What always makes me sad is that the tech, even relatively standardized, has been available more or less forever to do things nice and robustly. Certificate-based authentication is markedly harder to defeat than any password (it’s basically at the ‘try to steal the private key of an SSLed website’ level of challenge); and the hardware for storing them securely and keeping them off a potentially compromised local filesystem (you can do certificate authentication that way, as well, and it’s still better than passwords; but if your system is compromised you are pretty screwed) is quite cheap. SIM cards do pretty much exactly this all the time for maybe $1/unit, probably less in quantity.
There is some limited adoption (in the US, CACs are standard on the DoD side, PIVs common but less ubiquitous for civilian applications; and some governments have implemented similar things in national ID cards), and you can buy a YubiKey or something if you want a handy USB-attached DIY option; but good luck getting most websites to care.
Even things like banking and brokerage accounts often take some arm-twisting to get a basic RSA-fob style authenticator, rather than some goofy SMS-based ‘2nd factor’, and those have real money on the line.
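To make the point in the comment above concrete, here is a small added example (not from the commenter, and not any real smart-card or CAC/PIV protocol): a key-based challenge-response login in Go, using ECDSA P-256 as a stand-in for the certificate on a card. The server stores only public keys, so a dump of its user table gives an attacker nothing to log in with, and each challenge is single-use, so a captured response cannot be replayed. The user name "alice", the domain-separation string and the in-memory `Token` type are all constructed for the demonstration.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Server side: per user, only a public key is stored. Leaking this table
// does not leak a credential, unlike a table of password hashes.
type Server struct {
	users  map[string]*ecdsa.PublicKey
	nonces map[string][]byte // outstanding single-use challenge per user
}

func NewServer() *Server {
	return &Server{users: map[string]*ecdsa.PublicKey{}, nonces: map[string][]byte{}}
}

// Enroll registers the user's public key (what a CA-signed cert would carry).
func (s *Server) Enroll(user string, pub *ecdsa.PublicKey) { s.users[user] = pub }

// Challenge hands the client a fresh random nonce to sign.
func (s *Server) Challenge(user string) ([]byte, error) {
	if _, ok := s.users[user]; !ok {
		return nil, errors.New("unknown user")
	}
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	s.nonces[user] = nonce
	return nonce, nil
}

// toBeSigned binds the signature to this protocol, this user and this nonce,
// so a response captured for one user or one session is useless elsewhere.
// The "challenge-auth-v1" label is a constructed domain-separation string.
func toBeSigned(user string, nonce []byte) []byte {
	h := sha256.New()
	h.Write([]byte("challenge-auth-v1\x00" + user + "\x00"))
	h.Write(nonce)
	return h.Sum(nil)
}

// Verify accepts a response only against the currently outstanding nonce and
// consumes that nonce either way, so each challenge is answered at most once.
func (s *Server) Verify(user string, nonce, sig []byte) bool {
	want, ok := s.nonces[user]
	delete(s.nonces, user)
	if !ok || !bytes.Equal(want, nonce) {
		return false // no challenge outstanding, or a replayed/forged nonce
	}
	return ecdsa.VerifyASN1(s.users[user], toBeSigned(user, nonce), sig)
}

// Token stands in for the smart card / YubiKey: the private key is generated
// inside it and only signatures ever leave.
type Token struct{ priv *ecdsa.PrivateKey }

func NewToken() (*Token, error) {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Token{priv: k}, nil
}

func (t *Token) Public() *ecdsa.PublicKey { return &t.priv.PublicKey }

func (t *Token) Sign(user string, nonce []byte) ([]byte, error) {
	return ecdsa.SignASN1(rand.Reader, t.priv, toBeSigned(user, nonce))
}

// Scenario runs three attempts: the real token logging in, a replay of that
// same response, and an attacker who copied the server's user table (public
// keys only) and therefore has to sign with a key of their own.
func Scenario() (genuine, replay, dbLeak bool, err error) {
	srv := NewServer()
	tok, err := NewToken()
	if err != nil {
		return
	}
	srv.Enroll("alice", tok.Public())

	nonce, err := srv.Challenge("alice")
	if err != nil {
		return
	}
	sig, err := tok.Sign("alice", nonce)
	if err != nil {
		return
	}
	genuine = srv.Verify("alice", nonce, sig) // expected: true
	replay = srv.Verify("alice", nonce, sig)  // nonce already consumed: false

	thief, err := NewToken() // attacker's own key; alice's private key never left her token
	if err != nil {
		return
	}
	nonce2, err := srv.Challenge("alice")
	if err != nil {
		return
	}
	forged, err := thief.Sign("alice", nonce2)
	if err != nil {
		return
	}
	dbLeak = srv.Verify("alice", nonce2, forged) // wrong key: false
	return
}

func main() {
	g, r, d, err := Scenario()
	fmt.Println("genuine:", g, "replay:", r, "db-leak attacker:", d, "err:", err)
}
```

The "if your system is compromised you are pretty screwed" caveat from the comment maps onto `Token`: when the private key lives in a file on the client instead of inside tamper-resistant hardware, malware on that box can copy it and then sign challenges just as the real token does, which is exactly the case the card-based storage is meant to close.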