> So you are ok with 2FA, right?

Yes. Are you not? It's one of the most effective measures to prevent a whole class of supply chain attacks. On Github the 2FA is also flexible enough to allow non-hardware passkeys, so you can choose a privacy preserving option with good UX.