Description
Is your feature request related to a problem? Please describe.
The notorious ESLint compromise was attributed to password reuse. Currently crates.io does not protect from password reuse in any way.
Describe the solution you'd like
crates.io should require two-factor authentication to be enabled on the GitHub account in order to log in to crates.io.
While there seems to be no way to ask GitHub to perform 2FA, it is possible to query whether the user has 2FA enabled and refuse login attempts from people who do not have it enabled. This is sufficient to protect against password reuse.
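One way to implement the gate described above, as an added Python sketch that is not crates.io's own code: it evaluates the body of GitHub's GET /user response (which carries a `two_factor_authentication` boolean for the authenticated user when the token has the `user` scope), treating an absent field as unverified and denying the login rather than assuming 2FA is on. The sample response bodies are constructed.

```python
import json
from dataclasses import dataclass


@dataclass(frozen=True)
class LoginDecision:
    allowed: bool
    reason: str


def evaluate_github_2fa(user_json: str) -> LoginDecision:
    """Decide whether to accept a crates.io login from the JSON body of
    GitHub's GET /user call made with the user's OAuth token.

    GitHub only includes `two_factor_authentication` for the authenticated
    user's own profile when the token carries the `user` scope.  A missing
    field therefore means 2FA status could not be verified, so the check
    fails closed instead of treating "unknown" as "enabled".
    """
    try:
        profile = json.loads(user_json)
    except json.JSONDecodeError:
        return LoginDecision(False, "unparseable /user response")
    if not isinstance(profile, dict):
        return LoginDecision(False, "unexpected /user response shape")

    login = profile.get("login", "<unknown>")
    tfa = profile.get("two_factor_authentication")  # None if absent or null
    if tfa is None:
        return LoginDecision(
            False, f"{login}: 2FA status absent (token lacks `user` scope?)"
        )
    if tfa is not True:
        return LoginDecision(False, f"{login}: GitHub 2FA not enabled")
    return LoginDecision(True, f"{login}: GitHub 2FA enabled")


# Constructed sample /user bodies, trimmed to the fields that matter here.
SAMPLE_2FA_ON = '{"login": "alice", "id": 1, "two_factor_authentication": true}'
SAMPLE_2FA_OFF = '{"login": "bob", "id": 2, "two_factor_authentication": false}'
SAMPLE_NO_SCOPE = '{"login": "carol", "id": 3}'

if __name__ == "__main__":
    for body in (SAMPLE_2FA_ON, SAMPLE_2FA_OFF, SAMPLE_NO_SCOPE):
        d = evaluate_github_2fa(body)
        print("ALLOW" if d.allowed else "DENY ", d.reason)
```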
Describe alternatives you've considered
It would be nice to ask GitHub to perform 2FA when logging in to crates.io, because that would also protect against GitHub cookie theft, but that doesn't appear to be possible: I could not find any GitHub API endpoints to do so.
Additional context
Supply chain attacks are becoming increasingly commonplace. Just last month four high-profile NPM packages were compromised, with ua-parser-js being the most widely used.
See also: #4196, #4197 for other basic mitigations. No single one is sufficient on its own; they have to be used in tandem.