RubyGems now requires multi-factor auth for top package maintainers

RubyGems.org, the Ruby programming community's software package registry, now requires maintainers of popular "gems" to secure their accounts using multi-factor authentication (MFA).

As of Monday, August 15, said RubyGems maintainer Jenny Shen, "we will begin to enforce MFA on owners of gems with over 180 million total downloads. Users in this category who do not have MFA enabled on the UI and API or UI and gem sign-in level will not be able to edit their profile on the web, perform privileged actions (i.e. push and yank gems, or add and remove gem owners), or sign in on the command line until they configure MFA."

And those with between 165 million and 180 million total downloads will receive recommendation reminders via the UI and CLI.

According to Shen, these policies are consistent with those implemented at other package registries, such as PyPI and npm.

The added security precaution is intended as an additional barrier to account takeovers, the second-most common software supply-chain attack, according to a 2021 research paper, "Towards Measuring Supply Chain Attacks on Package Managers for Interpreted Languages."

Attempts to subvert the software supply-chain have surged in recent years and, thanks to a number of high profile incidents (SolarWinds, Kaseya and Log4j), have prompted those playing defense to try harder.

In 2018, the paper's authors claim, there were 100 million malicious packages that together accounted for 600 million downloads. RubyGems presently contains about 185,000 gems that have been downloaded 103 billion times.

The most common supply-chain attack involves typosquatting – submitting malicious packages to registries using names that are substantially similar to popular packages, in the hope of a fat-fingered fiasco by a developer.

But account takeovers offer the opportunity for broader distribution of malware, given a sufficiently popular account. According to the supply-chain attack paper, account takeovers haven't received as much attention as they might due to the code community's focus on security improvements through bug fixes.

"Account hijacking takes place because of weak credentials that attackers can guess and social engineering attacks exploit the collaborative nature of open-source projects as seen in many attacks," the paper's authors, from the Georgia Institute of Technology in the US, explain.

The obvious fix is to protect accounts with more than a password.

• This big phish can swim around MFA, says Microsoft Security
• Email domain for NPM lib with 6m downloads a week grabbed by expert to make a point
• Five Eyes turn spotlight on MSPs: Potential weak links in IT supply-chain security
• Russia-linked attackers breach NGO by exploiting MFA, PrintNightmare vuln

In 2019, PyPI, the Python Package Index, announced the introduction of two-factor authentication (2FA) as a login security enhancement. In February 2022, GitHub began requiring 2FA for the maintainers of top 100 npm packages and it subsequently enhanced its 2FA implementation in May.

RubyGems announced its intention to deploy 2FA in June, stating that MFA can prevent 99.9 percent of account takeover attacks. And with that initiative now underway, the RubyGems maintainers are looking at additional defenses, such as adding hashes of package dependencies to lockfiles.

Formulating defenses against supply-chain attacks isn't enough, however. Consider that RubyGems has supported cryptographically signed packages since v0.8.11, which was released in 2005. Yet as of March 2020, just 1.4 percent of latest version gems were signed.

Optional security is often indistinguishable from insecurity. ®