PyPI brings in mandatory 2FA for all software publishers following recent security issues

All PyPI maintainers will have to enable 2FA this year


PyPI has announced that all users who maintain a project or organization on the platform must now set up two-factor authentication in an effort to increase security.

This follows previous measures set out by PyPI, including optional 2FA, blocking compromised passwords, support for API tokens, and mandatory 2FA for certain projects.

This comes just days after some new registrations were suspended on the platform following an excess of malicious code, impersonation, and other security concerns.

2FA for PyPI


Many users are likely to have a six-month window to apply the additional authentication measure to their account, with plans drawn up to make 2FA mandatory by the end of this year. The Python repository’s official blog post explains more:

“Between now and the end of the year, PyPI will begin gating access to certain site functionality based on 2FA usage. In addition, we may begin selecting certain users or projects for early enforcement.”


The post continues to detail the preferred method of authentication - physical devices - though authenticator apps and other services remain supported. Uploads should be done via trusted publishers or API tokens to ensure optimal security, too.

Posing the question of why not all users should be required to use 2FA, PyPI says: “an account without access to any project cannot be used to attack anyone so it is a very low value target.”


Among the numerous reasons given for employing mandatory 2FA, PyPI calls out GitHub for taking similar steps, as well as funding that enabled the hiring of a PyPI Safety and Security Engineer.

As two- and multi-factor authentication become increasingly important for securing accounts, many have slated SMS-based authentication for its inferior security and reliance on cellular service. Then, there is the gradual rollout of passwordless passkeys, which is slowly building traction after a delayed start.

With several years’ experience freelancing in tech and automotive circles, Craig’s specific interests lie in technology that is designed to better our lives, including AI and ML, productivity aids, and smart fitness. He is also passionate about cars and the decarbonisation of personal transportation. As an avid bargain-hunter, you can be sure that any deal Craig finds is top value!
