Passkeys - no need for hardware key.

They have it implemented.

I created NPM account today and added passkey from my laptop and hardware key as secondary. As I have it configured it asked my for it while publishing my test package.

So the guy either had TOTP or just the pw.

Seems like should be easy to implement enforcement.