How to keep your users safe (blog.clef.io)
14 points by landakram 4897 days ago
2 comments

"Two-factor ... These devices can be expensive ... "

This is not true at all (the expensive part). The hardware component for setting up two-factor auth for users is effectively free if your users have smart phones (i.e. Google Authenticator and equivalents). Honestly, users that don't have smart phones probably aren't going to use two-factor auth anyway.

Similarly, the server software side isn't that complicated to implement either. In my experience with implementing it, most of the complexity is in handling emergency codes for resets, as implementing the TOTP/HOTP parts is pretty straightforward.

I remember hearing that single-purpose two-factor hardware tokens (i.e. something like those RSA SecurID keychains) are on the order of $5-10 per user (that was a couple of years ago; the price is probably lower now). If you're dealing with less sophisticated users but the cost of compromising a user's account is high (ex: you're a financial institution), then I think that price is well worth it.

Many companies still charge $50/user/year for two-factor authentication (Wells Fargo wanted to charge me $180/year for it) and even programs that use smartphones can be expensive. What you're suggesting is that companies do it in-house, which is possible with a sophisticated IT department, but still takes significant time (cost) to implement and manage.

You're right that this technology is getting much better, but cost is still a barrier to entry for this space.

I'm a programmer and it took me about an hour to implement and test a basic two-factor authentication algorithm using Google Authenticator. That includes creating the QR code, creating the secret string and calculating the current one-time password. If you have a decent programmer for your web application then the one-time cost involved is very minimal for the benefit that it provides.
Really looking forward to seeing Clef on more sites
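The two comments above describe the server side of Google Authenticator-style two-factor auth (generating the secret, the QR code payload, the current one-time password) and note that the emergency/backup codes are the part that needs care. The block below is an added example written for this page; it is not code from the commenters, from the linked Clef post, or from Google Authenticator. It implements HOTP (RFC 4226) and TOTP (RFC 6238) with the Python standard library only, builds the otpauth:// URI that a QR-code library would encode, and shows single-use backup codes stored hashed. The RFC_TEST_SECRET constant is the published RFC test-vector key, so the results can be checked against the RFCs; the account name, issuer, and all function names are assumptions of this example.

```python
# Added example (not from the original thread or from Clef): HOTP/TOTP as
# used by Google Authenticator, plus single-use backup codes. Stdlib only.
import base64
import hashlib
import hmac
import secrets
import struct
import time
import urllib.parse
from typing import List, Optional, Tuple

# ASCII "12345678901234567890" in base32: the RFC 4226 / RFC 6238 test key.
RFC_TEST_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def generate_secret(nbytes: int = 20) -> str:
    """Random per-user shared secret, base32-encoded as Authenticator expects."""
    return base64.b32encode(secrets.token_bytes(nbytes)).decode("ascii")


def hotp(secret_b32: str, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic
    truncation to `digits` decimal digits (zero-padded)."""
    key = base64.b32decode(secret_b32.upper() + "=" * (-len(secret_b32) % 8))
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret_b32: str, at: Optional[int] = None, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP with the counter derived from Unix time / step."""
    now = int(time.time()) if at is None else at
    return hotp(secret_b32, now // step, digits)


def verify_totp(secret_b32: str, code: str, at: Optional[int] = None,
                window: int = 1, step: int = 30) -> bool:
    """Accept the current step and `window` steps on either side to tolerate
    phone clock skew. Constant-time compare so a wrong guess does not leak
    how many leading digits matched."""
    now = int(time.time()) if at is None else at
    return any(
        hmac.compare_digest(totp(secret_b32, now + k * step, step), code)
        for k in range(-window, window + 1)
    )


def provisioning_uri(secret_b32: str, account: str, issuer: str) -> str:
    """otpauth:// URI; encode this string in the enrollment QR code."""
    label = urllib.parse.quote(f"{issuer}:{account}")
    query = urllib.parse.urlencode({"secret": secret_b32, "issuer": issuer,
                                    "algorithm": "SHA1", "digits": 6, "period": 30})
    return f"otpauth://totp/{label}?{query}"


def generate_backup_codes(n: int = 10) -> Tuple[List[str], List[str]]:
    """Returns (plaintext codes to show the user once, hashes to store).
    Only hashes persist, so a leaked database row is not a usable code.
    Assumption for brevity: plain SHA-256; a production system would use a
    slow, salted KDF as it would for passwords."""
    codes = [secrets.token_hex(5) for _ in range(n)]  # 40 random bits each
    return codes, [hashlib.sha256(c.encode()).hexdigest() for c in codes]


def consume_backup_code(stored_hashes: List[str], code: str) -> bool:
    """Single use: the matching hash is removed so the code cannot be replayed."""
    digest = hashlib.sha256(code.strip().lower().encode()).hexdigest()
    for i, stored in enumerate(stored_hashes):
        if hmac.compare_digest(stored, digest):
            del stored_hashes[i]
            return True
    return False


if __name__ == "__main__":
    secret = generate_secret()
    print(provisioning_uri(secret, "alice@example.com", "ExampleApp"))  # assumed names
    print("current code:", totp(secret))
    shown, stored = generate_backup_codes(3)
    print("backup codes (show once):", shown)
    print("consumed:", consume_backup_code(stored, shown[0]), "remaining:", len(stored))
```

Two caveats a deployment needs that the block leaves out: record the last counter value a user successfully authenticated with and refuse anything at or below it, so a code sniffed inside the skew window cannot be replayed, and rate-limit verification attempts, since a six-digit code gives an online attacker a 1-in-10^6 chance per guess.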