Did You Hear That? PyPI Supports Two-Factor Login via WebAuthn

Posted on Nov 02, 2019


Reusable Python code comes from two main sources: the Python Standard Library and the Python Package Index (PyPI).

The Python Standard Library is the collection of modules that ship with every Python installation; nothing needs to be installed, you simply import the modules you want to use.

The Python Package Index, on the other hand, is a repository of software containing hundreds of thousands of packages created by community members themselves.

And how could the security of all those modules be overlooked? To strengthen the security of Python package downloads, the Python community has added a new beta feature to the Python Package Index: WebAuthn support for U2F-compatible hardware security keys as a two-factor authentication (2FA) login method. Two-factor login protects the maintainer accounts that publish packages; the benefit to downloaders is indirect, in that a phished or reused maintainer password is no longer enough on its own to push a malicious release under a trusted name.

A month earlier, the community had added the first two-factor authentication method to the canonical Python Package Index and its test site, for users to log in with and try out. Since then, hundreds of project owners and maintainers have been using a Time-based One-time Password (TOTP) application to better secure their accounts.

What about Module Security? #


As of now, PyPI also supports U2F-compatible WebAuthn security keys as a second factor for login. A universal second factor (U2F) key is a hardware device that communicates over USB, NFC, or Bluetooth. Popular keys include the YubiKey, Thetis, and Google Titan. PyPI supports all FIDO U2F-compatible keys by following the WebAuthn standard: users register the key as a second factor and are then prompted to touch it when they log in. Unlike a TOTP code, which a user can be talked into typing on a look-alike site, the key's signature is bound to the origin the browser is actually on, so a phishing page cannot relay it to the real site.

This is a beta feature, so expect some rough edges. If you find a potential security vulnerability, follow PyPI's published security policy rather than filing it publicly; ordinary bugs belong in the Warehouse issue tracker on GitHub, the mailing lists, or IRC.

How to implement it? #


First, verify your primary email address on your PyPI and Test PyPI accounts before setting up two-factor authentication; both steps are done from Account Settings. 2FA affects only logins through the website, which is where the damaging actions happen: transferring project ownership, deleting previous releases, and taking over the account. Package uploads will continue to work without users providing 2FA codes. Note the consequence: a leaked password still allows uploads from a tool such as twine, because the upload path is not covered by 2FA, so credentials used by build systems deserve the same care as the account itself.

The Road Ahead #


Furthermore, the Python community is working on API keys as an alternative form of multi-factor authentication in the upload auth flows. These will be application-specific tokens scoped to individual users and projects, so that users can use token-based logins to better secure uploads. The community also plans an advanced audit trail of sensitive user actions, plus improvements to accessibility and localization for PyPI. You can find more details in their progress reports. Keep learning!

Author Bio:

Kibo Hutchinson works as a Business Trend Analyst at Tatvasoft UK. She has a keen interest in learning the latest development practices, so she spends most of her time on the Internet exploring unique and extraordinary topics and technology trends.
