PyPI Insists On 2FA For Critical Projects
Written by Kay Ewbank   
Tuesday, 26 July 2022

PyPI, the Python Package Index, which is the official repository of third-party open-source Python projects, has got tough with its requirements for critical projects. Two-factor authentication (2FA) will now be mandatory for developers maintaining critical projects.

The move has been made to improve the general security of the Python ecosystem, and PyPI, along with the Google Open Source Security Team, a sponsor of the Python Software Foundation, has provided a limited number of security keys to distribute to critical project maintainers.

Eligible maintainers will be able to redeem a promo code for two free Titan Security Keys (either USB-C or USB-A), including free shipping.

The move comes three years after PyPI first offered two-factor authentication as a login security option.

The definition of a 'critical project' is simply any project in the top one percent of downloads over the previous six months. As PyPI has over 350K projects, the 'critical' list runs to more than 3,500 projects.

Once a project has been designated as critical it retains that designation indefinitely. While the news has been welcomed by many, some developers have either complained or removed their projects from PyPI, pointing out that placing security requirements on free software maintained by a single developer represents a disincentive.
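As an added illustration (not code from the article, nor PyPI's own implementation), the designation rule as the article describes it: a project is critical when it is in the top one percent by downloads over the window, and the designation sticks once granted, so the set of maintainers who must enable 2FA is the union of maintainers across every project that is or ever was critical. The ceiling-based cutoff, the tie handling and the data shapes are assumptions made for this sketch.

```python
import math
from typing import Dict, FrozenSet, Iterable, Set

# Constructed sample: 200 projects whose six-month download counts rise with
# their index, so pkg199 and pkg198 are the top one percent (2 of 200).
SAMPLE_DOWNLOADS: Dict[str, int] = {f"pkg{i:03d}": (i + 1) * 1000 for i in range(200)}

# Constructed sample: maintainers per project. pkg007 is no longer in the
# top one percent but was designated in an earlier window.
SAMPLE_OWNERS: Dict[str, Set[str]] = {
    "pkg199": {"alice"},
    "pkg198": {"bob", "alice"},
    "pkg007": {"carol"},
    "pkg000": {"dave"},
}
PREVIOUSLY_CRITICAL: FrozenSet[str] = frozenset({"pkg007"})


def designate_critical(downloads: Dict[str, int],
                       previously_critical: Iterable[str] = (),
                       top_fraction: float = 0.01) -> Set[str]:
    """Return the critical set: top `top_fraction` by downloads plus every
    project designated in an earlier window (the designation is retained).
    Assumption: the cutoff is ceil(n * fraction) projects, ties broken by name."""
    n = len(downloads)
    if n == 0:
        return set(previously_critical)
    cutoff = max(1, math.ceil(n * top_fraction))
    ranked = sorted(downloads, key=lambda p: (-downloads[p], p))
    return set(ranked[:cutoff]) | set(previously_critical)


def maintainers_requiring_2fa(critical: Set[str],
                              owners: Dict[str, Set[str]]) -> Set[str]:
    """Union of maintainers over all critical projects; each must enable 2FA."""
    required: Set[str] = set()
    for project in critical:
        required |= owners.get(project, set())
    return required


if __name__ == "__main__":
    crit = designate_critical(SAMPLE_DOWNLOADS, PREVIOUSLY_CRITICAL)
    print("critical:", sorted(crit))
    print("2FA required for:", sorted(maintainers_requiring_2fa(crit, SAMPLE_OWNERS)))
```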

Armin Ronacher, the developer of Flask, a lightweight web application framework, said on his blog that he hadn't set out to create a 'critical' package, and while requiring the enabling of 2FA is quite mild, it sets a precedent:

"The message to me as a maintainer is quite clear: once a project achieved criticality, then the index wants to exercise a certain amount of control. From the index' perspective it's within the bounds of its terms of service to put further restrictions on such a project."

Ronacher's point is that developers already put their own time and labor into developing projects, and the users of those packages ought to take on some of the burden.

Developers of projects affected by the move have been informed by email.

More Information

PyPI 2FA Security Key Giveaway
