Ha. Perfect. That is exactly what I was imagining. Apologies for the long conversation.

Do you have any idea why this is not popular? Is it too hard to implement or is it just that business's do not see security as something to invest a lot in?

Most major SaaS apps support it, the major hardware provider I see recommended is yubikey although Google makes one as well. See also U2f. It's super easy to implement, try it out for yourself in Flask.

https://www.yubico.com/solutions/fido-u2f/

https://cloud.google.com/titan-security-key/

https://github.com/herrjemand/flask-fido-u2f

U2F is the legacy protocol, you should refer people to it's successor WebAuthn (and the FIDO2 hardware):

https://webauthn.guide/ for an intro

https://www.w3.org/TR/webauthn/ for the JS API

That website is very bad at conveying what it actually is to someone that might want to use it.

Indeed. I spent 10 or 15 minutes trying to figure out if they are selling a physical device, like a usb 'key' or are just selling 2 factor authentication with mobile phones. And I'm still none the wiser. It's pages upon pages of buzzwords and nonsense.

That's because it's not either-or. Read more slowly, it's a wide-ranging spec and there are many different implementations/extensions.