Security News > 2023 > May > PyPI announces mandatory use of 2FA for all software publishers
PyPI is a software repository for packages created in the Python programming language.
The PyPI team says the decision to make 2FA mandatory on all accounts is part of their long-term commitment to enhancing security on the platform, complementing previous measures taken in that direction, like blocking compromised credentials and supporting API tokens.
These types of attacks occur when a malicious actor gains control of the account of a software maintainer and adds a backdoor or malware to a package used as a dependency in various software projects.
2FA protection will help mitigate the problem of account takeover attacks and should also set a limit on how many new accounts a suspended user can create to re-upload malicious packages.
The requirement to set up 2FA on all project and organization maintainer accounts has the deadline to the end of 2023.
The PyPI team says the preparatory work it has done in previous months, like introducing 'Trusted Publishing,' combined with parallel initiatives from platforms like GitHub that have helped developers familiarize themselves with 2FA requirements, make this year an excellent moment to introduce the measure.