(1) To set up my 2-factor login, I send you a string of 260 symbols, to be interpreted as a passcard with 10 rows (0-9) and 26 columns (A-Z).
relies on sending the one time pad to the user, which evil eavesdropper could intercept and use to login from that point on.
this is the problem with a shared secret, and why public key cryptography, which allows a shared secret to be securely exchanged between two parties without an eavesdropper being able to determine it, is used nowadays.
The more secure cryptographic equivalent of your idea is to issue the user a client certificate, and for them to store this client certificate in a secure password protected certificate store. I think one exchange is doing this already.
Will
True, this does not provide a 100% secure alternative. It is a quick-n-dirty alternative that provides a little less than 100% of the value, in exchange for a lot of practical benefits.
Maybe it shouldn't be called 2-factor authentication, to avoid any possible confusion. Maybe it should just be called something generic, like "extra password protection", with no theoretical guarantees. (*)
I do think the benefits are significant though, since almost all break-in attempts will occur afterwards. The fact that some 15-year old h4ckzorz in Minsk can't be taking pot-shots at your account password seems to be worth something...
(*) "In theory, there's no difference between theory and practice. In practice, there is."