The
other answers touch on why having two - factor
auth or some
other additional system is not worth it compared to simple reactive systems (cancelling lost cards, reversing fraudulent charges etc), but it should also be noted that this goal can be achieved with a method similar to what you describe.