Recently in Germany many banks introduced a new "security" feature that allows you to receive your TANs per SMS in order to do online transactions. The TANs are sent in plain text.
All you need is a UMTS receiver and a way to analyze the data, e.g., a software-defined radio implemented on an FPGA.
Isn't this more secure than having nothing?
There is a large additional cost to the wrongdoers in that they have to get close to you (even if they know your home address, how do they know you and your phone are home?). Seems like a deterrent when you could be running credit card phishing sites for less work per victim.
And you would still get the intercepted text; the ones I get from my bank in Australia suggest contacting them immediately if you didn't request the token.
My bank (Landesbank BW) gives you hardware (looking a little like a calculator) where you, for example, type in the bank-number of a person to whom you send money and then it'll calculate some PIN for that action.
We had both (both the original TAN list, where every number could be used just once and invalidated all previous numbers on the list, and the iTAN system).
I prefer the token thingy my bank gave me. Insert your direct debit card, enter two numbers from the screen (usually corresponding to your transaction in some way, to confirm _again_ that you're really trying to send money to account X) and generate the TAN. Done.
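
The transaction binding described in the two hardware-token comments above, as an added example that is not part of the thread and is not any bank's actual algorithm. It assumes a per-card secret shared with the bank, HMAC-SHA256 with HOTP-style truncation, and a use counter; the key, account strings and all names are constructed for illustration.

```python
import hashlib
import hmac

# Constructed sample key (assumption); a real token keeps its key inside the card chip.
CARD_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")
TAN_DIGITS = 6


def _field(value: str) -> bytes:
    # Length-prefix each field so ("12", "345") and ("123", "45") encode differently.
    raw = value.encode("utf-8")
    return len(raw).to_bytes(2, "big") + raw


def generate_tan(key: bytes, recipient_account: str, amount_cents: int, counter: int) -> str:
    """Token side: derive a TAN bound to one transaction (hypothetical scheme)."""
    msg = _field(recipient_account) + _field(str(amount_cents)) + counter.to_bytes(8, "big")
    digest = hmac.new(key, msg, hashlib.sha256).digest()
    # HOTP-style dynamic truncation (as in RFC 4226) down to a short decimal code.
    offset = digest[-1] & 0x0F
    code = int.from_bytes(digest[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % 10 ** TAN_DIGITS).zfill(TAN_DIGITS)


class Bank:
    """Server side: recomputes the TAN over the transaction it is about to execute."""

    def __init__(self, key: bytes):
        self.key = key
        self.next_counter = 0

    def authorize(self, recipient_account: str, amount_cents: int, tan: str) -> bool:
        expected = generate_tan(self.key, recipient_account, amount_cents, self.next_counter)
        if not hmac.compare_digest(expected.encode(), tan.encode()):
            return False
        self.next_counter += 1  # each TAN is accepted once
        return True
```

Because the bank recomputes the code over the recipient and amount it will actually process, a TAN generated for one transfer does not authorize a transfer whose details were altered after the user confirmed them on the token.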