PyPI announces 2FA to secure Python package downloads

Yesterday, the core Python development team announced that PyPI now offers two-factor authentication to increase the security of Python package downloads and thus reduce the risk of unauthorized access to accounts. The team announced that 2FA will be introduced as a login security option on the Python Package Index.

“We encourage maintainers and project owners to log in and go to their account settings to add a second factor,” wrote the team on the official blog.

The blog also mentions that this project is a “grant from the Open Technology Fund; coordinated by the Packaging Working Group from Python Software Foundation.”

PyPI currently supports a single 2FA method: codes generated by a time-based one-time password (TOTP) application. Once users have configured 2FA on their PyPI account, they must provide a TOTP code (along with their username and password) to log in. To use 2FA on PyPI, users will therefore need an app (usually a mobile phone app) that generates these authentication codes.

Currently, only TOTP is supported as a 2FA method. Additionally, 2FA only affects login through the website, which protects against malicious changes to project ownership, removal of old versions, and account takeovers. Package downloads will continue to work without 2FA codes being provided.

The developers said they are working on multi-factor authentication based on WebAuthn, which will allow hardware tokens such as YubiKeys to be used as a second factor. They further plan to add API keys for downloading packages, as well as an advanced audit trail of sensitive user actions.

A user on HackerNews answered a question, “Will I get locked out of my account if I lose my phone?” saying, “You will not lock yourself in. I just did a quick test and if you reset your password (via an email link) you are automatically logged in. At this point, you can even disable 2FA. So 2FA protects against logging in with a stolen password, but it does not protect against logging in if you have access to the account’s email account.

Whether or not this is the intended behavior is another question…”

To learn more about current security measures, visit Python’s official blog post.


Sam D. Gomez