Yes, if you don't control the hardware at the user's end, the only factor you can get is "something you know".

All the things around improving web authentication are just about people not having to memorize that something you know and protecting it against eavesdroppers.