|PyPI Increases Security|
|Written by Kay Ewbank|
|Thursday, 27 June 2019|
The team developing PyPI, the Python Package Index, is adding WebAuthn support as a new beta feature. Support for U2F-compatible hardware security keys lets PyPI offer a second two-factor authentication (2FA) login method alongside the existing TOTP option; the work has been funded by a grant from the Open Technology Fund.
Two-factor login has been undergoing testing by users logging in to the canonical Python Package Index at PyPI.org and to the test site at test.pypi.org. In that first phase the second factor is a code generated by a Time-based One-Time Password (TOTP) application, entered alongside the account password.
The facility is now being extended so that PyPI also accepts U2F-compatible WebAuthn security keys as the second login factor. This is a beta release and requires a U2F-compatible security key such as those from YubiKey, Google Titan and Thetis; the key communicates via USB, NFC or Bluetooth. PyPI supports any FIDO U2F-compatible key and follows the WebAuthn standard. Users who have set up this second factor will be prompted to use their key (usually by inserting it into a USB port and pressing a button) when logging in.
Project maintainers and owners are being urged to log in and add a second factor. Those who would rather not rely on a beta feature are recommended to use a TOTP application as their second factor instead.
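As an added illustration, not code from the article or from PyPI, the following Python shows what a TOTP application does when it generates a code and what a server such as PyPI has to do to verify one: HMAC-SHA1 over a 30-second time counter as in RFC 6238, a small window for clock drift, a constant-time comparison, and a stored last-used counter so that a code captured from the user cannot be replayed within the same time step. The secret is the published RFC 4226/6238 test key; the function names, the one-step drift window and the replay rule are this example's own choices, not PyPI's.

```python
import base64
import hashlib
import hmac
import struct
import time

# The RFC 4226 / RFC 6238 test secret (ASCII "12345678901234567890"), used here so
# the outputs can be checked against the RFC test vectors. A real enrolment would
# generate a random secret and show it to the user as a base32 string / QR code.
RFC_TEST_SECRET = b"12345678901234567890"


def decode_base32_secret(text: str) -> bytes:
    """Decode the base32 secret shown at enrolment (spaces and missing padding tolerated)."""
    text = text.replace(" ", "").strip().upper()
    text += "=" * (-len(text) % 8)
    return base64.b32decode(text)


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, timestamp: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter set to the number of `step`-second
    intervals since the Unix epoch. This is what the authenticator app computes."""
    return hotp(secret, timestamp // step, digits)


def verify_totp(secret: bytes, code: str, last_counter: int, timestamp=None,
                step: int = 30, window: int = 1, digits: int = 6):
    """Server-side check of a submitted code.

    Returns the time counter that matched (to be stored as the new last_counter),
    or None if the code is rejected. Policy choices made by this example:
      - codes from the current step and +/- `window` steps are accepted, to
        tolerate clock drift between the phone and the server;
      - any counter <= last_counter is refused, so a code that was already used
        (or one older than the last accepted code) cannot be replayed;
      - hmac.compare_digest is used so a wrong code is not distinguishable by timing.
    """
    if timestamp is None:
        timestamp = int(time.time())
    if len(code) != digits or not code.isdigit():
        return None
    now = timestamp // step
    for counter in range(now - window, now + window + 1):
        if counter <= last_counter:
            continue
        if hmac.compare_digest(hotp(secret, counter, digits), code):
            return counter
    return None


if __name__ == "__main__":
    # Authenticator side: generate the code for the RFC test time T=59.
    code = totp(RFC_TEST_SECRET, 59)
    print("code at T=59:", code)                     # 287082 per RFC 6238
    # Server side: first use is accepted, a second use of the same code is not.
    print("first verify:", verify_totp(RFC_TEST_SECRET, code, last_counter=-1, timestamp=59))
    print("replay:", verify_totp(RFC_TEST_SECRET, code, last_counter=1, timestamp=59))
```

The stored `last_counter` is what turns a one-time password into something actually one-time: without it, a code phished or shoulder-surfed from the user remains valid for the rest of the 30-second step plus the drift window.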
2FA currently applies only to logins via the website, where the intention is to safeguard against malicious changes to project ownership, deletion of old releases and account takeovers. Package uploads, which still authenticate with the account username and password, continue to work without a 2FA code, so on its own a leaked password still suffices to push a release; closing that gap is what the token-based upload authentication described below is for.
Moving forward, the PyPI developers are working on per-user API keys as an alternative form of multifactor authentication for the setuptools, twine and PyPI auth flows. These will be application-specific tokens scoped to an individual user or project, so that uploads can authenticate with a token instead of the account password. There are also plans for an advanced audit trail of sensitive user actions.
With the core Python developers looking to slim down the standard library, PyPI is going to become more heavily used as previously core modules move to it, and its security matters all the more as its importance grows.
|Last Updated ( Thursday, 27 June 2019 )|