PyPI launches 2-factor authentication (2FA) for their top 1% projects

Supply chain attacks are increasingly relying on compromising code repositories. Public repositories such as npm (world's largest Software Registry) and PyPi are especially targeted, hence the move to 2FA.

After repeated incidents of legitimate software libraries getting hijacked—across both the npm and PyPI ecosystems, admins of the PyPI registry started the initiative towards enhancing the overall security of the software supply chain.

They announced being in the process of introducing two-factor authentication (2FA) requirement for top projects. Any PyPI project accounting for the top 1% of downloads over the last six months as well as PyPI's dependencies have been designated critical.

Maintainers of critical projects must have 2FA enabled to publish, update, or modify them. To ensure that these maintainers can use strong 2FA methods, they are also distributing 4000 hardware security keys!

Read more at Bleeping Computer!