Python: PyPI deploys 2FA system and distributes 4,000 security keys


PyPI, the Python Package Index, is distributing 4,000 Google Titan security keys as part of its initiative to make two-factor authentication (2FA) mandatory for critical projects written in Python.

Python is one of the most popular programming languages in the world. It is valued for its broad ecosystem of third-party packages and libraries, which make it particularly useful for data science. Developers need to update these packages frequently, and attackers have exploited this habit to open backdoors on Windows, Linux and Apple machines through fake packages whose names resemble those of legitimate ones (typosquatting).

PyPI, which is managed by the Python Software Foundation (PSF), is the main repository where Python developers can obtain open source packages developed by third parties for their projects.

Persistent threats

PyPI and its JavaScript equivalent, npm, act like the App Store and Play Store for developers, but they are not closed ecosystems, and as free services they do not have the resources to vet package submissions for bugs or malware.

Google, through the Linux Foundation’s Open Source Security Foundation (OpenSSF), is addressing the threat of malicious language packages and open source software supply chain attacks. It found more than 200 malicious JavaScript and Python packages in a single month and saw “devastating consequences” for developers and the organizations they write code for when they install them.

One way for developers to protect against credential theft is to use two-factor authentication. The PSF will make the use of this method mandatory for developers of “critical projects” in the coming months. PyPI has not announced a specific date for this obligation.

“We have started implementing a 2FA requirement: soon, managers of critical projects will need to have two-factor authentication enabled to publish, update or modify these projects”, noted the PSF on its PyPI Twitter account.

A 2FA requirement for critical projects

As part of this security campaign, 4,000 Google Titan hardware security keys will be distributed to project managers, with the help of Google’s open source security team.

“In order to improve the general security of the Python ecosystem, PyPI has started to implement a two-factor authentication (2FA) requirement for mission-critical projects. This requirement will come into effect in the coming months,” the PSF said in a statement. “To ensure maintainers of critical projects have the ability to implement strong two-factor authentication with security keys, the Google Open Source Security Team, a sponsor of the Python Software Foundation, has provided a limited number of security keys to distribute to critical project maintainers.”

The PSF indicates that it considers as critical any project appearing in the top 1% of downloads over the last six months. Currently, there are over 350,000 projects on PyPI, which means over 3,500 projects are considered critical. PyPI recalculates this figure daily, so Google’s Titan donation should cover many critical-project maintainers, but not all. In the name of transparency, PyPI also publishes 2FA account data here. There are currently 28,336 users with 2FA enabled, of which nearly 27,000 use a 2FA app such as Microsoft Authenticator. There are over 3,800 projects deemed “critical” and 8,241 PyPI users in this group.

The critical pool is also likely to grow, since a project designated as critical remains so indefinitely, while new projects are added to the 2FA obligation over time. The 2FA rule applies to both maintainers and project owners.

Selling Titan Keys is not allowed everywhere

The sale of Titan Keys is only permitted in certain geographic regions. So only developers from Austria, Belgium, Canada, France, Germany, Italy, Japan, Spain, Switzerland, the UK and the USA can get one for free, according to PyPI.

Maintainers in other regions who will need to use 2FA should purchase a FIDO U2F security key from a vendor such as Yubico. They can also enable 2FA through a mobile app such as Google Authenticator, Microsoft Authenticator, Duo Mobile, Authy, FreeOTP+ or FreeOTP, or through a password manager such as 1Password.

Eligible maintainers can redeem a promo code on the PyPI site for two free Titan Security Keys (USB-C or USB-A), including free shipping. The code expires on 1 October.

Although most developers are familiar with 2FA, this requirement could create login difficulties, for example if a user loses their 2FA key and has configured only a single 2FA method on their account.

“Without multiple 2FA options, the effect of losing a 2FA method results in the need to fully recover an account, which is cumbersome and time-consuming for both PyPI maintainers and administrators. Enabling multiple 2FA methods reduces potential disruptions if one is lost,” warns PyPI.

Source: ZDNet.com