
You can always add more authorized keys. That's what I do and definitely the way to go for this scenario.



With ssh the situation is quite good, and it should serve as an example on "how to do it right".

I find web services to be a huge pain, though: Obviously most don't offer any kind of 2FA, or maybe Google Authenticator or SMS at best (which means those websites must be so bad that people don't log in to them on their phone?). But even those who do "proper" 2FA often will only allow a single U2F token - and enforce GA, SMS or a secondary email as fallback.

(Putting this rant here so maybe a webdev or even two do it better the next time they do some auth stuff ;-))



