IMO signing with an extension or nsecbunker would be best.  I think there's a NIP for HTTP auth using Nostr.

The 2FA scheme with npub+DM makes sense to me.  It's an extra step to log in, but it would work with whatever Nostr client the user is familiar with already.

Easiest flow would have the DM give a link that authenticates and redirects to the home page of nostr.build, so the user doesn't have to copy-paste or remember a one-time code.