PyPI has begun rolling out a two-factor authentication (2FA) requirement for critical projects to strengthen the security of the Python ecosystem. The requirement will take effect in the coming months; further details are given below.
Furthermore, to ensure that critical project maintainers can implement strong 2FA with security keys, the Google Open Source Security Team, a Python Software Foundation sponsor, has provided a limited number of security keys to distribute to critical project maintainers.
Eligible maintainers can redeem a coupon code for two complimentary Titan Security Keys (USB-C or USB-A), with free shipping.
The Python Package Index will offer 4,000 Google Titan security keys to developers as part of the campaign to require two-factor authentication for crucial projects.
According to PyPI, Titan keys are only approved for sale in specific geographic regions; therefore, only developers in Austria, Belgium, Canada, France, Germany, Italy, Japan, Spain, Switzerland, the United Kingdom, and the United States are eligible for a free key.
The Python Package Index, popularly known as the Cheese Shop (a reference to Monty Python’s Flying Circus comedy “Cheese Shop”), is Python’s official third-party software repository.
It is similar to the Perl CPAN repository and the R CRAN repository. The Python Software Foundation, a non-profit organization, manages PyPI. PyPI is the default source for packages and their dependencies in certain package managers, including pip. More than 350,000 Python packages are available through PyPI as of January 17, 2022.
PyPI generally hosts Python packages in the form of sdists (source distributions) or pre-compiled “wheels” files. As an index, PyPI allows users to search for packages using keywords or filters against their metadata, such as free software license or POSIX compatibility.
A single PyPI listing can hold, in addition to the current package and its metadata, earlier versions of the package, pre-compiled wheels (e.g., DLLs on Windows), and builds for different operating systems and Python versions.
The “critical” label is given to any PyPI project that has been in the top 1% of downloads over the last six months. PyPI’s dashboard indicates that around 3,800 projects and 8,200 user accounts have been categorized as critical, and 28,336 users have already adopted two-factor authentication voluntarily.
“Ensuring account takeover mitigations are deployed in the most popular projects is a step toward a bigger effort to increase the security of the Python environment for all PyPI users,” says a PyPI administrator.
The move to require two-factor authentication is an effort to strengthen the security of the Python ecosystem’s software supply chain. It follows a similar decision by GitHub earlier this year to require two-factor authentication.
Benefits of Titan Security Key:
Strongest account security:
Security keys use public-key cryptography to authenticate both the user’s identity and the URL of the login page, so an attacker cannot access your account even if you inadvertently hand over your username and password.
Titan Security Keys are constructed with a hardware chip that incorporates Google-engineered firmware to validate the key’s integrity. This helps establish that the keys have not been physically tampered with.
Titan Security Keys are widely supported and operate with major devices, browsers, and a growing ecosystem of services that follow FIDO standards. A single security key can be used to access both professional and personal services.
Features of Titan Security Key:
Titan Security Keys give cryptographic verification that users are engaging with the legitimate service for which they have registered their security key and are in possession of the security key.
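The mechanism described under “Strongest account security” and in the paragraph above, as an added, simplified simulation (not code from PyPI or Google): the site issues a single-use random challenge, the browser records the origin it is really on, and the key signs challenge, origin and a counter together, so a lookalike site that relays the real challenge still gets an assertion the real site rejects. The `RelyingParty` and `Authenticator` classes, the origin `https://pypi.org` standing in for the real site, the constructed lookalike origin `https://pypi-login.example`, and the use of a Lamport one-time signature in place of the ECDSA/EdDSA keys in real FIDO authenticators (so the example runs with only the standard library) are all assumptions of this example.

```python
# Added example, not code from PyPI or Google: a simplified FIDO-style,
# origin-bound challenge-response. A Lamport one-time signature stands in for
# the ECDSA/EdDSA keys of real authenticators so only the stdlib is needed.
import hashlib, hmac, json, secrets

N_BITS = 256  # one secret pair per bit of the SHA-256 message digest

def keygen():
    """One-time key pair: secrets sk[i][b]; public key = their SHA-256 hashes."""
    sk = [[secrets.token_bytes(32), secrets.token_bytes(32)] for _ in range(N_BITS)]
    pk = [[hashlib.sha256(s).digest() for s in pair] for pair in sk]
    return sk, pk

def _bits(msg):
    digest = int.from_bytes(hashlib.sha256(msg).digest(), "big")
    return [(digest >> (N_BITS - 1 - i)) & 1 for i in range(N_BITS)]

def sign(sk, msg):
    return [sk[i][b] for i, b in enumerate(_bits(msg))]

def verify(pk, msg, sig):
    if len(sig) != N_BITS:
        return False
    return all(hmac.compare_digest(hashlib.sha256(s).digest(), pk[i][b])
               for i, (s, b) in enumerate(zip(sig, _bits(msg))))

class Authenticator:
    """The security key: private keys never leave it; it signs (challenge, origin, counter)."""
    def __init__(self, uses=4):
        pairs = [keygen() for _ in range(uses)]       # one one-time key per sign-in
        self._secret_keys = [sk for sk, _ in pairs]
        self.public_keys = [pk for _, pk in pairs]     # what gets registered with the site
        self.counter = 0

    def get_assertion(self, challenge, browser_origin):
        # The browser, not the user, reports the origin it is really on, and that
        # origin is inside the signed data, so it cannot be edited afterwards.
        client_data = json.dumps({"challenge": challenge.hex(), "origin": browser_origin},
                                 sort_keys=True)
        signed = client_data.encode() + self.counter.to_bytes(4, "big")
        assertion = {"client_data": client_data, "counter": self.counter,
                     "signature": sign(self._secret_keys[self.counter], signed)}
        self.counter += 1
        return assertion

class RelyingParty:
    """The website: issues single-use challenges and verifies assertions."""
    def __init__(self, origin):
        self.origin = origin
        self.credentials = {}  # user -> {"public_keys": [...], "last_counter": -1}
        self.pending = {}      # user -> challenge of the login in progress

    def register(self, user, public_keys):
        self.credentials[user] = {"public_keys": public_keys, "last_counter": -1}

    def begin_login(self, user):
        self.pending[user] = secrets.token_bytes(32)  # fresh and unpredictable each time
        return self.pending[user]

    def finish_login(self, user, assertion):
        cred = self.credentials.get(user)
        challenge = self.pending.pop(user, None)      # consumed on first use
        if cred is None or challenge is None:
            return False, "no login in progress"
        client_data = json.loads(assertion["client_data"])
        if client_data["origin"] != self.origin:
            return False, "origin mismatch"           # made on a lookalike site
        if not hmac.compare_digest(bytes.fromhex(client_data["challenge"]), challenge):
            return False, "challenge mismatch"        # replay of an old assertion
        counter = assertion["counter"]
        if not cred["last_counter"] < counter < len(cred["public_keys"]):
            return False, "counter not increasing"    # replay, or a cloned key
        signed = assertion["client_data"].encode() + counter.to_bytes(4, "big")
        if not verify(cred["public_keys"][counter], signed, assertion["signature"]):
            return False, "bad signature"             # client data was tampered with
        cred["last_counter"] = counter
        return True, "ok"

def demo():
    """Four sign-in attempts; 'https://pypi-login.example' is a constructed lookalike origin."""
    site, key = RelyingParty("https://pypi.org"), Authenticator(uses=4)
    site.register("maintainer", key.public_keys)
    results = {}
    # 1. Genuine login from the real origin.
    genuine = key.get_assertion(site.begin_login("maintainer"), "https://pypi.org")
    results["genuine"] = site.finish_login("maintainer", genuine)
    # 2. Phishing: the lookalike site relays the real challenge and the user even
    #    touches the key, but the browser puts the lookalike origin in the signed data.
    phished = key.get_assertion(site.begin_login("maintainer"), "https://pypi-login.example")
    results["phished"] = site.finish_login("maintainer", phished)
    # 3. The attacker rewrites the origin in a captured assertion to the real one.
    phished = key.get_assertion(site.begin_login("maintainer"), "https://pypi-login.example")
    data = json.loads(phished["client_data"])
    data["origin"] = "https://pypi.org"
    forged = dict(phished, client_data=json.dumps(data, sort_keys=True))
    results["forged_origin"] = site.finish_login("maintainer", forged)
    # 4. Replay of the genuine assertion against a new challenge.
    site.begin_login("maintainer")
    results["replayed"] = site.finish_login("maintainer", genuine)
    return results
```

Calling `demo()` returns one `(accepted, reason)` pair per attempt: only the genuine login is accepted; the relayed phish fails on the origin, the edited assertion fails on the signature because the origin is part of the signed data, and the replay fails on the challenge. The same checks (origin, fresh challenge, increasing counter, signature over both) are what a WebAuthn relying party performs on every login.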
Hardware that resists tampering:
A hardware chip with Google-developed firmware confirms the keys are authentic and have not been tampered with. The hardware chips are designed to resist physical attacks aimed at extracting firmware and secret key material.
Multiple form factors are available to ensure device compatibility.
Titan Security Keys come in two configurations: USB-A/NFC and USB-C/NFC.
Titan Security Keys make it simple to get started. Kits of two keys (one USB and one Bluetooth) are now available on the Google Store for consumers in the United States (and coming soon to additional regions). Enterprise clients can also obtain Titan Security Keys from a Google Cloud agent or our partner, Insight.
Titan Security Keys work with any service that supports FIDO security keys. To add them to your Google Account, sign in and go to the 2-Step Verification page. To guarantee that users sign in with their security keys, Google Cloud administrators can enforce security keys in G Suite and GCP (through Cloud Identity).