I use passkeys where I can, including on this forum, and honestly that is still the best direction I have seen so far.
The reason I do not think “password 1 + password 2” is the answer is that it is still the same factor twice. It is still just “something you know.” If a person gets phished, keylogged, shoulder-surfed, socially engineered, or tricked into typing both, then the second password did not really save them. It adds friction, but not a different kind of proof. To me that is the core problem with the idea.
Passkeys make more sense because they change the model. You are not just typing more secrets into a box. The login is tied to the real site and approved with a key pair, which is why they are so much stronger against phishing than normal passwords. From the user side they are also a lot less annoying when they are implemented properly. That matters, because security that is miserable to use usually gets worked around or ignored.
Where I think the discussion gets more interesting is the part about what should happen when passkeys are not available or when a site wants a stronger step-up check. In that case, I actually think something closer to how MitID works in Denmark is a much better model than email codes or SMS. Not because government ID systems should be copied blindly everywhere, but because the flow itself is better: you start the login on one device, then approve it in a separate trusted app, often by scanning a QR code and clearly seeing what you are approving. That is a lot cleaner than “we sent a code to your email” or “hope your phone number still works today.”
Steam’s QR login is another good example of the same basic idea. You try to sign in on the PC, scan the QR code with the Steam mobile app, approve it on the device already linked to your account, and you are in. That is a far better experience than juggling email codes, and it is also better than pretending two typed passwords is some major leap forward.
So if you ask me, the best path is not inventing a new secret for people to memorize. It is:
passkeys wherever possible,
QR/app approval as the next best option,
recovery codes stored safely offline for when things go wrong,
and email/SMS only as a last-resort fallback.
As for the “invisible” side of security, I do think you are onto something there, just not with the login secret itself. The invisible part should be things like session checks, unusual-login detection, rate limits, impossible-travel flags, device reputation, and good logging that helps catch abuse without making normal users jump through hoops every single time. That is where invisible security actually shines.
So overall, I agree with the frustration, especially with weak email-based 2FA and SMS nonsense. But I do not think a second password is really better 2FA. I think passkeys are the best answer we currently have for normal users, and flows like MitID or Steam QR approval are probably the best examples of how to handle the “step-up” part without turning login into a circus.
