Hacker News

zbentley, yesterday at 3:39 PM (1 reply)

Pinning, escrowing, and trailing all help, but I'm not sure "this step will be eliminated" is inevitable.

Package manager ecosystems are highly centralized. npm.org could require MFA (or rate limit, or email verification, or whatever) and most packagers would gripe but go along with this. A minority would look for npm competitors that didn't have this requirement, and another minority would hack/automate MFA and remove the added security, but the majority of folks would benefit from a centralized requirement of this sort.


Replies

ArcHound, yesterday at 8:09 PM

Let me rephrase: manual security verification is a velocity blocker. People won't do manual security verification of changes.

I agree that npm.org requiring MFA is a good idea in general and in this case.
