
Unless you have a very unique login, you are often going to see login attempts. Common names such as john, john123, john234, johnq, qjohn will happen more often, especially for a big site.

This will probably give rise to support calls to the bank...



Then you'll learn that your username is one that's under attack and that it's even more important to have a strong password. Put some useful documentation on the login page that explains it. What's wrong with that?


2FA and be done with it.


2FA is not magical. It makes an attack require more complexity, but it's not an "and be done with it" solution.


Have you seen how severely 2FA drops the rate of unauthorized accesses? It's incredible. What have you seen that moves you to hedge on the value of 2FA?


For one thing, the SIM swap attack [1]

[1] https://krebsonsecurity.com/tag/sim-swap/

In general, relying on a second factor whose security practices aren't the best, could actually compromise security compared to having a strong and unique password.

I personally wish that more banks would support 2FA authentication using a username/password in combination with TLS client-side certificates.


SIM swap is not scalable. It exists, but the scale of attacks through SIM swap is not even remotely comparable to credential stuffing.


Requires forcing every PC case and laptop sold to have a slot for smart cards. Otherwise it is too inconvenient.


You could just put it in the certificate store on the machine rather than relying on external storage.
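As an added example (not from any commenter in this thread), here is what the client-certificate second factor discussed above looks like on the wire, using only Go's standard library: a throwaway CA issues a server certificate and a client certificate; the server is configured with `RequireAndVerifyClientCert`, so a connection without a certificate, or with one issued by a different CA (even if it claims the same name), is rejected at the TLS handshake before any application data is exchanged. The CA, host names, and the "hello" greeting are assumptions made for the demo. Note that under TLS 1.3 the client's `Dial` can succeed and the rejection only surfaces on the first read, which is why `connect` checks both steps.

```go
package main

import (
	"bufio"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// issueCert returns a fresh P-256 key and a certificate for cn. With parent == nil the
// certificate is self-signed (a CA); otherwise it is signed by parent/parentKey.
func issueCert(cn string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 62))
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          serial,
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
		BasicConstraintsValid: true,
		IsCA:                  isCA,
		IPAddresses:           []net.IP{net.ParseIP("127.0.0.1")}, // demo server lives on loopback
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

func poolFor(ca *x509.Certificate) *x509.CertPool {
	p := x509.NewCertPool()
	p.AddCert(ca)
	return p
}

// startServer listens on loopback and demands a client certificate chaining to ca.
// An authenticated client gets one greeting line naming the certificate's subject.
func startServer(ca, srv *x509.Certificate, srvKey *ecdsa.PrivateKey) (string, error) {
	cfg := &tls.Config{
		Certificates: []tls.Certificate{{Certificate: [][]byte{srv.Raw}, PrivateKey: srvKey}},
		ClientAuth:   tls.RequireAndVerifyClientCert, // the certificate second factor
		ClientCAs:    poolFor(ca),
	}
	ln, err := tls.Listen("tcp", "127.0.0.1:0", cfg)
	if err != nil {
		return "", err
	}
	go func() {
		for {
			conn, err := ln.Accept()
			if err != nil {
				return
			}
			go func(tc *tls.Conn) {
				defer tc.Close()
				if err := tc.Handshake(); err != nil {
					return // unauthenticated peer: no application data is ever sent
				}
				fmt.Fprintf(tc, "hello %s\n", tc.ConnectionState().PeerCertificates[0].Subject.CommonName)
			}(conn.(*tls.Conn))
		}
	}()
	return ln.Addr().String(), nil
}

// connect dials addr, presenting clientCert when non-nil, and returns the greeting.
// A rejected client certificate may only surface on the first Read (TLS 1.3).
func connect(addr string, ca *x509.Certificate, clientCert *tls.Certificate) (string, error) {
	cfg := &tls.Config{RootCAs: poolFor(ca)}
	if clientCert != nil {
		cfg.Certificates = []tls.Certificate{*clientCert}
	}
	conn, err := tls.Dial("tcp", addr, cfg)
	if err != nil {
		return "", err
	}
	defer conn.Close()
	conn.SetDeadline(time.Now().Add(5 * time.Second))
	return bufio.NewReader(conn).ReadString('\n')
}

// Demo issues the certificates, starts the server and tries three clients: a valid
// cert, no cert, and a cert for the same name issued by an untrusted CA.
func Demo() (greeting string, okNoCert, okForeignCA bool, err error) {
	ca, caKey, err := issueCert("demo-ca", true, nil, nil)
	if err != nil {
		return
	}
	srv, srvKey, err := issueCert("bank", false, ca, caKey)
	if err != nil {
		return
	}
	alice, aliceKey, err := issueCert("alice", false, ca, caKey)
	if err != nil {
		return
	}
	rogueCA, rogueKey, err := issueCert("rogue-ca", true, nil, nil)
	if err != nil {
		return
	}
	mallory, malloryKey, err := issueCert("alice", false, rogueCA, rogueKey) // same name, wrong CA
	if err != nil {
		return
	}
	addr, err := startServer(ca, srv, srvKey)
	if err != nil {
		return
	}
	greeting, err = connect(addr, ca, &tls.Certificate{Certificate: [][]byte{alice.Raw}, PrivateKey: aliceKey})
	if err != nil {
		return
	}
	_, e1 := connect(addr, ca, nil)
	_, e2 := connect(addr, ca, &tls.Certificate{Certificate: [][]byte{mallory.Raw}, PrivateKey: malloryKey})
	return greeting, e1 == nil, e2 == nil, nil
}

func main() {
	g, noCert, foreign, err := Demo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("valid cert: %q; accepted without cert: %v; accepted with foreign-CA cert: %v\n", g, noCert, foreign)
}
```

The point of the third attempt is that the password-style weakness (guessing a name) does not transfer: the server never consults the subject name, only whether the chain ends at its own CA. In a real deployment the private key would sit in the OS certificate store or on a smart card as the thread discusses, and the server would still check the password on top of the TLS-level identity.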




