2FA+password could be a solution in the future, but it's much more complex from an engineering standpoint. Initially on Steemit.com you could simply set your own password, but we had to disable this. Many users had guessable passwords like "password" and got compromised. Then we raised the requirement to 16 characters; users were not happy, and it still wasn't enough, e.g. "passwordpassword". Generally speaking, if you can remember your private key (password), then it's not secure.
RE: Important Changes to Steemit.com and Wallet