The reason I want to use 2FA is simple. Users are not able to choose a secure password and store it in a safe way. Therefore the "something they know" aspect isnt safe enough in my oppinion. Something they have, their mobile phone is much more likely to be kept secure, and disabled if stolen.

There are no banks in Norway that does not use 2FA, most uses tokens, but as a free service this is unlikely. Some other banks i Norway uses pre defined passwords that you get in the mail on a paper, and some uses one time passwords sent to your mobile phone.
As I wrote I plan to add YubiKey support for users that want to buy one, but for the rest I need an alternative method.

My website has offcorse a valid certificate but this does not help me identifying the users. A client certificate is an option, but I still have a problem issuing theese. They are also unpratical because my service will be used from all the users locations. Home, work and probaly computers that don't belong to them.