However, last this was discussed, the Fedora AAA system(s) did not (yet?) support the full fido2/webauthn/passkey functionality, so at this time such full integration is just a dream(*).
You don't have to be a provenpackager to be able to do serious damage; you just need to maintain one package that's installed by a sufficiently-interesting quantity of Fedora users. In the long run, we should be moving to require WebAuthn for all Fedora authentication-related purposes, since it's unphishable. Last year I entered my GitHub password into a phishing page that was proxying the real GitHub... if the evil page had gone to just slightly more effort, it could have easily intercepted a simple TOTP/HOTP challenge. This is not possible with WebAuthn, which I would say actually is pretty much equivalent to a security magic bullet.
That said, I say this keenly aware that WebKitGTK doesn't support WebAuthn yet, and I would be interacting with Fedora packaging a lot less if I couldn't use my normal web browser. And anybody who isn't willing to buy a security key wouldn't be able to contribute to Fedora at all.
But WebAuthn and 2FA only stop someone else from compromising my account. It would probably be easier to join and become a packager by packaging a random leaf package no one would use, then as a packager pick up a random orphaned package that's in the core distro and then just compromise the distro that way TBH. 2FA won't stop that as they can just set up an actual 2FA token for their packaging account.