
Ignorant American question... in not-in-person transactions, how do they make sure that the one-time code/certificate goes to John, not just someone claiming to be John? Is there some centralized password issuer/validator that can only be reset in person?



Here in Austria there is a free phone app (Handysignatur) that allows you to authenticate to a variety of services. It's a two factor system, so someone would need to steal both your phone and your password to impersonate you. For initial activation, you need to go to a government office and show your passport to verify your identity.

It's mostly used to log into government services, but you can also use it to digitally sign arbitrary PDFs.

Banks have their own system where you need an app from the bank to confirm your identity when logging into your bank account or to authorize payments.

As far as I know, identity theft is really not much of an issue here. The biggest weakness is phishing (e.g. people could call pretending to work for your bank, asking you to confirm something on your phone app).


Here in Germany you either get some username and password in person, set up an app for 2FA, or sometimes you get two different letters (one with the username and another one with the password). I guess so that it is slightly more difficult to intercept both.

For a few services if you forget the password you get the letters again.



