
As I understand it, the thing with "click the number" codes is that it is a protection against keyloggers. The numbers are usually scrambled and when you click on one, you don't send the code but the position of the numbers you clicked. So for someone to get your code, they need both a screen capture and the positions of the mouse clicks.

So 6 digits is low entropy, but it is compensated by a few layers of security. I don't know in practice how effective it is against passwords. I have seen it done in several banks, insurance companies, etc., including online banks. So I guess that it is not that bad. Most discourage SMS/email second factor in favor of their apps though. The physical fob is probably a hassle for them, so they will try to push you to other solutions, usually an app.
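The scrambled-keypad scheme described above, as an added example that is not from the thread or from any bank's implementation: the server issues a fresh permutation of the ten digits per login attempt, the client sends only the on-screen positions clicked, and the server maps them back. The layout string, PIN and function names are constructed for illustration.

```python
import secrets

DIGITS = "0123456789"


def new_keypad_layout():
    """Server side: a fresh random permutation of the ten digits for one login
    attempt. Index = on-screen position, value = the digit drawn there.
    Uses a secrets-based Fisher-Yates shuffle; random.shuffle is not a CSPRNG."""
    layout = list(DIGITS)
    for i in range(len(layout) - 1, 0, -1):
        j = secrets.randbelow(i + 1)
        layout[i], layout[j] = layout[j], layout[i]
    return "".join(layout)


def positions_for_pin(layout, pin):
    """Client side: the browser submits the position of each click, never the
    digit. A click logger that lacks the screen contents sees only these."""
    return [layout.index(d) for d in pin]


def decode_positions(layout, positions):
    """Server side: map submitted positions back to digits using the layout
    it issued for this attempt. Out-of-range positions are rejected."""
    if any(not 0 <= p < len(layout) for p in positions):
        raise ValueError("position out of range")
    return "".join(layout[p] for p in positions)


def verify_pin(layout, positions, expected_pin):
    """Constant-time comparison of the decoded PIN. Note the scrambling hides
    the digits from a click logger but does not add entropy to a 6-digit PIN;
    attempt limits and lockout are still required on the server."""
    return secrets.compare_digest(decode_positions(layout, positions), expected_pin)


if __name__ == "__main__":
    layout = new_keypad_layout()          # sent to the client with the login page
    clicks = positions_for_pin(layout, "492015")  # constructed sample PIN
    print("layout:", layout, "clicks:", clicks,
          "ok:", verify_pin(layout, clicks, "492015"))
```

Replaying positions captured in one session against the next session's layout decodes to a different digit string, which is the property the comment describes.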



Yup, keylogger defense. I've seen a system with a full virtual keyboard to let you type anything without hitting a key, explicitly as a security measure. Fixed keyboard, though; I've never seen one with randomized targets. Capturing everything would be an awful lot of data for malware to export, so I don't think screen capture is much of a risk.



