By: The OpenSSF Technical Advisory Council
On July 8th, 2022, the Python Package Index (PyPI) announced a security key giveaway for maintainers of critical projects, where “critical” is a label given to the top 1% of packages on PyPI by download count during the prior six months. The giveaway included a statement of intent for PyPI to require multi-factor authentication (MFA) for maintainers of all critical projects “in the coming months.” This is similar to other efforts by GitHub, RubyGems, and npm to move to MFA. There was both commendation and concern for this effort.
We, the Open Source Security Foundation (OpenSSF), are a foundation working to improve the security of open source software (OSS). We are made up of organizations and individual OSS contributors with a variety of interests (including academic and commercial). We applaud these ongoing efforts because they help defend against the increasing attacks on OSS maintainers’ accounts that are occurring today.
Effort and concerns
The announcement from PyPI was met with a mixed response. Since the announcement, many maintainers have enabled MFA for their accounts, required it for their projects, and taken advantage of the security key giveaway. Others raised valid concerns, such as the MFA requirement not applying universally, and a broader trend of increasing requirements and expectations that maintainers, as a condition of using community infrastructure, provide assurances not only about the quality and security of their open source code, but also about who they are and how they code.
There is a significant burden on repository operators in supporting MFA, particularly around support and account recovery. To that end, PyPI, like many others (notably npm and RubyGems), is following a phased rollout approach using a metric which enables the repository operators to control the support burden while providing a benefit to repository users.
Maintainer burden is also a legitimate concern. As OSS grows in popularity, maintainers are increasingly asked to support the software they created, in many cases being asked to go beyond what they signed up for (e.g., providing useful code “as is”). The OpenSSF advocates for automated tooling and encourages security measures which minimize maintainer burden wherever possible. When considering adding security features that require any additional effort (one-time or recurring) on the part of project maintainers, we advocate for implementing those features with extreme consideration for the maintainers. This is especially important because OSS normally does not come with guarantees (unless separately contracted) and consumers rarely pay maintainers. It is perfectly reasonable for maintainers to be concerned about potentially significant burdens, especially since they might perceive these efforts as some kind of unpaid, implicit guarantee to which they have not agreed.
It is also worth noting that many repositories (including PyPI) are operated by OSS maintainers, and that account compromises present a significant burden on them and all other downstream users.
While no solution today is perfect, we strongly support PyPI’s efforts on their MFA rollout and hope the communities and maintainers will take advantage of this opportunity to lead the way in our first steps to more secure open source. In particular, PyPI organized a security key giveaway with sufficient supply to provide two keys (a primary and a backup) to each maintainer of critical packages. The security key implementation on PyPI uses the FIDO protocol, an existing standard. Furthermore, PyPI also supports using Time-based One-Time Password (TOTP) as an additional factor, which is widely available at zero cost in applications for all major operating systems, including several open source implementations. In short, they are taking steps to minimize maintainer burden as much as they can with technology currently available to the community.
The case for MFA
It’s important to understand that these moves towards MFA are not occurring in a vacuum. There are increasingly many cases where attackers take over open source developers’ accounts and leverage control of those accounts to change projects’ source code and/or deployed packages, with a potentially devastating impact on users.
Account compromise is the second most common supply chain attack (after typosquatting) on open source packages for dynamic programming languages like JavaScript, Python, and Ruby [“Towards Measuring Supply Chain Attacks on Package Managers for Interpreted Languages”]. Account takeover is a direct focus of many attackers; “eslint-scope,” a package with millions of weekly downloads in npm, was compromised to steal credentials from users of the package.
Maintainer account takeovers can be drastically reduced when maintainers use MFA. That’s because attackers typically take over accounts by stealing or cracking passwords, or by performing “SIM swapping” attacks on smartphones. MFA with either TOTP or physical tokens blocks these attacks. This is more than hypothetical: Microsoft found that 99.9% of attempts at account takeover of their services are prevented by MFA.
Movement towards MFA is underway
It’s important to understand that the movement towards MFA is already underway; it’s not unique to PyPI:
- GitHub will require all code contributors to use 2FA by the end of 2023.
- RubyGems (for Ruby) is showing warnings to the maintainers of the top 100 RubyGems packages if MFA is not enabled on their accounts and will begin enforcement on August 15th.
- npm (for JavaScript) is making 2FA mandatory for its first cohort, all maintainers of top-100 npm packages by dependents, with a wider rollout planned.
- The OpenSSF’s own “Great MFA Distribution Project” distributed free MFA tokens to a number of OSS projects in 2021.
Many other OSS-related services have not announced a requirement for MFA, but they do have support for MFA (and have had it for years in some cases).
Generally, users of OSS expect that the software source code and packages come from their OSS developers, not from attackers who have taken over developers’ accounts. MFA is a mechanism to help preserve that assumption.
Support from the OpenSSF
At the OpenSSF, our mission is to improve the security of the open source ecosystem for all participants: developers, users, and the critical infrastructure that enables our communities to interact and share.
We fully support the efforts of software repository operators in improving the trustworthiness of content in their repositories to help project maintainers and users. We believe that software repositories should continue to make changes which enable all users to have confidence in the integrity of the repository’s contents and in the mapping from the upstream source code to the artifacts in the repository.
The OpenSSF is already actively supporting PyPI and other software repositories through activities like the Securing Software Repositories working group and sponsorship and funding from the Alpha/Omega project that facilitates the implementation of much needed security features while minimizing hardship on maintainers. If you’re interested in helping to secure OSS, please join us through participation in the Securing Software Repositories working group or other OpenSSF activities!