The current state of two-factor authentication across package managers

Recently at Tidelift we started asking our partnered maintainers (we call them “lifters”) to confirm that they have Two-Factor Authentication (2FA) enabled on their package manager/repository. 

In just two weeks, 46% of lifters report that they have enabled 2FA for their package manager.

What is 2FA?

Two-Factor Authentication (or Multi-Factor Authentication) is an authentication practice that requires two different factors to authenticate yourself. It’s gradually becoming more common on email, banking, and other critical websites.

Why is 2FA important, especially for maintainers?

While using 2FA on your bank’s website may seem an annoying necessity, it is even more important for OSS maintainers. The code you share online may be downloaded onto others’ servers or even developer machines, so making sure you’re the only one that can upload a build is just good security hygiene. 

For example, this month a popular RubyGem was hijacked because the maintainer had reused an old password but hadn’t enabled 2FA on rubygems.org.

Which package managers/repositories support 2FA?

We looked around at the state of 2FA for various package managers as of mid-2019, and found a landscape that’s improving but still needs work:

2FA (Login + Publish)

• NPM (JS)

• RubyGems (Ruby)

2FA (Login-only)

• Bower (JS): via GitHub, GitLab, Bitbucket, etc

• Cargo (Rust): via GitHub

• Carthage (Cocoa): via GitHub, GitLab, Bitbucket, etc

• Go Modules (Go): via GitHub, GitLab, Bitbucket, etc

• Homebrew (OSX): via GitHub

• Julia Pkg (Julia): via GitHub, GitLab, Bitbucket, etc

• Nuget: via Microsoft Accounts

• PuppetForge (Puppet)
  
  
• PyPI (Python)

No 2FA Support

• Atmosphere (Meteor)

• CPAN (Perl)

• Hackage (Haskell)

• Hex (Erlang)

• Packagist (PHP)

• wordpress.org/plugins (Wordpress/PHP)

2FA is Unnecessary

• CRAN (R): package uploads are done via form submission! 😏

• Maven (Java): package uploads are verified by PGP keys

How can I help?

If you’d like to help improve the landscape, here are a few places to start:

• PyPI is working on improving their 2FA support and has listed some Github Issues that need help.
• Cargo has a lengthy discussion about requiring 2FA for publishing.
• Hex has a closed and unfinished PR that implements 2FA support.
• Packagist has an open iIssue about 2FA.

What we are up to and how you can learn more

Tidelift provides a way to bring maintainers together in a scalable model that makes open source work better—for everyone. Those who build and maintain open source software get compensated for their efforts—and those who use their creations get more dependable software as part of a managed open source subscription.

• If you are a software developer and are interested in getting dependable maintenance for the open source software you already use, backed by the people who created it, learn more about the Tidelift Subscription.
• If you are an open source maintainer and are interested in getting paid for doing the work you love while attracting more users and creating the community you want to be a part of, learn more about partnering with Tidelift.