I would suggest user+pass by default, email 2FA or RFC 6238 for extra security. Both the server operator and the client user should have the option of forcing the one-time pass, every attempt or every attempt from an unknown IP. These preferences would be stored server-side.
The client should never send or store a raw password, only an encrypted password hash and/or session token.
~Max
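
The scheme suggested in the post above, sketched as an added example that is not part of the original post or any project's code: RFC 6238 TOTP verification plus the "every attempt" / "unknown IP" policy check. The policy constants, the `account` record layout, the `password_ok` flag, the "stricter setting wins" rule and the ±1 step window are assumptions made for illustration.

```python
import hashlib, hmac, struct, time

# Policy levels from the post: OTP on every attempt, or only from unknown IPs.
OFF, UNKNOWN_IP, ALWAYS = 0, 1, 2  # hypothetical names

def totp(secret: bytes, at: float, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1) using RFC 4226 dynamic truncation."""
    counter = struct.pack(">Q", int(at) // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def verify_totp(secret, submitted, at, window=1, step=30, digits=6):
    """Accept codes within +/- `window` time steps; compare in constant time."""
    ok = False
    for drift in range(-window, window + 1):
        expected = totp(secret, at + drift * step, step, digits)
        ok |= hmac.compare_digest(expected.encode(), submitted.encode())
    return ok

def otp_required(operator_policy, user_policy, client_ip, known_ips):
    """Either party can force the OTP, so the stricter setting applies (assumption)."""
    effective = max(operator_policy, user_policy)
    if effective == ALWAYS:
        return True
    if effective == UNKNOWN_IP:
        return client_ip not in known_ips
    return False

def login(account, client_ip, password_ok, otp=None, now=None):
    """Return 'ok', 'otp_required' or 'denied'. `account` is the server-side record."""
    now = time.time() if now is None else now
    if not password_ok:
        return "denied"
    if otp_required(account["operator_policy"], account["user_policy"],
                    client_ip, account["known_ips"]):
        if otp is None:
            return "otp_required"
        if not verify_totp(account["totp_secret"], otp, now):
            return "denied"
    account["known_ips"].add(client_ip)  # remember the IP only after full success
    return "ok"
```

A production version would also reject reuse of an already accepted code within its validity window, which this sketch does not track.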