Requiring two-factor authentication on NuGet.org

Claire Novotny

Summary

Over the past few years, we have continually invested in strengthening the supply-chain security for .NET packages. To strengthen the ecosystem further, NuGet.org will begin requiring two-factor authentication for accounts starting March 8th. We made this decision after reviewing industry best practices and evaluating the trade-offs. Our thoughts and plans in this direction are detailed below.

Rationale

Numerous security attacks have occurred across the various package manager ecosystems by using accounts that do not have multi-factor authentication enabled. Oftentimes, attackers can use just a single password to disrupt entire ecosystems. Package manager breaches have led to major security incidents affecting the whole supply chain in multiple companies. API keys, which are secrets used to upload or manage packages, are also a target for malicious attackers.

To date, 2FA adoption among the top authors on NuGet.org is already high, with over 83% enablement. We recognize that package managers play a key role in software supply chains and that any package or account may be a target. We have heard concerns that enabling 2FA requires providing a phone number. Security is not something we take lightly, and 2FA is an industry-recognized best practice for minimizing the risk of account takeovers. NuGet.org does not have its own 2FA mechanism; rather, it uses existing Microsoft Accounts or Work or school accounts. Microsoft Accounts and Work or school accounts have several ways of satisfying 2FA requirements without providing a phone number, including WebAuthn, FIDO2 security keys, authenticator apps and one-time codes.

Enforcing 2FA for package authors would be a significant step towards protecting not just the NuGet community, but the entirety of .NET. NuGet benefits from the support that Microsoft Accounts and Work or school accounts provide for a variety of 2FA mechanisms.

The Plan

There are two components to consider: user logins and API keys for publishing.

  • User Logins: Beginning on March 8th, all new accounts will be required to have 2FA enabled. 2FA on existing users will be gradually required over a period of two months.
  • API Keys: In the future, we plan to expire API keys that are not generated under a 2FA context to ensure that all authenticated access is as secure as possible. We will give at least 30 days’ notice before the implementation of this phase.

The Experience

If you already have 2FA enabled, you will not notice anything immediately. If you don’t have 2FA enabled, when enforcement is activated for your account, you will be redirected back to Microsoft Account or Work or school account 2FA enrollment screens. Enrolling in 2FA for nuget.org does not change the global 2FA setting for your Microsoft account. At no time will NuGet see the information you enter for 2FA enrollment.

Future Plans

API keys represent a valuable target for hackers to steal, so we are investigating ways we can strengthen authentication for publishing scenarios. We will have more to share on that later.

Feedback

If you encounter issues signing in, please don’t hesitate to contact us. For help signing into your Microsoft Account or Work or school account, see the following:
