

Google is providing Titan Security Keys to maintainers of projects in top 1% of downloads

The Python Package Index (PyPI) is rolling out two-factor authentication (2FA) for “critical projects” in the form of physical security keys.

Mindful of the growing threat to software supply chains, the repository is distributing 4,000 Titan Security Keys to qualifying maintainers, who can redeem a promo code for two free keys, either USB-C or USB-A.

All maintainers of critical projects will have to log into their accounts using the keys in addition to a password, a requirement that “will go into effect in the coming months”, according to an announcement on the PyPI website.

The Google Open Source Security Team, a sponsor of the Python Software Foundation that maintains PyPI, has provided the keys.

Projects are deemed ‘critical’ if they are among the top 1% of PyPI projects by numbers of downloads over the prior six months.

And “once the project has been designated as critical it retains that designation indefinitely”, said the Python Software Foundation.

That means that around 3,500 of roughly 350,000 PyPI projects will qualify.

Titan hardware keys are only approved for sale, and can therefore only be distributed to, Austria, Belgium, Canada, France, Germany, Italy, Japan, Spain, Switzerland, the UK, and the US.

Maintainers of critical projects in non-eligible regions can either independently purchase an alternative FIDO U2F security key such as Yubikey or Thetis, or enable 2FA via a TOTP application.

However, PyPI warned that “using security keys via WebAuthn is generally considered to be more secure than using TOTP-based authentication applications for 2FA”.
