

Security Briefing — PyPI Mandates 2FA for Critical Projects

The Python Package Index announced on February 21, 2023 that all maintainers of critical projects must enable two-factor authentication, expanding mandatory hardware-token and app-based MFA to protect the open-source software supply chain.

Executive briefing: The Python Package Index (PyPI) mandated two-factor authentication for maintainers of critical projects on February 21, 2023. The policy aims to reduce credential theft and package hijacking against widely used dependencies.

Key updates

  • Critical project scope. PyPI classifies projects as critical based on download volume and dependency impact, requiring maintainers to enable 2FA within the rollout window.
  • Security keys encouraged. Free hardware security keys are available through the OpenSSF/CNCF partnership to help maintainers adopt phishing-resistant authentication.
  • Automation support. Trusted publishing workflows and API tokens with limited scopes remain available for CI/CD systems.

Implementation guidance

  • Audit organizational PyPI accounts to confirm 2FA enrollment and security key distribution for high-impact packages.
  • Adopt trusted publishing via GitHub Actions or GitLab CI so releases originate from signed automation rather than local credentials.
  • Update software supply chain risk assessments to reflect PyPI's stronger maintainer authentication controls.
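As an added example that is not part of the original briefing, a minimal GitHub Actions workflow using trusted publishing: the pypa/gh-action-pypi-publish step exchanges a short-lived OIDC identity token for upload permission, so no long-lived PyPI API token is stored in the repository. The workflow file name (publish.yml), the repository, and the environment name (pypi) are assumptions; they must match the trusted publisher registered in the PyPI project's settings.

```yaml
# .github/workflows/publish.yml  (assumed file name; PyPI trusted publisher
# configuration must reference this exact workflow file and environment)
name: Publish to PyPI

on:
  release:
    types: [published]

jobs:
  pypi-publish:
    runs-on: ubuntu-latest
    # The GitHub environment name is part of the trusted publisher identity;
    # protect it with required reviewers so a release needs human approval.
    environment: pypi
    permissions:
      id-token: write   # lets the job request an OIDC token for PyPI to verify
      contents: read    # least privilege: no write access to the repository
    steps:
      - uses: actions/checkout@v4

      - uses: actions/setup-python@v5
        with:
          python-version: "3.x"

      - name: Build sdist and wheel
        run: |
          python -m pip install --upgrade build
          python -m build

      # No `password:` input: the action authenticates with the OIDC token
      # minted for this run, so there is no secret to leak or phish.
      - name: Upload to PyPI
        uses: pypa/gh-action-pypi-publish@release/v1
```

Maintainer 2FA still protects the PyPI account that registered the trusted publisher; the workflow only removes the long-lived upload credential from the release path.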