
> Hardware tokens cost money

All your excellent examples will dwarf mine, but I'll still tell it as a very cheap medium:

When I was at Fortis Luxembourg, the bank gave me a passive token: A card with a few dozen digits on it. At each login it would request 3 of those along with the password.

The key point of this is, it never transmitted the full key over the wire. So someone who intercepted the communication could never rebuild my full password.

Cost for the bank? A few cents. Security? The best I ever had from banks.

> Security? The best I ever had from banks.

I'm baffled. In Germany, the chipTAN method [1] [2] is pretty standard, which uses the bank card as a cryptographic element. And usually, German IT seems to be years behind the industry standard (e.g. I don't know a popular German e-mail provider that offers 2FA.)

[Edit] This is the best thing about chipTAN: Even if the computer is subverted by a trojan, or if a man-in-the-middle attack occurs, the TAN generated is only valid for the transaction confirmed by the user on the screen of the TAN generator, therefore modifying a transaction retroactively would cause the TAN to be invalid. [/Edit]

[1] In action: https://www.youtube.com/watch?v=5gyBC9irTsM&t=41s

[2] https://en.wikipedia.org/wiki/Transaction_authentication_num...
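The property described above (a TAN that is only valid for the exact transaction the customer confirmed on the generator) comes down to a keyed MAC over the transaction fields. The following is an added illustration, not code from the thread or from any bank: it assumes a shared card secret `CARD_KEY` (constructed for the demo; real chipTAN derives its codes through the EMV CAP mechanism in the card, which is not reproduced here) and uses HMAC-SHA256 with HOTP-style truncation so that a man-in-the-middle who rewrites the amount or recipient ends up with a TAN the bank rejects.

```python
import hashlib
import hmac

# Constructed demo secret standing in for the key inside the bank card (assumption:
# in real chipTAN the card computes the code via EMV CAP; this only models the idea).
CARD_KEY = bytes.fromhex("000102030405060708090a0b0c0d0e0f")
TAN_DIGITS = 6


def canonical_transaction(recipient: str, amount_cents: int, counter: int) -> bytes:
    """Serialise exactly the fields the customer sees and confirms on the generator."""
    return f"{recipient}|{amount_cents}|{counter}".encode()


def generate_tan(key: bytes, recipient: str, amount_cents: int, counter: int) -> str:
    """Card side: MAC over the confirmed transaction, truncated to a short decimal code."""
    mac = hmac.new(key, canonical_transaction(recipient, amount_cents, counter),
                   hashlib.sha256).digest()
    # Dynamic truncation as in RFC 4226 (HOTP) so the result is a usable 6-digit TAN.
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % 10 ** TAN_DIGITS).zfill(TAN_DIGITS)


def verify_tan(key: bytes, recipient: str, amount_cents: int, counter: int, tan: str) -> bool:
    """Bank side: recompute the TAN over the transaction it actually received."""
    expected = generate_tan(key, recipient, amount_cents, counter)
    return hmac.compare_digest(expected, tan)


def tampering_demo() -> tuple[bool, bool]:
    """Customer confirms one transfer; a MITM rewrites it before it reaches the bank.

    Returns (bank accepts the confirmed transaction, bank accepts the rewritten one).
    """
    # Constructed sample transaction (IBAN is the well-known documentation example).
    recipient, amount_cents, counter = "DE89370400440532013000", 12500, 7
    tan = generate_tan(CARD_KEY, recipient, amount_cents, counter)

    legit_ok = verify_tan(CARD_KEY, recipient, amount_cents, counter, tan)
    # The attacker can only replay the TAN the customer produced; the fields differ,
    # so the bank's recomputation does not match.
    tampered_ok = verify_tan(CARD_KEY, "DE02120300000000202051", 999_99900, counter, tan)
    return legit_ok, tampered_ok


if __name__ == "__main__":
    print(tampering_demo())  # (True, False)
```

The counter field plays the same role as the card's transaction counter: it stops a captured TAN from being replayed for an identical later transfer.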


So the chipTAN generator reads the details of the transaction optically, and then you just confirm them?

Pretty clever. On my chipTAN (Belgium, ING) I have to enter the number by hand (part of the account# of recipient, amount).

On the positive side, mine does ask for a PIN before generating the TAN, so it is probably a bit more secure (balanced with wear of the keys on the TAN generator, of course - so it is arguable which one is better).


Unfortunately, that sort of static information frequently is targeted for phishing. The bank can keep telling people that they will never ask for all the codes at once, but some subset of customers will happily comply with such a request in a badly written email.

Mind you, dynamic 2FA frequently only narrows the time window in which phishing is effective. Even with transaction-based 2FA, you'd need people to actually read the text message the bank sends them with the transaction authorisation code.
