PyPI is Giving away 4000 Google Titan Security Keys to Counter Attacks

As part of its push to mandate two-factor authentication (2FA) for critical projects, the Python Package Index will distribute 4,000 Google Titan security keys to the developers who maintain them. The Python Package Index, abbreviated PyPI and also known as the Cheese Shop (a reference to the Monty Python's Flying Circus sketch "Cheese Shop"), is the official third-party software repository for Python. It is analogous to the CPAN repository for Perl and the CRAN repository for R. PyPI is run by the Python Software Foundation, a charity. Package managers including pip use PyPI as the default source for packages and their dependencies. As of 17 January 2022, more than 350,000 Python packages were available through PyPI.

PyPI primarily hosts Python packages in the form of archives called sdists (source distributions) or precompiled "wheels". As an index, PyPI lets users search for packages by keyword or by filters on their metadata, such as a free software license or POSIX compatibility. A single PyPI project can hold, besides the current package and its metadata, earlier releases, precompiled wheels (for example containing DLLs on Windows), and separate builds for different operating systems and Python versions.

The "critical" designation is assigned to any PyPI project in the top 1% of downloads over the past six months. According to the dashboard published by PyPI, more than 3,800 projects and 8,200 user accounts have been identified as critical, and 28,336 users have so far enabled two-factor authentication voluntarily.

"Ensuring that the most widely used projects have these protections against account takeover is one step towards our wider efforts to improve the general security of the Python ecosystem for all PyPI users," PyPI's administrators announced.

The decision to mandate two-factor authentication is an attempt to improve the supply chain security of the Python ecosystem, and it echoes GitHub's decision earlier this year to require two-factor authentication for everyone who contributes code on its platform. Recognizing that attackers are increasingly targeting libraries on npm, the JavaScript counterpart of PyPI, GitHub auto-enrolled maintainers of the top 100 npm packages in two-factor authentication back in February.

Benefits of Titan Security Key

Strongest account protection

Security keys use public-key cryptography to prove the user's identity and to bind each sign-in to the web origin of the login page. Because the key only answers for the site it was registered with, an attacker cannot get into your account even if you are tricked into entering your username and password on a look-alike page.

Trusted hardware

Titan Security Keys are built with a hardware chip that includes firmware engineered by Google to verify the key's integrity. This helps to ensure that the keys haven't been physically tampered with.

Widely supported

Titan Security Keys work with popular devices and browsers and with a growing ecosystem of services that support the FIDO standards. One security key can be used to sign in to both work and personal services.

Features of Titan Security Key

Phishing-resistant 2FA

Titan Security Keys provide cryptographic proof that users are interacting with the legitimate service with which they originally registered the key, and that they are in physical possession of that key.
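To make the origin-binding claim in the two paragraphs above concrete, here is a simulated FIDO2/WebAuthn assertion exchange written for this article (it is not PyPI's or Google's code). The browser derives the relying-party ID from the page origin, the key signs only for IDs it holds a credential for, and the server checks the origin inside the signed clientData. Textbook RSA built from two fixed Mersenne primes stands in for the ECDSA that real keys run in hardware, so the block needs only the standard library; the hostnames pypi.org and pypi-login.example are used as stand-ins for a real site and a phishing site.

```python
"""Simulated WebAuthn 'get assertion' flow showing why a FIDO key resists phishing.

Added illustration: textbook RSA replaces the key's real ECDSA P-256, the same
fixed key pair is reused for every credential (key generation is not the point),
and the hostnames are made up.
"""
import hashlib
import json
import os

_P, _Q = (1 << 127) - 1, (1 << 89) - 1   # fixed Mersenne primes, demo only
_E = 65537


def _keygen():
    n = _P * _Q
    d = pow(_E, -1, (_P - 1) * (_Q - 1))
    return (n, _E), (n, d)


def _digest(msg: bytes) -> int:
    # 192-bit truncation keeps the value below the ~216-bit modulus.
    return int.from_bytes(hashlib.sha256(msg).digest()[:24], "big")


def _sign(priv, msg: bytes) -> int:
    n, d = priv
    return pow(_digest(msg), d, n)


def _verify(pub, msg: bytes, sig: int) -> bool:
    n, e = pub
    return pow(sig, e, n) == _digest(msg)


def rp_id_of(origin: str) -> str:
    """Hostname of an origin; the browser, not the page, computes this."""
    return origin.split("://", 1)[1].split("/", 1)[0].split(":", 1)[0]


class SecurityKey:
    """Models the key firmware: one private key per RP ID, never exported."""

    def __init__(self):
        self._creds = {}

    def make_credential(self, rp_id: str):
        pub, priv = _keygen()
        self._creds[rp_id] = priv
        return pub

    def get_assertion(self, rp_id: str, client_data_hash: bytes):
        priv = self._creds.get(rp_id)
        if priv is None:
            raise PermissionError(f"no credential registered for {rp_id!r}")
        auth_data = hashlib.sha256(rp_id.encode()).digest() + b"\x01"  # rpIdHash || flags(UP)
        return auth_data, _sign(priv, auth_data + client_data_hash)


def browser_get(key: SecurityKey, origin: str, challenge: str) -> dict:
    """The browser scopes the request to the page's real origin."""
    client_data = json.dumps(
        {"type": "webauthn.get", "challenge": challenge, "origin": origin}, sort_keys=True
    ).encode()
    auth_data, sig = key.get_assertion(rp_id_of(origin), hashlib.sha256(client_data).digest())
    return {"clientDataJSON": client_data, "authenticatorData": auth_data, "signature": sig}


class RelyingParty:
    def __init__(self, origin: str):
        self.origin, self.rp_id = origin, rp_id_of(origin)
        self.users, self.pending = {}, {}

    def register(self, user: str, key: SecurityKey):
        self.users[user] = key.make_credential(self.rp_id)

    def begin_login(self, user: str) -> str:
        self.pending[user] = os.urandom(16).hex()
        return self.pending[user]

    def finish_login(self, user: str, resp: dict) -> bool:
        cd = json.loads(resp["clientDataJSON"])
        if cd.get("type") != "webauthn.get" or cd.get("challenge") != self.pending.pop(user, None):
            return False
        if cd.get("origin") != self.origin:          # the phishing check
            return False
        if resp["authenticatorData"][:32] != hashlib.sha256(self.rp_id.encode()).digest():
            return False
        signed = resp["authenticatorData"] + hashlib.sha256(resp["clientDataJSON"]).digest()
        return _verify(self.users[user], signed, resp["signature"])


def demo() -> dict:
    key, pypi = SecurityKey(), RelyingParty("https://pypi.org")
    pypi.register("maintainer", key)

    # 1. Genuine login from the real origin succeeds.
    legit = pypi.finish_login("maintainer", browser_get(key, "https://pypi.org", pypi.begin_login("maintainer")))

    # 2. A phishing page relays the real challenge, but the browser asks the key
    #    for its own host, for which no credential exists: the key refuses.
    try:
        browser_get(key, "https://pypi-login.example", pypi.begin_login("maintainer"))
        refused = False
    except PermissionError:
        refused = True

    # 3. Even if the victim has an account on the attacker's host, an assertion
    #    made there cannot be rewritten to claim pypi.org: the signature covers
    #    the rpIdHash and the clientData, so the forgery fails verification.
    RelyingParty("https://pypi-login.example").register("maintainer", key)
    resp = browser_get(key, "https://pypi-login.example", pypi.begin_login("maintainer"))
    cd = json.loads(resp["clientDataJSON"])
    cd["origin"] = "https://pypi.org"
    forged = dict(resp, clientDataJSON=json.dumps(cd, sort_keys=True).encode(),
                  authenticatorData=hashlib.sha256(b"pypi.org").digest() + b"\x01")
    return {"legit": legit, "phish_refused": refused, "relay_accepted": pypi.finish_login("maintainer", forged)}
```

Run `demo()` to see the three outcomes: the genuine login is accepted, the phishing page cannot obtain an assertion at all, and a relayed assertion with a rewritten origin is rejected. The username and password the victim typed on the fake page never help, because the second factor is bound to the origin rather than to anything the user can be tricked into retyping.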

Tamper-resistant hardware

A hardware chip that includes firmware developed by Google helps to verify that the keys haven't been tampered with. The hardware chips are designed to resist physical attacks aimed at extracting firmware and secret key material.

Multiple form factors to ensure device compatibility

Titan Security Keys are available in two form factors: USB-A/NFC and USB-C/NFC.

Getting started

It's easy to get started with Titan Security Keys. The USB-A/NFC and USB-C/NFC keys are available to U.S. customers on the Google Store (and coming soon to additional regions). Titan Security Keys are also available to enterprise customers through a Google Cloud representative or Google's partner, Insight.

Titan Security Keys can be used anywhere FIDO security keys are supported. To set one up with your Google Account, sign in and open the 2-Step Verification page of your account settings. Google Cloud admins can enforce security keys in Google Workspace (formerly G Suite) and GCP (through Cloud Identity) so that users must sign in with a key.
