I agree. Even "bad" 2FA (e.g. SMS) is better than nothing in this case. However, I suspect some would complain about needing to give a telephone number to use their new camera.
I think it would be completely reasonable to bundle one of those Bluetooth-based U2F tokens and to require that to be around when you want to access the camera remotely.
To add new tokens to your account, you would have to place them on top of the camera, or something.
This makes the attack described in the article basically impossible, and lets the camera vendor sell you tokens if you have multiple family members that want to log in. A win-win!
Have forced 2FA through e-mail for new device/IP location more than X miles away. Users rarely log in from a new device, or randomly log in from a different country. Tagging those as suspicious and making the user get a code from their email is simple and goes a long way in increasing security with minimal annoyance.
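One way to implement the check described in the comment above, as an added example that is not part of the original thread and was not written by any commenter. The 500-mile value standing in for "X", the `Login` record and the function names are assumptions, and coordinates are assumed to come from an IP geolocation lookup done elsewhere.

```python
import math
from dataclasses import dataclass
from typing import Optional, Sequence

EARTH_RADIUS_MILES = 3958.8
MAX_MILES = 500.0  # assumed value for the comment's unspecified "X miles"


@dataclass(frozen=True)
class Login:
    device_id: str
    lat: Optional[float]  # None when IP geolocation failed
    lon: Optional[float]


def miles_between(a: Login, b: Login) -> float:
    """Great-circle (haversine) distance between two located logins."""
    lat1, lat2 = math.radians(a.lat), math.radians(b.lat)
    dlat, dlon = lat2 - lat1, math.radians(b.lon - a.lon)
    h = math.sin(dlat / 2) ** 2 + math.cos(lat1) * math.cos(lat2) * math.sin(dlon / 2) ** 2
    return 2 * EARTH_RADIUS_MILES * math.asin(math.sqrt(h))


def step_up_reason(attempt: Login, verified: Sequence[Login],
                   max_miles: float = MAX_MILES) -> Optional[str]:
    """Return why an e-mailed code is required, or None to allow the login.

    `verified` holds only logins that already passed verification, so an
    attacker's own failed attempts never become trusted history.
    """
    if attempt.device_id not in {v.device_id for v in verified}:
        return "new_device"            # also covers an empty history
    if attempt.lat is None or attempt.lon is None:
        return "location_unknown"      # fail closed when geolocation fails
    located = [v for v in verified if v.lat is not None and v.lon is not None]
    if not located:
        return "location_unknown"
    nearest = min(miles_between(attempt, v) for v in located)
    return "far_location" if nearest > max_miles else None


# Constructed sample data: one verified login from Berlin on a known laptop.
HISTORY = [Login("laptop-1", 52.52, 13.405)]
NEARBY = Login("laptop-1", 52.39, 13.06)      # Potsdam, about 17 miles away
ABROAD = Login("laptop-1", 40.71, -74.00)     # New York
NEW_PHONE = Login("phone-9", 52.52, 13.405)

if __name__ == "__main__":
    for name, attempt in [("nearby", NEARBY), ("abroad", ABROAD), ("new phone", NEW_PHONE)]:
        print(name, "->", step_up_reason(attempt, HISTORY) or "allow")
```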
Method-wise, you are correct. However, forcing all the users to adopt a new password creation paradigm will statistically make this a very small issue.
I kind of doubt it. People will use the same password on every website, and if you require it to be 4 words, they'll just make it "my password is password" or something. Password requirements don't improve password security. Reuse and phishing are always going to be the main problem.
(Of course, bad passwords are bad. One time I exposed a MySQL database I use for local unit tests to the Internet with the credentials root:test. It was hacked in hours, with a message saying where to send bitcoins to get the database back. Slightly stronger passwords do help with that sort of thing.)
If you still use it on multiple sites, and one of those sites is storing it in plaintext, you'll still have the same security issue. It's very rare that someone has broken a password through character-by-character brute force.