Web services should be relying on passwords because that is a simple means of authentication that users already know and it keeps the services independent from a central identity provider. As we all know passwords alone can't protect us anymore though, so web services need to give their users an option to secure their accounts with a second factor. Thus in a few years I think that two-factor authentication is going to be a standard way of protecting our online accounts.
I really hope no one is going to try to force me to carry a phone around all the time (I only have one with me when I'm expecting a call or planning to call someone myself). Those yubi keys look interesting, but it's still an extra piece of hardware that has to be bought and carried around (and not lost).