Security News > 2022 > July > PyPI mandates 2FA for critical projects, developer pushes back
Although many community members praised the move, the developer of a popular Python project decided to delete his code from PyPI and republish it to invalidate the "Critical" status assigned to his project.
We've begun rolling out a 2FA requirement: soon, maintainers of critical projects must have 2FA enabled to publish, update, or modify them.
Npm's parent company, GitHub, took steps to roll out an enhanced login experience for developers starting December 2021, with further security updates announced this May. With the most recent news of PyPI project 'ctx' getting hijacked, as BleepingComputer first reported, and the case later turning out to be an "Ethical" hacking experiment gone wrong, PyPI has followed GitHub's lead in also implementing 2FA for maintainer accounts.
"Ensuring that the most widely used projects have these protections against account takeover is one step towards our wider efforts to improve the general security of the Python ecosystem for all PyPI users," explains PyPI admins who have also shared a dashboard showing over 3,818 PyPI projects and 8,218 PyPI user accounts that they have identified as "Critical" and who will likely be asked to adopt 2FA. In spite of this, over 28,000 PyPI user accounts have voluntarily enabled 2FA. Developer pushes back at mandatory 2FA. Although most [1, 2, 3] have reacted favorably to the move and welcomed PyPI's initiative towards enhancing the overall security of the software supply chain, some have not.
Markus Unterwaditzer, developer of the 'atomicwrites' PyPI project decided to delete his code from the registry after receiving a "Congratulations!" email from PyPI notifying the developer of his project having been deemed critical and now requiring two-factor authentication.
Pypi today required 2FA for top 1% downloaded projects.