Problem mainly solvable using standards
Having to remember and input passwords makes any online system that depends upon them weak.
The banks have (largely) solved this by giving everyone a uniquely keyed device with a trivial secret needed with it (chip and PIN) and issuing all merchants with a device it plugs into. Something you have and something you know. A standard intended to be usable by any number of servers and users for any number of applications has to be able to do at least as well as this. Initially I think it will be an application run on mobile phones which have a standards-compliant embedded crypto chip that can sign stuff or one-time entry tokens as you. Those wanting a device which hasn't got other (non-security) applications will be able to find such on the open market once the API and network standards etc. are well enough defined. It goes without saying that these devices should be able to talk securely over Wi-Fi, USB and Bluetooth - mobile phone apps already do. Maybe the SIM card could have some useful crypto extras standardised for this.
If you want better than something you know and something you have, then it is not too difficult to add a fingerprint reader - something you are - but knowledge of your biometric, used to unlock your device, need be known only by the user and the security device the biometric unlocks.
The obvious user ID is any email address which can be routed to message the security device. There is no harm and much benefit in having more than one which a security device can sign for. The obvious PKI where certificates for such device keys should be stored and found is DNSSEC.
No such solution will ever be perfect. Questions to ask about a new proposed solution like this are whether it is usable, affordable, open to all developers, and better than what was used for this purpose previously.
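The post above sketches the idea (a per-user signing device, unlocked by a PIN or biometric, whose public key is found under the user's email address) without specifying a protocol. The following is an added example written for this page, not code from the original post or from any project it mentions, showing the minimum exchange such a device and server would need: the server issues a random single-use nonce, the device signs it together with the origin it is actually talking to and the address it is asserting, and the server verifies the signature against the published key. Everything concrete here is an assumption: Ed25519 as the device signature scheme, a `Directory` map standing in for the DNSSEC lookup of a device certificate, the `https://bank.example` / `alice@example.org` names, a string PIN standing in for the chip-and-PIN or biometric unlock, and the `v1|origin|email|nonce` layout of the signed bytes.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/subtle"
	"encoding/hex"
	"errors"
	"fmt"
	"time"
)

// Directory stands in for the DNSSEC-published PKI the post proposes: it maps an
// e-mail address to the public key of the device allowed to sign for it.
// (Assumption: a map instead of a real DNS lookup, so this runs offline.)
type Directory map[string]ed25519.PublicKey

// Challenge is what the server hands to the device: a fresh random nonce, the
// origin it was issued for, and when it was issued.
type Challenge struct {
	Nonce  []byte
	Origin string
	Issued time.Time
}

// Assertion is the device's answer: the address it claims, the nonce it is
// answering, the origin it was talking to, and a signature over all three.
type Assertion struct {
	Email     string
	Nonce     []byte
	Origin    string
	Signature []byte
}

// Server issues challenges and verifies assertions against the directory.
type Server struct {
	origin  string
	dir     Directory
	ttl     time.Duration
	pending map[string]Challenge // outstanding nonces keyed by hex; removed on first use
}

func NewServer(origin string, dir Directory, ttl time.Duration) *Server {
	return &Server{origin: origin, dir: dir, ttl: ttl, pending: map[string]Challenge{}}
}

// NewChallenge mints a 32-byte random nonce and remembers it so it is accepted once.
func (s *Server) NewChallenge(now time.Time) (Challenge, error) {
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		return Challenge{}, err
	}
	c := Challenge{Nonce: nonce, Origin: s.origin, Issued: now}
	s.pending[hex.EncodeToString(nonce)] = c
	return c, nil
}

// signedMessage is the byte layout both sides sign and verify (assumed format).
// Binding origin and address into the signed bytes is what stops a signature
// obtained by one site, or for one address, from being reused elsewhere.
func signedMessage(origin, email string, nonce []byte) []byte {
	return []byte(fmt.Sprintf("v1|%s|%s|%s", origin, email, hex.EncodeToString(nonce)))
}

// Verify checks one assertion; each failure is a distinct error.
func (s *Server) Verify(a Assertion, now time.Time) error {
	key := hex.EncodeToString(a.Nonce)
	c, ok := s.pending[key]
	if !ok {
		return errors.New("unknown or already-used nonce")
	}
	delete(s.pending, key) // single use, whether or not the rest succeeds
	if now.Sub(c.Issued) > s.ttl {
		return errors.New("challenge expired")
	}
	if a.Origin != s.origin {
		return errors.New("assertion was made for a different origin")
	}
	pub, ok := s.dir[a.Email]
	if !ok {
		return errors.New("no device key published for this address")
	}
	if !ed25519.Verify(pub, signedMessage(a.Origin, a.Email, a.Nonce), a.Signature) {
		return errors.New("bad signature")
	}
	return nil
}

// Device is the "something you have": a private key that never leaves it,
// unlocked per use by the "something you know" (a PIN here, by assumption).
type Device struct {
	email string
	priv  ed25519.PrivateKey
	pin   string
}

// Enroll generates the device key pair and publishes the public half.
func Enroll(email, pin string, dir Directory) (*Device, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	dir[email] = pub
	return &Device{email: email, priv: priv, pin: pin}, nil
}

// Sign answers a challenge. The device signs the origin its own transport says
// it is connected to (channelOrigin), not the one inside the challenge, so a
// phishing site relaying a genuine challenge gets a signature the real site rejects.
func (d *Device) Sign(c Challenge, channelOrigin, pin string) (Assertion, error) {
	if subtle.ConstantTimeCompare([]byte(pin), []byte(d.pin)) != 1 {
		return Assertion{}, errors.New("wrong PIN: device stays locked")
	}
	msg := signedMessage(channelOrigin, d.email, c.Nonce)
	return Assertion{Email: d.email, Nonce: c.Nonce, Origin: channelOrigin, Signature: ed25519.Sign(d.priv, msg)}, nil
}

func main() {
	dir := Directory{}
	dev, _ := Enroll("alice@example.org", "1234", dir)
	srv := NewServer("https://bank.example", dir, 2*time.Minute)
	now := time.Now()
	c, _ := srv.NewChallenge(now)
	a, _ := dev.Sign(c, "https://bank.example", "1234")
	fmt.Println("first use:", srv.Verify(a, now)) // <nil>
	fmt.Println("replayed: ", srv.Verify(a, now)) // unknown or already-used nonce
}
```

The things worth noticing are the checks rather than the signing call: the nonce is deleted before any other check so an assertion can never be tried twice, the origin the device signs comes from its own channel rather than from the challenge, and the address is looked up in the directory only after the signed bytes have been fixed, so a correct signature for one address cannot be presented under another.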