Why are we not already using the equivalent of an RSA token for authentication on the web? Of course, the physical token is replaced with a software app on your computer or mobile device. Is there something about the physical device that cannot be replicated in software?
If some malware gets to your phone or computer, sniffs the password and steals the keyfile, it's over. There are no other options but to immediately revoke the key. Hardware security tokens are specifically meant to mitigate this issue.
Otherwise, there are many software implementations out there. Your browser should already have one (search for HTTPS client certificate authentication), although it's not universal due to some X.509 PKI architecture constraints.