Board: Bitcoin Discussion
Re: The new BitID Authentication System
by franky1 on 08/05/2014, 05:22:26 UTC
OpenID had a great buzz ~5 years ago, but never reached full mainstream usage (with the possible exception of Google products)
BitID sounds great, but will it be easy enough to use for most people?

Well, my last post was just to inform you that giving a privkey to a website is risky: even if it is unused for funding, that website can keep the privkey and then invade other websites (phishing tactic).

The message signing is not risky, as no privkey is handed over, and each time you log in the random message you have to sign will be different, kind of like a 'captcha' and an address validation message all rolled into one.

But whether it's practical... well, here are some flaws:
1. Average Joe has no client app and only uses blockchain.info or a webwallet. The webwallet needs signature verification, but he can't sign a message until he gets into his wallet to play with the features inside the webwallet.
2. It requires a wallet app on Average Joe's computer, meaning people don't just type in a username and password; they have to open their wallet client, click a couple of buttons to get to the 'sign message' feature and then type in the 'captcha' to sign it before pasting it back in. This can seem more secure, yet more complex than just receiving an email with a 6-8 digit code (email 2FA).

Maybe the solution is having options:
1-factor logon: username and password
2-factor login: username and password + (email/Google Authenticator)
3-factor login: username and password + (email/Google Authenticator) + address message signing

where novices playing with under $50 can 'risk' 1 factor, and those with larger amounts can decide which level of security they want, dependent on laziness, the amount they wish to secure, paranoia, etc.