PyPI Increases Security
Written by Kay Ewbank   
Thursday, 27 June 2019

The team developing PyPI, the Python Package Index, is adding WebAuthn support as a new beta feature. The support for U2F compatible hardware security keys will enable PyPI to offer a two-factor authentication login security method, work on which has been funded by a grant from the Open Technology Fund.

The two-factor facility has been undergoing testing by users logging in to the canonical Python Package Index at PyPI.org and the test site at test.pypi.org. The existing technique involves generating a code with a Time-based One-Time Password (TOTP) application as the second login factor, making accounts more secure.

The facility is now being extended so that PyPI also supports WebAuthn security keys that are U2F compatible as a second login factor. This is a beta release, and involves a U2F compatible security key such as those from YubiKey, Google Titan and Thetis. The key communicates via USB, NFC, or Bluetooth. PyPI supports any FIDO U2F compatible key and follows the WebAuthn standard. Users who have set up this second factor will be prompted to use their key (usually by inserting it into a USB port and pressing a button) when logging in.

Project maintainers and owners are being urged to log in and add a second factor. Those users who don't want to use a beta feature are recommended to use a TOTP application for the second factor.
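The TOTP second factor described above, as an added illustration that is not PyPI's own code: an RFC 6238 generator plus a server-side verifier that tolerates a little clock drift but refuses to accept the same code twice. The secret, account name and `otpauth` label format used here are assumptions for the example.

```python
import base64
import hashlib
import hmac
import secrets
import struct
from urllib.parse import quote

TIME_STEP = 30   # seconds per time step (RFC 6238 default)
DIGITS = 6       # code length used by common authenticator apps


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    binary = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = TIME_STEP, digits: int = DIGITS) -> str:
    """RFC 6238 TOTP: HOTP with the counter taken from the current time step."""
    return hotp(secret, unix_time // step, digits)


def provisioning_uri(secret: bytes, account: str, issuer: str = "PyPI") -> str:
    """otpauth:// URI (the QR-code payload) that enrols the shared secret in a TOTP app.
    The issuer/account label is an assumed format, not PyPI's actual enrolment page."""
    b32 = base64.b32encode(secret).decode().rstrip("=")
    return (f"otpauth://totp/{quote(issuer)}:{quote(account)}"
            f"?secret={b32}&issuer={quote(issuer)}&algorithm=SHA1"
            f"&digits={DIGITS}&period={TIME_STEP}")


def new_secret(nbytes: int = 20) -> bytes:
    """Fresh random shared secret, generated once when a user enrols."""
    return secrets.token_bytes(nbytes)


class TotpVerifier:
    """Server-side check with clock-drift tolerance and replay rejection."""

    def __init__(self, secret: bytes, window: int = 1):
        self.secret = secret
        self.window = window       # accept +/- this many steps of drift
        self.last_counter = -1     # highest step already consumed; never accept it again

    def verify(self, submitted: str, unix_time: int) -> bool:
        current = unix_time // TIME_STEP
        for counter in range(current - self.window, current + self.window + 1):
            if counter <= self.last_counter:
                continue           # replayed or older code
            if hmac.compare_digest(hotp(self.secret, counter), submitted):
                self.last_counter = counter
                return True
        return False
```

The expected values in the test below are the RFC 4226/6238 vectors for the 20-byte ASCII secret "12345678901234567890", shortened to six digits.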

2FA is only being used for logins via the website, and the intention is that the use will safeguard against malicious changes to project ownership, deletion of old releases, and account takeovers. Package uploads will continue to work without users providing 2FA codes.

Moving forward, the developers of PyPI are working on implementing per-user API keys as an alternative form of multifactor authentication. This will be used for a number of areas, including the setuptools, twine, and PyPI auth flows. These will be application-specific tokens scoped to individual users or projects, so that uploads can use token-based logins and become more secure. There are also plans to put into place an advanced audit trail of sensitive user actions.

With the core Python developers looking to slim down the standard library, PyPI is going to become more heavily used as modules that were previously part of the core have to move to it. As PyPI grows in importance, its security matters all the more.

More Information

PyPI Website

Related Articles

PyPI Granted $170,000

Python - Dead Batteries Included? 

Last Updated ( Thursday, 27 June 2019 )