RubyGems Enforces Mandatory Multi-Factor Authentication for Popular Projects



RubyGems, the package manager for the Ruby programming language, is taking steps to enforce mandatory multi-factor authentication (MFA) to secure the accounts of maintainers of popular projects (gems).

“Today (August 15th, 2022), we will begin to enforce MFA on owners of gems with over 180 million total downloads,” reads Jenny Shen’s announcement on the RubyGems blog. “Users in this category who do not have MFA enabled on the UI and API or UI and gem signin level will not be able to edit their profile on the web, perform privileged actions (i.e. push and yank gems, or add and remove gem owners), or sign in on the command line until they configure MFA.”

While enforcement applies only to owners of gems with more than 180 million downloads, maintainers of gems with between 165 million and 180 million downloads will also receive recommendations to enable MFA via the command line interface (CLI) and the web user interface (UI).
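To make the two thresholds concrete, here is an added Ruby example (not code from RubyGems or from the announcement) that classifies an owner's gems by download count and checks whether the account's configured MFA level satisfies the policy. The JSON shape of the sample input and the MFA level identifiers (`ui_and_api`, `ui_and_gem_signin`, `ui_only`, `disabled`) are assumptions chosen to mirror the wording above; the sample gems and their download counts are constructed.

```ruby
require "json"

# Thresholds as stated in the RubyGems announcement quoted above.
ENFORCE_ABOVE  = 180_000_000  # over 180M total downloads: MFA is mandatory
RECOMMEND_FROM = 165_000_000  # 165M..180M downloads: MFA is recommended

# MFA levels that satisfy the policy ("UI and API" or "UI and gem signin").
# These identifiers are assumed names for this example, not RubyGems.org's own.
SUFFICIENT_LEVELS = %w[ui_and_api ui_and_gem_signin].freeze

# Classify one gem by its total download count.
def policy_tier(downloads)
  if downloads > ENFORCE_ABOVE
    :enforced
  elsif downloads >= RECOMMEND_FROM
    :recommended
  else
    :none
  end
end

# Given the gems an account owns (name + total downloads; the hash shape is an
# assumption for this example) and the account's configured MFA level, report
# which gems trigger enforcement or a recommendation and whether the account
# would still be allowed to push, yank and manage owners under the policy.
def audit_owner(gems, mfa_level)
  tiers = gems.map { |g| [g["name"], policy_tier(g["downloads"].to_i)] }.to_h
  enforced    = tiers.select { |_, t| t == :enforced }.keys
  recommended = tiers.select { |_, t| t == :recommended }.keys
  sufficient  = SUFFICIENT_LEVELS.include?(mfa_level)
  {
    enforced_gems: enforced,
    recommended_gems: recommended,
    mfa_sufficient: sufficient,
    # An owner with no gem over the threshold is unaffected regardless of level.
    compliant: enforced.empty? || sufficient,
  }
end

# Constructed sample input; download counts are made up for the example.
SAMPLE_GEMS_JSON = <<~JSON
  [
    {"name": "big-gem",    "downloads": 250000000},
    {"name": "border-gem", "downloads": 180000000},
    {"name": "mid-gem",    "downloads": 170000000},
    {"name": "small-gem",  "downloads": 12000000}
  ]
JSON

def sample_gems
  JSON.parse(SAMPLE_GEMS_JSON)
end

if $PROGRAM_NAME == __FILE__
  # "ui_only" is not enough once a gem crosses 180M downloads.
  puts JSON.pretty_generate(audit_owner(sample_gems, "ui_only"))
end
```

Note the boundary handling: exactly 180 million downloads is not "over 180 million", so that gem lands in the recommendation band rather than the enforced one, matching the announcement's wording.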

The decision is an additional safeguard against account takeovers, one of the most common and dangerous forms of software supply-chain attack alongside typosquatting and repojacking. Hijacking an account, especially a very popular one, lets attackers distribute malware to every downstream user unimpeded.

Phishing, social engineering and poor credential hygiene (weak passwords, reusing the same password across accounts) all facilitate account takeovers. Mandatory MFA therefore adds a much-needed second barrier against these attacks.

“This policy would bring us in line with the policies made by other package ecosystems,” according to Shen. “In addition, we are also currently working on adding support for WebAuthn. Maintainers would be able to use hardware tokens, biometric keys, and other WebAuthn-supported devices as their multi-factor device of choice.”

Last month, the Python Package Index (PyPI) announced it was rolling out mandatory two-factor authentication (2FA) for maintainers of critical projects. Owners and maintainers of popular PyPI projects must enable 2FA before they can publish, modify or update them.