
> Last time I needed a new token issuer dongle, I had to actually visit the bank and sign stuff.

I'm glad UK banks try to avoid physical dongles, because having to go to the bank and sign stuff to get one is not always convenient, not to mention you need to carry the dongle around everywhere, and if you lose it while you're on vacation it's yet more trouble.

Phone 2FA would be good but a bit pointless because the 2FA app is on the phone, and so is the banking app. Personally I'm satisfied with the way UK banks handle security - it's secure, they block suspicious transactions, etc. yet it doesn't get too much in your way.

I don't think UK banks are less competent, it's just a fine balance between usability and security.



> Phone 2FA would be good but a bit pointless because the 2FA app is on the phone, and so is the banking app.

This is exactly like having a physical token with you. If it gets stolen, they have the tokens. But, at least, having the token in the phone app is way more convenient for customers and also has another layer of protection (think of the fingerprint/passcode etc. you need to access your phone).


Over here in EU land the mobile identifier app is PIN-protected. Think Google Authenticator but with a PIN to access the tokens.

You need my phone unlocked and my six-digit PIN in order to identify as me.

There are still possible social engineering attacks, though.


Yes, I actually am in EU land myself, and I forgot about that.


I don't think having 2FA in a phone app is pointless. It's still a second factor: if someone got into your bank account, they need to get access to that 2FA app as well. And of course you protect that app with a password/PIN. Do you know of cases where a 2FA app was defeated when someone stole money from a bank account?


What I mean is that if a user has access to my bank's mobile app on my phone, they also have access to the Google Authenticator app. With Lloyds, the app is locked by fingerprint or password, which in this particular scenario is actually more secure.


The phone 2FA app asks you to verify the action, and you input your PIN.

My bank's hardware token also needs a PIN before it generates a one-time code.

Some bank tokens just give you the code when you press a button, though. Those you have to worry about if stolen.


> Phone 2FA would be good but a bit pointless because the 2FA app is on the phone, and so is the banking app.

Can't you just lock the stolen phone?



