RubyGems, the package manager for the Ruby programming language, has taken steps to mandate multi-factor authentication (MFA) in order to secure the accounts of maintainers of popular projects (gems).
“Today, we will begin to enforce MFA on owners of gems with over 180 million total downloads,” read Jenny Shen’s announcement on the RubyGems blog on Monday. “Users in this category who do not have MFA enabled on the UI and API or UI and ‘gem signin’ level will not be able to edit their profile on the web, perform privileged actions (i.e. push and yank gems, or add and remove gem owners), or sign in on the command line until they configure MFA.”
While this new policy mainly applies to gem owners with more than 180 million downloads, maintainers with between 165 million and 180 million downloads will also receive recommendations through the command line interface (CLI) and user interface (UI).
This decision came as an additional security measure against account takeovers, which are among the most common and dangerous forms of software supply-chain attack. Taking over an account, especially one that owns a very popular package, allows threat actors to easily distribute malware to every downstream user of that package.
Phishing, social engineering, and improper credential management (weak passwords, or reusing the same password across multiple accounts) are the usual paths to an account takeover. Mandatory MFA adds a second factor that a stolen or guessed password alone cannot satisfy, which is why it is seen as a necessary extra layer of defence against these attacks.
“This policy would bring us in line with the policies made by other package ecosystems,” said Shen. “In addition, we are also currently working on adding support for WebAuthn. Maintainers would be able to use hardware tokens, biometric keys, and other WebAuthn-supported devices as their multi-factor device of choice.”