RubyGems Navigation menu


Back to blog posts

Introducing Security Device support on RubyGems’ CLI

In a world where many maintainer accounts are being targeted to distribute malicious code via our packages, it is crucial to add more measures that will help prevent these account takeovers. At the end of 2022, we announced the addition of hardware security token and passkey support (aka WebAuthn) to help secure your RubyGems’ account in the browser.

Starting today, you can now use your registered security device as a multi-factor method on the RubyGems CLI! This feature is available in RubyGems 3.4.12 and above.

If you have a security device registered, you will be redirected to the browser to authenticate using your security device when signing in on the command line. The same process can also apply for other MFA-required commands if enabled.

To read more about WebAuthn and multi-factor authentication support in RubyGems, please refer to the guides.

What’s next?

We are still working to make WebAuthn be a drop-in replacement for time-based one time passwords (TOTP). In the near future, users who register a security device will be given recovery codes and be able to select the appropriate MFA level for their account without needing to set up TOTP based authentication.

We are still investing to make a safer, more secure ecosystem for Rubyists, so be sure to stay tuned for updates!

If you have any feedback, questions or ideas on how to make RubyGems better and more secure, please contact us in the Bundler Slack workspace or open a GitHub issue.

Jenny Shen