
That's how low the trust in passwords has got nowadays, which brings up the question: why are we still using passwords?


What is a good alternative?

A device of any kind isn't good enough (e.g. at border crossings or when lost otherwise). Biometrics can be a substitute for a user name but never for a password.


I did write a Whitepaper and Demo: UX for Authenticated & Verified ERC20 Payments Using MetaMask and EthSigUtil.

This can be applied to identity and digital ownership of any property. This solution moves security to the edges; that is, the sole owner of the property holds the keys to sign away their rights to the data through digital signatures.

This removes the need for a central authority entirely.

https://steemit.com/ethereum/@emmonspired/whitepaper-and-dem...


Most sites are either high enough value that they should do the hard things, or they should outsource identification in some way. It is ridiculous that low-value sites use passwords, especially where cookies by themselves would suffice.


Outsourcing authentication is tricky. Some of the most likely sources are ones that many of us don't particularly trust.


Sure, outsourcing is tricky, but apparently so are passwords? One failure mode it doesn't have is "a bunch of passwords got pwned and my company is at fault".

I do agree that the current schemes such as OAuth2 have odious implications. I don't think that the design space is completely explored, however. By relying solely on emailed and browser-stored tokens with judicious lifetimes, a site could outsource to email providers in a pretty secure way.
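
The emailed-token idea in the comment above, as an added example that is not part of the thread: a short-lived, single-use login link is mailed to the user and redeemed for a longer-lived browser token, so the site stores no passwords. The HMAC-SHA256 construction, the 15-minute and 30-day lifetimes, and every function name here are assumptions chosen for illustration.

```python
import base64, hashlib, hmac, json, secrets, time

SERVER_KEY = secrets.token_bytes(32)  # assumption: per-site secret, never leaves the server
LINK_TTL = 15 * 60                    # assumption: emailed link is valid for 15 minutes
SESSION_TTL = 30 * 24 * 3600          # assumption: browser-stored token is valid for 30 days
_used_nonces = set()                  # replay store; a real site would persist this

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue(email, purpose, ttl, now=None):
    """Return 'body.tag': signed claims bound to one address, one purpose, one expiry."""
    now = time.time() if now is None else now
    claims = {"sub": email, "use": purpose, "exp": int(now + ttl), "jti": secrets.token_hex(16)}
    body = json.dumps(claims, sort_keys=True).encode()
    tag = hmac.new(SERVER_KEY, body, hashlib.sha256).digest()
    return _b64(body) + "." + _b64(tag)

def verify(token, purpose, now=None):
    """Return the claims if the MAC, purpose and expiry all check out, else None."""
    now = time.time() if now is None else now
    try:
        body_part, tag_part = token.split(".")
        body, tag = _unb64(body_part), _unb64(tag_part)
    except ValueError:  # wrong shape or bad base64
        return None
    expected = hmac.new(SERVER_KEY, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):  # constant-time comparison
        return None
    claims = json.loads(body)  # parsed only after the MAC has been verified
    if claims["use"] != purpose or now >= claims["exp"]:
        return None
    return claims

def redeem_link(token, now=None):
    """Exchange an emailed login link for a session token, exactly once."""
    claims = verify(token, "login-link", now)
    if claims is None or claims["jti"] in _used_nonces:
        return None
    _used_nonces.add(claims["jti"])
    return issue(claims["sub"], "session", SESSION_TTL, now)
```

The purpose field keeps a session token from being replayed as a login link and vice versa; control of the mailbox is the only credential.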



