The SSO/YOLO will be here; we're lazy humans. So I need:
First level with a day-use password, easy to "read", some "write" ability.
Second level: "elevated" privileges of the account etc. This must have a high barrier of entry: a different password, call-me-back-in-person to verify (not automated though, like 2-step verification), single-use codes etc. Some execute this when logging in from a new device. That's good but not enough.
E.g. I want to check my bank account - "daily use". I want to conduct transfers or change password - "elevated" and hence much tougher authentication.
This way, if my first SSO/YOLO gets broken into, I could wipe out all the other password accounts in one step with my "elevated" and unbroken password that is not a YOLO. Yes, this may not be convenient to execute, but hopefully it does not happen very often?
On the other hand, 2-step verification every time I use something is too annoying...
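The two-tier scheme described in the comment above can be sketched as step-up authentication. This is an added example, not part of the original comment; the class, the action names, and the reading of "wipe out in one step" as revoking every session are assumptions made for illustration.

```python
import hashlib, hmac, secrets
DAILY, ELEVATED = 1, 2
# Constructed policy; the action names are illustrative assumptions.
REQUIRED = {"view_balance": DAILY, "transfer": ELEVATED,
            "change_password": ELEVATED, "revoke_all_sessions": ELEVATED}

def kdf(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class Account:
    def __init__(self, daily_pw, elevated_pw):
        if daily_pw == elevated_pw:
            raise ValueError("elevated password must differ from the daily one")
        self.salt = secrets.token_bytes(16)
        self.pw = {DAILY: kdf(daily_pw, self.salt), ELEVATED: kdf(elevated_pw, self.salt)}
        self.codes = set()    # unused single-use codes
        self.sessions = {}    # session token -> current tier

    def issue_code(self):
        code = secrets.token_hex(4)   # handed to the owner out of band
        self.codes.add(code)
        return code

    def _check(self, tier, password):
        return hmac.compare_digest(kdf(password, self.salt), self.pw[tier])

    def login(self, password):
        if not self._check(DAILY, password):
            return None
        token = secrets.token_urlsafe(16)
        self.sessions[token] = DAILY
        return token

    def step_up(self, token, elevated_pw, code):
        if (token not in self.sessions or code not in self.codes
                or not self._check(ELEVATED, elevated_pw)):
            return False
        self.codes.discard(code)          # a code works exactly once
        self.sessions[token] = ELEVATED
        return True

    def perform(self, token, action):
        if self.sessions.get(token, 0) < REQUIRED[action]:
            return "denied"
        if action == "revoke_all_sessions":
            self.sessions.clear()         # evicts every session, including a thief's
        elif REQUIRED[action] == ELEVATED:
            self.sessions[token] = DAILY  # elevation covers one sensitive action
        return "ok"
```

A session opened with the daily password can read but is denied transfers, and the elevation drops back after each sensitive action, so the second factor is asked for only when it matters rather than on every use.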