Sites that do ask for extra info (Mother's maiden name type of thing) are protected against this, but there are an awful lot of sites that never ask you for anything but an email address and a password when signing up.
You wouldn't even need to make it only work for a single login. Let it live for a year or forever. Automate the bookmark procedure for them as well, so their bookmark for your site (https, of course) would automatically log them in, as it would contain a very large random string that identifies them. For extra points on sensitive sites, tie that random string to their IP address, so it only works from the IP address they were at when they first clicked it. If they click it from a new IP address, an email is sent, asking permission to whitelist that IP address for them as well.
The "something you have" only really works as an additional authentication factor to the "something you know" of the passwords.
If you leave browsers logged in, it might be a little more so, but still, I want to log in now. Not in a half an hour after the email works its way through my company's spam filters.