canada Reveals Data Exposure due to a Cyberattack

September 23, 2023

SandMan APT Group in action against Telcos

September 22, 2023
%d bloggers like this: