"PyPI Mandates 2FA for Critical Projects, Developer Pushes Back"
The Python Package Index (PyPI), the official repository for third-party open-source Python packages, has announced that maintainers of projects it deems "critical" will be required to enable two-factor authentication (2FA). Although many in the Python community praised the move, the developer of one popular Python project responded by deleting his package from PyPI and republishing it, resetting its download history in order to shed the "critical" designation. A project is designated critical if it falls within the top 1% of PyPI downloads over the prior six months, or if it is one of PyPI's own dependencies. PyPI has begun rolling out the 2FA requirement for these projects to raise the baseline security of the Python ecosystem, and the requirement will become mandatory in the coming months. Maintainers of critical projects are also being offered free hardware security keys, provided with support from the Google Open Source Security Team, a Python Software Foundation (PSF) sponsor; unlike TOTP codes, hardware keys authenticate via WebAuthn and cannot be captured by a phishing page. The initiative responds to recent incidents in both the npm and PyPI ecosystems in which maintainer accounts of legitimate libraries were hijacked and used to publish malicious releases. This article continues to discuss PyPI making 2FA mandatory for critical Python projects and the response to this effort.
Bleeping Computer reports "PyPI Mandates 2FA for Critical Projects, Developer Pushes Back"