Because once the keys are generated and stored on the user side, and likelihood of their compromising is much higher than the one-time code generated repeatedly by a certain algorithm.
I think that for secure all means are good, and service need provide users ability to use all of them, for example, in realization one project we using digital pin+ master password, two-factor authentication and multisig, and it really safe