Why is NPM getting rid of TOTP as 2FA authentication method?

Does NPM require MFA to be used?

If so I could understand this (although there are certainly arguments to have had about it). But if they allow accounts without MFA then this would seem counterproductive, because while TOTP has issues it's a lot better than nothing.