"But we're stuck with passwords for the foreseeable future."
Not because we want to but because massive monolithic suppliers like NGA and Capita are not going to develop their ancient yet essential products to support new authentication processes. They barely cope with username/pwd as it is.
And the banks will do anything to avoid spending money as well. Fines will probably be cheaper than redeveloping their websites