2FA helps ensure your package is under your control and still *is* your package, but how does it help with typosquatting?
Unless, perhaps, each "critical" package also has packages with all the close-match typos auto-generated (these containing whatever is the equivalent of "this package deliberately left blank") and also put under your 2FA? Wild guess, that isn't happening..
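The close-match idea in the comment above, sketched as a registration-time check (an added example, not part of the original comment and not any registry's actual code). The `CRITICAL` set, the function names and the distance threshold of 1 are assumptions made for illustration.

```python
import re

# Constructed sample list; a real registry would supply its own "critical" set.
CRITICAL = {"requests", "urllib3", "python-dateutil"}

def normalize(name: str) -> str:
    """Fold case and collapse runs of '-', '_' and '.' into a single '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()

def osa_distance(a: str, b: str) -> int:
    """Edit distance where insert, delete, substitute and adjacent swap cost 1."""
    prev2, prev = None, list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cost = 0 if ca == cb else 1
            best = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + cost)
            # Adjacent transposition ("reqeusts" for "requests").
            if i > 1 and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                best = min(best, prev2[j - 2] + 1)
            cur.append(best)
        prev2, prev = prev, cur
    return prev[-1]

def close_match(candidate: str, critical=CRITICAL, max_distance: int = 1):
    """Return the critical name that `candidate` is a near-typo of, else None."""
    cand = normalize(candidate)
    cand_flat = cand.replace("-", "")
    for name in sorted(critical):
        norm = normalize(name)
        if cand == norm:
            continue  # same name after normalisation, so not a typo of it
        if cand_flat == norm.replace("-", ""):
            return name  # differs only in where the separators sit
        if osa_distance(cand, norm) <= max_distance:
            return name
    return None

if __name__ == "__main__":
    for attempt in ("reqeusts", "urllib", "pythondateutil", "numpy"):
        print(attempt, "->", close_match(attempt))
```

A name that comes back non-`None` is one of the "close-match typos" the comment describes, so it could be held for review or reserved alongside the critical package instead of being published by an unrelated account.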