We run general purpose computers. Can't we trust our own operating systems enough to think they might store a couple bits of secretish data? If not, what good is any encryption since the attackers get every session key anyway? (not to mention the keylogger with the raw password and the memory debugger that sees every block encrypted and decrypted)
The only thing a dongle provides is certainty that another computer can't impersonate a fully compromised device without the dongle. Of course, dongle-failure could very well lock you out of your own services. (and with a back-door in place, session hijacking is very possible)
Many sites, like gmail for example, require "registering" each new device via phone IM or pre-shared key. This happens after password success. Secret keys are then created and stored as securely as the device is maintained. Only if the device is deeply compromised will they be stolen.
If we create a landscape where 90% of computers AREN'T compromised thoroughly this really isn't that horrible. Throw in a bit of geo-location and email warnings about every interesting event (password change, new device registration, stale device login, Computer moved to Ukraine) and really things aren't all that bleak especially for services used every day or even once a week.
Then of course, there's cracking down on IP's and ISP's generating compromising packets, but that's a whole other subject.
See: 18 U.S. Code 2701 - Unlawful access to stored communications