It is all bananas. The old way with a local key on the computer and some silly Java program, a physical dongle to validate transactions with a number printed on a display, was way more fool proof.
Then the banks wanted you to use the dongle to verify yourself on phone and it all went downhill from there.
Then the banks wanted you to use the dongle to verify yourself on phone and it all went downhill from there.