The operators of the RubyGems.org package manager have announced that accounts maintaining the most commonly used Ruby packages will switch from password-only login to multi-factor authentication (MFA). Anyone publishing such packages must now use an authenticator app for important changes such as publishing or removing a package.
The threshold for mandatory MFA is initially 180 million downloads. Maintainers of gems with more than 165 million downloads receive an advance warning recommending that they enable MFA in time.
First step in the safe direction
The package management service wants to take further measures to make MFA attractive beyond the top packages. The discussion takes place in a Request for Comments (RFC), which is published as an issue on GitHub.
Currently, the second factor is provided by apps such as Google Authenticator, Authy or Authenticator Plus, which generate time-based one-time passwords (TOTP). The RubyGems.org team plans to add further MFA options such as hardware tokens and biometric keys in the future.
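The TOTP scheme those apps implement, RFC 6238 over HMAC-SHA1, as an added example in Ruby that is not RubyGems.org's own code: it derives the six-digit code from the shared secret and the current 30-second step, and shows the server-side check with a small clock-skew window and a constant-time comparison. The base32 secret is the public RFC 6238 test vector, not a real account secret.

```ruby
require 'openssl'

BASE32_ALPHABET = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ234567'

# Decode an RFC 4648 base32 string, the form in which authenticator apps
# receive the shared secret (via QR code or manual entry).
def base32_decode(str)
  bits = str.upcase.delete('=').each_char.map { |c|
    idx = BASE32_ALPHABET.index(c)
    raise ArgumentError, "invalid base32 character #{c.inspect}" unless idx
    idx.to_s(2).rjust(5, '0')
  }.join
  bits[0, bits.length - bits.length % 8].scan(/.{8}/).map { |b| b.to_i(2) }.pack('C*')
end

# HOTP (RFC 4226): HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation.
def hotp(secret, counter, digits = 6)
  hmac = OpenSSL::HMAC.digest('SHA1', secret, [counter].pack('Q>')).bytes
  offset = hmac.last & 0x0f
  code = hmac[offset, 4].pack('C*').unpack1('N') & 0x7fffffff
  (code % 10**digits).to_s.rjust(digits, '0')
end

# TOTP (RFC 6238): the counter is the number of 30-second steps since the Unix epoch.
def totp(secret, time = Time.now.to_i, step = 30, digits = 6)
  hotp(secret, time / step, digits)
end

# Constant-time comparison so the verifier does not leak how many digits matched.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Server-side check: accept the current step plus `skew` steps on either side
# to tolerate clock drift between the phone and the server.
def totp_valid?(secret, code, time = Time.now.to_i, step = 30, skew = 1)
  counter = time / step
  (-skew..skew).any? { |d| secure_compare(hotp(secret, counter + d), code) }
end

# Public test secret from RFC 6238 (ASCII "12345678901234567890"), not a real account secret.
DEMO_SECRET = base32_decode('GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ')

if __FILE__ == $PROGRAM_NAME
  puts totp(DEMO_SECRET, 59)                   # 287082, as in RFC 6238 Appendix B
  puts totp_valid?(DEMO_SECRET, '287082', 89)  # true: one step later, still within skew
end
```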
The second factor is not required for every action, only for the critical ones. The privileged operations are publishing a gem with gem push, removing a package with gem yank, and changing the ownership of a gem through the ownership page or the commands gem owner --add and gem owner --remove.
In the footsteps of npm, PyPI and NuGet
The measure is intended to prevent supply-chain attacks in which malicious code ends up in widely used packages. MFA or 2FA (two-factor authentication) helps prevent accounts from being hijacked through weak passwords or leaked credentials.
With this measure, the Ruby package manager follows the example of the package managers for JavaScript, Python and .NET: npm introduced 2FA as an option back in 2017 and has required it for the top 100 packages since the beginning of February. npm's parent company GitHub will require all users to secure their accounts with 2FA from the end of 2023.
PyPI has offered 2FA since May 2019, and since July 2022 it has been mandatory for the top one percent of projects by downloads, which is around 3500 packages. In February, Microsoft announced a 2FA requirement for the .NET package manager NuGet, first for new accounts and then for existing ones.