Everything should be two factor password system with one being a token/phone/pc,
No thank you. I'd like to be able to access things like webmail without a token. The reason I'm using webmail in the first place is usually that I don't have my phone or laptop with me. And the last thing I want is a token that can never leave my side, and that upon being lost or damaged locks me out of everything everywhere.
Additionally, I don't want to give all these entities my cell phone number. (A common identifier that can be used to tie multiple otherwise disconnected accounts together; that ties me to a geolocation, a real identity and even payment information -- unless I go to steps like carrying around a dedicated burner phone.)
I simply don't care to hand them all that information; especially since their marketing departments treat it as a gold mine.
And if I'm not using a phone as my token... I definitely don't want to carry around a bag of RSA dongles.
the second one should be a short, (no more than 6 symbols - including every key on a standard keyboard
a) Whose standard keyboard? Not everyone speaks US English or uses a US English keyboard.
b) Why limit it to 6 characters? None of my passwords are that short. And at 6 symbols you are into easy "over the shoulder" password theft territory.
"Aha! But they won't have the token!" you'll counter.
Aha nothing! Many of the people who might steal my password over my shoulder would be able to get access to my phone too. Coworkers, roommates, the pickpocket at the restaurant, bar, or checkout line...
Each authenticated resource has a different risk profile, and merits different levels of protection. The registrar account holding our domains and our investment accounts needs a lot more security than a logon at slashdot. The same rules for both don't even make sense.
I certainly don't want a dongle for /. and I don't care to give Dice my phone number either; nor do I want to have to deal with 2-factor to log in to /.
Passwords (and authentication in general) are a complicated problem. And standardizing electronic authentication is as absurd as standardizing physical authentication. (Can you imagine how absurd you'd look declaring that everything from your luggage to the bank vault should use the same type of key to open the lock?)