However, I don't see how this really applies to open source without some major operational changes.
An anonymous person issued a 2FA secret is still just as anonymous --- still free to use his secret in a supply chain attack. The structural problem is the anonymity ingrained in the open source ethos.
Any way you slice it, anonymous individuals with access to the supply chain are a gaping security hole.