Recently at Tidelift we started asking our partnered maintainers (we call them “lifters”) to confirm that they have Two-Factor Authentication (2FA) enabled on their package manager/repository.
In just two weeks, 46% of lifters report that they have enabled 2FA for their package manager.
Two-Factor Authentication (2FA), or more generally Multi-Factor Authentication, is an authentication practice that requires two different factors to prove your identity. It’s gradually becoming more common on email, banking, and other critical websites.
While using 2FA on your bank’s website may seem like an annoying necessity, it is even more important for OSS maintainers. The code you share online may be downloaded onto others’ servers or even developers’ machines, so making sure you’re the only one who can upload a build is just good security hygiene.
For example, this month a popular RubyGem was hijacked because the maintainer had reused an old password but hadn’t enabled 2FA on rubygems.org.
We looked around at the state of 2FA for various package managers as of mid-2019, and found a landscape that’s improving but still needs work:
If you’d like to help improve the landscape, here are a few places to start:
Tidelift provides a way to bring maintainers together in a scalable model that makes open source work better—for everyone. Those who build and maintain open source software get compensated for their efforts—and those who use their creations get more dependable software as part of a managed open source subscription.