Like, it was way better.
I use a hardware thingy that I put my Dutch bank card into that generates numbers for logins and purchases. I have the option of using an app or the hardware card reader.
I use a one-time password generating hardware keyfob to log in to the Dutch Belastingdienst. They require it and I don't think there is an app I can use for this purpose.
Danish banks, because they use the national MitID authorisation, accept MFA via app, code generator, or a chip device:
https://www.mitid.dk/en-gb/get-started-with-mitid/mitid-auth...
I'm confused, that seems like it confuses two independent aspects:
1. Whether the TOTP code comes from a fob-device versus a phone-device.
2. Whether some interactive interface you're using gives you a chance to see/confirm what you're about to authorize or not.
A phone app can lie to you about the transaction you're about to authorize regardless of whether the TOTP code was transcribed from an external device, transcribed from another app on the same phone, or auto-filled by itself.
The threat model is: malicious actor posing as the bank website, but legitimate keyfob or legitimate app. With the keyfob, the website intercepts a valid password and a valid 2FA code; with the app, nothing happens because it doesn't receive push data from the true bank.
I hope it is more clear now!
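The verifier's view of the threat model in the last comment, as an added example that is not part of the thread: a TOTP check takes only the shared secret and the clock as input, so the bank cannot tell on which page the code was typed, while a response computed over the origin fails when it was produced on a different site. The origin-bound authenticator, both origins, and the nonce are assumptions constructed for contrast and do not describe how the keyfob or bank apps mentioned above work.

```python
import hashlib, hmac, struct

SECRET = b"12345678901234567890"          # RFC 6238 test secret, not a real key
BANK = "https://bank.example"             # constructed origin of the real bank
LOOKALIKE = "https://bank-login.example"  # constructed origin of the impostor page

def truncate(mac: bytes, digits: int) -> str:
    """RFC 4226 dynamic truncation of an HMAC to a decimal code."""
    off = mac[-1] & 0x0F
    num = struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF
    return str(num % 10 ** digits).zfill(digits)

def totp(secret: bytes, now: int, digits: int = 6, step: int = 30) -> str:
    """RFC 6238 TOTP (HMAC-SHA1): depends only on the secret and the clock."""
    mac = hmac.new(secret, struct.pack(">Q", now // step), hashlib.sha1).digest()
    return truncate(mac, digits)

def bank_accepts_totp(code: str, now: int, drift: int = 1) -> bool:
    """Bank-side check. No input says where the user typed the code."""
    return any(hmac.compare_digest(totp(SECRET, now + d * 30), code)
               for d in range(-drift, drift + 1))

def bound_response(secret: bytes, origin: str, challenge: bytes) -> str:
    """Hypothetical authenticator: the MAC covers the origin the user is on."""
    msg = origin.encode() + b"\x00" + challenge
    return truncate(hmac.new(secret, msg, hashlib.sha256).digest(), 8)

def bank_accepts_bound(resp: str, challenge: bytes) -> bool:
    """Bank recomputes over its own origin, so a response made elsewhere fails."""
    return hmac.compare_digest(bound_response(SECRET, BANK, challenge), resp)

def demo() -> dict:
    now, challenge = 59, b"constructed-nonce"   # 59 is an RFC 6238 test time
    code = totp(SECRET, now)                    # what the user reads off the fob
    on_bank = bound_response(SECRET, BANK, challenge)
    on_lookalike = bound_response(SECRET, LOOKALIKE, challenge)
    return {
        "totp_typed_on_bank_site": bank_accepts_totp(code, now),
        "totp_typed_elsewhere_seen_20s_later": bank_accepts_totp(code, now + 20),
        "totp_seen_5min_later": bank_accepts_totp(code, now + 300),
        "bound_made_on_bank_site": bank_accepts_bound(on_bank, challenge),
        "bound_made_on_lookalike": bank_accepts_bound(on_lookalike, challenge),
    }

if __name__ == "__main__":
    for name, accepted in demo().items():
        print(f"{name}: {accepted}")
```

The only thing limiting reuse of the plain TOTP code is the time window, which is why the second entry is still accepted and the third is not.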