Ref: https://openjs-foundation.slack.com/archives/CTPN0DFF0/p1757409567216549
Per OpenCollective:
In addition, we recommend that projects secure their accounts with biometric-protected passkeys, specifically accounts with access to commit (i.e., GitHub) or distribution (i.e., package managers) wherever possible, and never rely solely on SMS as a second authentication factor.
cc @nodejs/security-wg