In the UK there appears to be a law which requires the “calculator style” thingy for all business accounts, for setting up a new payee.
At least some banks use it for all logins, which is irritating (and pointless, from the robbery POV) because you have to carry it with you on holiday, or leave it with someone you trust who can generate the code for you.
IMHO this is an example of “anything” being solvable by extra misery for the user. For example one UK bank I started with a couple of years ago froze your account and any other account you had with them e.g. your business account if you accessed them from a non-UK IP. It doesn’t take an MBA from the University of Upper Warlingham (the usual career progression prerequisite today) to realise that you will discover this when you are on holiday! I kicked up a huge stink over this and they told me this is standard but they remove it if somebody complains. I have several UK-terminated VPNs for this and other reasons but that is beyond most people’s tech expertise (or the desire to waste their life on).
As I’ve written before, the nastiest fraud, and easy to do, is the “here are our new bank details” fake email.
