Might as well use client certificates at that point. Along with TFA, if we don't have users choose passwords, then just issue a client cert and have it installed in the browser, would probably require some new web standard.