The raw truth of it is that a massive number of people reuse passwords that have been leaked in any of the hundreds of data breaches which have occured over the years. Passwords are simply not a secure form of authentication in $CURRENTYEAR. What are the alternatives?
Fancy stuff like smartcards for TLS client certificate authentication is not really an option because support by browser is horrendous.
This leaves you with TOTP as a second factor and push notifications.
I recently started to see websites with no authentication mechanism. You declare your identity and you receive an email with the next instructions (either a temporary link to log you in, or a random string to paste in the login form).
That last authentication method is my current favorite, but it has some privacy drawbacks, because it requires the user to disclose an email address. On the other hand, SourceHut is already heavily oriented toward an email workflow, so this might not be a problem.