Revisiting this some time after the fact, this is still an asinine idea. It's pointless and an unnecessary headache, as a bad actor could simply login using stolen/leaked profile credentials, generate a new token, and use it to his/her heart's content and the actual profile owner would be none-the-wiser.
Pfft...and HF actually had the nerve to ask folks in a poll why they avoid their site in favor of GitHub, CivitAI, and the like. Making stupid decisions that needless inconvenience its users would be pretty high on the list I imagine.