My bank has a fixed 8 digit number as the password, and mandatory SMS 2FA (which is flawed).

They also offer hw token login but you need to buy them and I don't think a relevant percentage of users uses those.