Personally, I like 2FA and I use it in some of my SaaS apps. It is relatively simple and just works. All I really care about the person I issue a 2FA secret to is that they pay to use my system. I don't give them access to source code.
However, I don't see how this really applies to open source without some major operational changes.
An anonymous person issued a 2FA secret is still just as anonymous --- still free to use his secret in a supply chain attack. The structural problem is the anonymity ingrained in the open source ethos.
Any way you slice it, anonymous individuals with access to the supply chain are a gaping security hole.