I used to work for a bank where 20 years ago we rolled out two-factor login for our high net worth clients. The clients hated it. Our client reps hated us for it. In about a year we had disabled it for the 90%-plus of clients who didn't want the extra hassle. And we, or more importantly our clients, suffered very few losses as a result... in fact there were none for at least the next decade. Simpler times, and hopefully it's back now.

Two-factor auth is a hassle but it works. In comparison, password complexity really doesn't matter hugely in the scheme of things. It doesn't help if the attack is a keyboard logger, or if the password is reused by the client on other sites that store it unhashed. Even if it is hashed, experience shows password complexity is normally interpreted as having the first letter capitalised and the digit "one" appended, so it is pretty easy to brute force. What it does best is make the client forget their password, and have it reset by giving their favourite colour or first pet's name and getting a reset link mailed to them via insecure email.
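As an added illustration of the "capital letter plus a digit" point above (example code written for this page, not the poster's): a tiny rule-based guesser in the style of a hashcat/John rules attack. It takes a constructed ten-word dictionary, applies the predictable mangling rules people use to satisfy a "8+ characters, upper, lower, digit" policy, and then only tries candidates that the policy would accept. The policy does not enlarge the attacker's search; it tells the attacker which shape to try first. SHA-256 stands in for whatever the site stores; the dictionary, rules and policy are assumptions, not taken from any real breach.

```python
import hashlib
import re

# Constructed sample wordlist (assumption: a ten-word stand-in for a real list).
WORDLIST = ["password", "welcome", "summer", "letmein", "monkey", "dragon",
            "football", "qwerty", "iloveyou", "sunshine"]


def mangle(word):
    """Yield candidates in the order an attacker would try them: the word,
    then the predictable transformations people use to satisfy a
    complexity policy (capitalise first letter, append a digit or suffix)."""
    yield word
    yield word.capitalize()
    for digit in "1234567890":
        yield word + digit
        yield word.capitalize() + digit
    for suffix in ("!", "1!", "123", "2024"):
        yield word.capitalize() + suffix


def meets_policy(candidate):
    """Typical complexity policy: at least 8 chars, upper, lower and digit."""
    return (len(candidate) >= 8
            and re.search(r"[A-Z]", candidate) is not None
            and re.search(r"[a-z]", candidate) is not None
            and re.search(r"[0-9]", candidate) is not None)


def candidates(wordlist=WORDLIST):
    """All mangled candidates, de-duplicated, in attempt order."""
    seen = set()
    for word in wordlist:
        for cand in mangle(word):
            if cand not in seen:
                seen.add(cand)
                yield cand


def policy_candidate_count(wordlist=WORDLIST):
    """How many of the mangled candidates the policy would accept, i.e. the
    size of the search space a policy-aware attacker actually has to cover."""
    return sum(1 for cand in candidates(wordlist) if meets_policy(cand))


def sha256_hex(text):
    # Stand-in for the stored hash; a real site should use bcrypt/scrypt/argon2.
    return hashlib.sha256(text.encode()).hexdigest()


def crack(target_hash, wordlist=WORDLIST, policy_only=True):
    """Return (plaintext, guesses_made) or (None, guesses_made).
    With policy_only the attacker skips candidates the policy would have
    rejected, so the complexity rule shrinks the search rather than growing it."""
    guesses = 0
    for cand in candidates(wordlist):
        if policy_only and not meets_policy(cand):
            continue
        guesses += 1
        if sha256_hex(cand) == target_hash:
            return cand, guesses
    return None, guesses


if __name__ == "__main__":
    print("policy-accepted candidates:", policy_candidate_count())
    for pw in ("Password1", "Welcome1", "Summer1!"):
        print(pw, "->", crack(sha256_hex(pw)))
```

The figures the block reports are small: ten dictionary words become 260 candidates, of which 90 satisfy the policy, and "Welcome1" falls on the 14th policy-compliant guess. Scaling the wordlist to a few million entries and the rule set to a few hundred rules is what real cracking tools do, and the ratio stays the same: a complexity rule that everyone satisfies the same way costs the attacker almost nothing.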

