PyPI is rolling out two-factor authentication for “critical projects” in the form of physical security keys.
The repository is distributing 4,000 Titan Security Keys sponsored by Google’s open-source security team to qualifying maintainers, who can redeem a promo code for two free keys, either USB-C or USB-A.
All maintainers of critical projects will have to log into their accounts using the keys in addition to a password, a requirement that “will go into effect in the coming months”, according to an announcement on the PyPI website.
Projects are deemed ‘critical’ if they are among the top 1% (3,500 of roughly 350,000) of PyPI projects by the number of downloads over the prior six months.
Titan hardware keys are only approved for sale in, and can therefore only be distributed to, Austria, Belgium, Canada, France, Germany, Italy, Japan, Spain, Switzerland, the UK, and the US. Maintainers in other regions can either purchase an alternative FIDO U2F security key, such as a YubiKey or Thetis, themselves, or enable 2FA via a TOTP application.
PyPI warned, however, that using security keys via WebAuthn is generally considered more secure than using TOTP-based authentication applications for 2FA.