I won't lie but I lost you in the steps mentioned here. Finally, IMO, people just want auto-fill/auto-logged in instances without having to enter OTP/type password/do 2FA etc. No matter how you slice it, that's the way people want. Now, how do I compress all these requirements within the boundaries of what is acceptable as a provable source of identity, it becomes a harder problem than you describe.

PS: I have worked in computer security and I am drunk. Eat your salt