Board: Bitcoin Discussion
Re: an idea for easy two-factor authentication (Attn: Mt.Gox)
by willphase on 04/07/2011, 23:43:02 UTC
Quote
(1) To set up my 2-factor login, I send you a string of 260 symbols, to be interpreted as a passcard with 10 rows (0-9) and 26 columns (A-Z). 

Relies on sending the one-time pad to the user, which an evil eavesdropper could intercept and use to log in from that point on.

This is the problem with a shared secret, and why public key cryptography, which allows a shared secret to be securely exchanged between two parties without an eavesdropper being able to determine it, is used nowadays.

The more secure cryptographic equivalent of your idea is to issue the user a client certificate, and for them to store this client certificate in a secure password-protected certificate store. I think one exchange is doing this already.

Will
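
The point made in the reply above, as an added example that is not part of the original post: a passive listener who copies the 260-symbol setup string answers every later passcard challenge, while a Diffie-Hellman exchange puts only public values on the wire. The function names, the symbol alphabet, the row-major card layout and the toy group `P`, `G` are all assumptions made for illustration.

```python
import hashlib, hmac, secrets, string

ROWS, COLS = "0123456789", string.ascii_uppercase  # 10 rows x 26 columns = 260 cells
ALPHABET = string.ascii_lowercase + string.digits  # assumed symbol set
P, G = 2**127 - 1, 3  # toy Diffie-Hellman group (assumption); far too small for real use

def new_passcard():
    """The 260-symbol setup string from the quoted proposal."""
    return "".join(secrets.choice(ALPHABET) for _ in range(len(ROWS) * len(COLS)))

def cell(card, coord):
    """Look up one cell: 'C7' means column C, row 7 (row-major layout assumed)."""
    return card[ROWS.index(coord[1]) * len(COLS) + COLS.index(coord[0])]

def respond(card, challenge):
    return "".join(cell(card, c) for c in challenge)

def verify(card, challenge, response):
    return hmac.compare_digest(respond(card, challenge), response)

def dh_keypair():
    priv = secrets.randbelow(P - 3) + 2  # private exponent in [2, P-2]
    return priv, pow(G, priv, P)

def dh_shared(priv, peer_pub):
    return hashlib.sha256(pow(peer_pub, priv, P).to_bytes(16, "big")).digest()

def passcard_eavesdropped():
    """Setup string crosses the wire; a passive listener keeps a copy."""
    card = new_passcard()
    wire = [card]  # everything the eavesdropper saw (constructed capture)
    challenge = [secrets.choice(COLS) + secrets.choice(ROWS) for _ in range(3)]
    return verify(card, challenge, respond(wire[0], challenge))

def dh_eavesdropped():
    """Only public values cross the wire; both ends still agree on a key."""
    a_priv, a_pub = dh_keypair()
    b_priv, b_pub = dh_keypair()
    wire = [a_pub, b_pub]
    same_key = hmac.compare_digest(dh_shared(a_priv, b_pub), dh_shared(b_priv, a_pub))
    secret_on_wire = a_priv in wire or b_priv in wire
    return same_key, secret_on_wire

if __name__ == "__main__":
    print("eavesdropper passes passcard login:", passcard_eavesdropped())
    print("DH keys match, private value on wire:", dh_eavesdropped())
```

Unauthenticated Diffie-Hellman only defeats a passive eavesdropper; the client certificate suggested in the post is what ties the key to a specific user.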