All Python Package Index (PyPI) project maintainers will be required to use two-factor authentication by the end of the year, a measure intended to prevent account takeover attacks, reports SecurityWeek.
2FA can be set up with an authenticator app or a hardware security device, and uploads to PyPI can be performed with API tokens or trusted publishing.
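As an added illustration of the trusted-publishing upload path mentioned above (this is an example workflow written for this summary, not configuration taken from PyPI or from SecurityWeek), the GitHub Actions job below builds a package and publishes it without any stored PyPI credential. The workflow file name, the project and the `release` trigger are assumptions; the `id-token: write` permission and the `pypa/gh-action-pypi-publish` action are the real mechanism trusted publishing relies on.

```yaml
# .github/workflows/publish.yml (hypothetical file name for this example)
name: Publish to PyPI via trusted publishing

on:
  release:
    types: [published]   # assumed trigger: publish when a GitHub release is created

jobs:
  pypi-publish:
    runs-on: ubuntu-latest
    # Restricting the job to an environment lets maintainers gate publishing
    # behind required reviewers; the environment name is an assumption.
    environment: pypi
    permissions:
      # Allows the job to request a short-lived OIDC token from GitHub.
      # PyPI verifies that token against the publisher configured on the
      # project, so no long-lived API token has to be stored as a secret.
      id-token: write
      contents: read
    steps:
      - uses: actions/checkout@v4

      - uses: actions/setup-python@v5
        with:
          python-version: "3.x"

      - name: Build sdist and wheel
        run: |
          python -m pip install --upgrade build
          python -m build

      - name: Publish distributions to PyPI
        # The action exchanges the OIDC token for a scoped PyPI upload token;
        # no `password:` input is needed when trusted publishing is configured.
        uses: pypa/gh-action-pypi-publish@release/v1
```

The defensive point is the absence of a secret: a compromised CI runner or leaked repository secret cannot yield a reusable upload credential, and PyPI only accepts the exchange for the repository, workflow and environment that the maintainer registered as the trusted publisher.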
"[It] only takes one compromised project in someone's dependency set to compromise their computer. Once compromised, an attacker can extend that attack to attack other systems, including other projects on PyPI that the now compromised person maintains," said PyPI Administrator and Maintainer Donald Stufft.
Beyond 2FA, PyPI is also reducing the IP address data it collects and stores, and has decided to remove PGP signature support, citing low usage and security concerns.
PyPI will take no action on newly uploaded PGP signatures, although existing ones will remain functional.