My UK bank had a hardware token for years. They recently "upgraded" my security for online banking, and now use SMS 2FA codes for login and authorising new transfers. The hardware token is now unusable.
I'd change banks, but I doubt the others are better.
HSBC did this to me as well. The battery had died in my old token so I had to jump through so many hoops as the default assumption seemed to be that the customer would have a working token to set up the 2FA.
To send money over £250, RBS still use hardware card readers for their MFA flow. You put your debit/credit card in the device, enter your normal pin and then a code that is displayed on the website. It's a little inconvenient if you don't have the device with you when you need to send large amounts of money but in general it's great to have rather than SMS.
Of course, I expect that eventually they'll move to SMS too since it's easier for them and more in line with the rest of the industry.
Under the new EU rules 2FA over SMS is not allowed because it is possible to transfer phone numbers to other devices (through social engineering or simply because providers reuse old numbers) and thereby intercept the code. Instead most banks use an authentication app so that 2FA is bound to a single device.
They are better. One of my banks offers a hardware token which requires my card to be physically present and for a correct PIN to be entered. The other has an app with push notifications which can be used to approve or deny transactions.
Aye, that's what they used to use. Great News! Now I don't have to remember to have my card reader and I can use app, SMS or email to get codes instead. Err WTF? Apparently these changes help protect my accounts from fraud better, or some similar Orwellian doublespeak.
I did wonder if it was some unintended consequence of the EU banking interop changes, but that didn't seem especially convincing. OK, changing bank it is then. At least it's so much easier than it used to be. :)
I hate hardware tokens. Recently got one from my bank. I'm switching banks. I just don't see any advantage over a phone app (plus a phone app can offer better notifications).
Yes, but then it's not 2FA, it's notifications in the app you're probably using for banking, so now it's 1FA.
That's fine for sending £100 to an account already in your list of payees, but to set up a new account, where's the second factor in an app? That, to me, seems a large step backwards.
Well, you need (1) my phone and (2) my fingerprint, so technically it is 2FA. They could easily require (1) my password and (2) my phone, so still 2FA.
2FA is usually fake anyways, there's usually a way to reset stuff with only one factor (e.g. use phone number to reset password, or login with password and change phone number, ... same with PIN), so it's all a misnomer anyways.