by wmf 3500 days ago
Any password that you give out will be stolen; that's why "let's have a special secondary password" doesn't solve much. There are now passwordless ways to authenticate, authorize, prove identity, make payments, etc. so that's what we should be suggesting.

Apple Pay is technically trying to solve this problem by providing one-time authentication keys for a specific transaction at time of payment. This sort of key cannot be reused in another transaction... What exactly do you mean by other passwordless ways?
Basically OAuth, which allows you to prove to one site (e.g. a merchant) that you have an account at another site (e.g. a bank in this case). http://designingsocialinterfaces.com/patterns/The_Password_A...