
In the Netherlands we used to have dongles or card readers for all online banking, but we are now downgrading to apps, 5-digit number codes and 2FA without an external device. This is all for ease of use, but I think from a security standpoint it's not the right direction to go. For instance, in an app you can't view the certificate and whether or not the connection is secure. If you are in a foreign country with dubious leadership, it could be hijacked using a rogue SIM card or some dictator-driven root CA (looking at you, Kazakhstan).

The worst offender is ING: you can set a payment limit in the app, but then you can also change the payment limit in the app itself. If I take a nap on the train, you can drain my bank account by pressing my thumb on the reader.


