Google has been pushing FIDO U2F alongside their Advanced Protection scheme. I was a beta tester of this stuff years ago and I'm generally impressed. The ten-second summary is that the U2F gadget interacts with your browser and does some sort of public-key crypto on a per-website basis, so there's no credential that one website can get that's useful for attacking you on another website.

The banking world hasn't adopted it at all, so far as I can tell, but they really should.
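
The per-website key scheme summarized above, sketched as an added example (not part of the original comment and not code from any FIDO implementation). It is a simplified model: the `Token` type, the origins and the challenge are constructed for illustration, and a real U2F device also signs a counter and a user-presence flag.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Token is a simplified U2F device (assumption: one stored P-256 key per origin).
type Token struct{ keys map[string]*ecdsa.PrivateKey }
func NewToken() *Token { return &Token{keys: map[string]*ecdsa.PrivateKey{}} }

// digest binds the server's challenge to the origin the browser reports.
func digest(origin string, challenge []byte) []byte {
	app := sha256.Sum256([]byte(origin))
	sum := sha256.Sum256(append(app[:], challenge...))
	return sum[:]
}
// Register creates a fresh key pair for origin; the site stores the public half.
func (t *Token) Register(origin string) (*ecdsa.PublicKey, error) {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	t.keys[origin] = k
	return &k.PublicKey, nil
}
// Sign answers a challenge using only the key registered for origin.
func (t *Token) Sign(origin string, challenge []byte) ([]byte, error) {
	k, ok := t.keys[origin]
	if !ok {
		return nil, fmt.Errorf("no key registered for %s", origin)
	}
	return ecdsa.SignASN1(rand.Reader, k, digest(origin, challenge))
}
// Verify is the site's check against its own origin and stored public key.
func Verify(pub *ecdsa.PublicKey, origin string, challenge, sig []byte) bool {
	return ecdsa.VerifyASN1(pub, digest(origin, challenge), sig)
}

func main() {
	t, ch := NewToken(), []byte("constructed-challenge")
	bank, _ := t.Register("https://bank.example")
	t.Register("https://other.example")
	good, _ := t.Sign("https://bank.example", ch)
	other, _ := t.Sign("https://other.example", ch)
	fmt.Println(Verify(bank, "https://bank.example", ch, good), Verify(bank, "https://bank.example", ch, other))
}
```

A response produced for one origin fails verification at another because both the key and the signed origin hash differ, so a site that captures it has nothing it can replay elsewhere.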