Brad Ideas: Crazy ideas, inventions, essays and links from Brad Templeton
The phishers are past your stage 1
Current phishing technology will successfully emulate all of the simpler approaches. A stage 1 that requires no cooperation between both sides won't work. It is at best an entertaining coffee hour pastime. At worst, people will think that they are actually protecting themselves and behave unsafely out of ignorance. SSL is the only widely implemented mutual cooperation approach that will defeat MIM phishing. (Others exist, but are not widely implemented.)
So you need to decide whether phishing is enough of a problem that you ask everyone to make changes. My proposal is not "no login"; it is "no automatic assistance to phishable login". That is more than your stage 1. It does pressure both sides to change. It does not prevent manual login by retyping the password every time.
If your protection needs are so low that phishing protection is not needed, you can offer an equally effective automation using site specific login cookies. Don't pretend that you have security when you don't have security.
For high value transactions, the attacks of today will change into endpoint attacks instead of MIM phishing attacks. You already see some of this as attackers keep advancing. The attacker modifies the browser or OS. It then either gathers information or piggybacks unauthorized transactions on top of valid transactions. SSL does not interfere with these attacks because it protects the transit from browser to server. It does not protect the browser.
Protecting transit is still valuable. The malicious wireless access point is now commonplace in public places like convention centers. It is so cheap that I expect it to remain common because it only takes 1% of the public being foolish to recover the cost to the criminal.
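The comment's proposal, "no automatic assistance to phishable login", amounts to binding stored credentials to the exact origin they were saved for and refusing to release them anywhere else. The following is an added example written for this page, not code from the blog or the commenter: a small credential store keyed on (scheme, host, port), with a decision function that only autofills on an exact HTTPS origin match and reports why it refused otherwise. The store contents, hostnames and helper names are constructed for illustration. As the comment notes, this defends against MIM and lookalike phishing, not against a compromised browser or OS.

```python
from urllib.parse import urlsplit

# Constructed credential store: full origin -> (username, password).
# Keying on the whole origin is what makes the assistance "site specific".
CREDENTIAL_STORE = {
    ("https", "bank.example", 443): ("alice", "correct horse battery staple"),
}

DEFAULT_PORTS = {"https": 443, "http": 80}


def normalize_origin(url):
    """Return (scheme, host, port) for url, or None if no usable origin."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = parts.hostname  # already lowercased by urlsplit
    if scheme not in DEFAULT_PORTS or not host:
        return None
    try:
        port = parts.port or DEFAULT_PORTS[scheme]
    except ValueError:  # non-numeric or out-of-range port
        return None
    return (scheme, host.rstrip("."), port)


def autofill_decision(page_url, store=CREDENTIAL_STORE):
    """Return (credentials_or_None, reason).

    Credentials are released only on an exact HTTPS origin match. Every other
    branch returns None; the reason string is for logging/telemetry so the
    operator can see which phishing pattern was caught.
    """
    origin = normalize_origin(page_url)
    if origin is None:
        return None, "unparseable origin"
    if origin[0] == "https" and origin in store:
        return store[origin], "exact origin match"
    scheme, host, port = origin
    for s_scheme, s_host, s_port in store:
        if host == s_host and scheme != s_scheme:
            # http://bank.example after a TLS-stripping proxy
            return None, "scheme mismatch (likely TLS-stripping downgrade)"
        if host == s_host and port != s_port:
            return None, "port mismatch"
        if host.endswith("." + s_host) or s_host.endswith("." + host):
            # login.bank.example: related, but not the origin we saved
            return None, "related host but not the stored origin"
        if host.startswith(s_host + "."):
            # bank.example.evil.example: stored host used as a decoy prefix
            return None, "stored host used as a prefix of another domain"
    return None, "unknown origin"


if __name__ == "__main__":
    for url in [
        "https://bank.example/login",
        "https://BANK.example/login",
        "http://bank.example/login",
        "https://bank.example.evil.example/login",
        "https://login.bank.example/",
        "https://bank.example:8443/",
        "https://bank-example.test/",
    ]:
        creds, why = autofill_decision(url)
        print(f"{url:45s} -> {'FILL' if creds else 'refuse':6s} ({why})")
```

The user can still type the password by hand on any page, which matches the comment's point that the proposal does not forbid manual login; it only withholds the automation that a proxying phisher would otherwise get for free. Unicode homograph hosts fall out naturally: they never equal the stored ASCII host, so they land in "unknown origin".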