Hard disagree here: supply chain attacks are big business, and it matters a lot more than a few thousand bucks in a savings account, which can be easily reversed if stolen by crooks. PyPI isn't "every single website"; it's full of modules powering a lot of the internet and other critical infrastructure.
I have a hardware key for the 2FA on my meagre open source libraries; it takes 10 seconds to pull it out of my pocket and use it. Why is that a bad thing if it's enforced? It seems more like you have a UX problem here: there's solid open source TOTP software that comes with browser extensions and is one click to use. SMS only can be a pain, but many companies are moving away from that, albeit slowly.
I also have a hardware key, I got it for free last year.
It doesn't take 10 seconds. It takes remembering to keep it with me when I travel.
Also with 2FA the risk of being permanently locked out of my account increases A LOT.
With a bank or similar I can show up to their office, show my ID and reset all access. With websites there is NOBODY responding. I've tried taking over an abandoned project on PyPI for which I'd done several contributions before the owner disappeared. Never got any response.
So losing the keys means that I have to fork my own project :D