by OJFord 3336 days ago
They (as seems to be standard) ask you to enter 3 characters in positions of their choosing, so they need plaintext to be able to do that.

It's clearly not as secure as it could be, and it's annoying to work out too - I wish they'd just do normal 2FA. Those plastic keyfobs HSBC use are even worse.

This approach is geared at telephone banking. It means no single employee will learn the entire secret during a call. You generally have a regular password in addition to this step.
Why can't I tell a bank employee a time-based 2FA code over the telephone?
I like the plastic keyfobs. They're much more secure than using your phone as 2FA. Basically the only thing keeping HSBC/1st direct secure.
How are they more secure than your phone? If by phone you mean SMS, then I agree. But as far as I understand, TOTP (i.e. Google Authenticator) is pretty secure. But I'm not a security expert.
This is getting into very marginal territory, but attack surface. Your phone is an entire network-capable OS with god-knows-what security vulns or backdoors. Those dongles are an air-gapped, often tamper-resistant chip.

For the record, I think services should ideally offer all three options (SMS, TOTP and physical device), since the biggest problem in security is actually getting users to use ANYTHING at all, and something like SMS that offers 99% of the protection in return for easier setup/ease of use is well worth it.

The plastic key fob is totally isolated from any network. If your phone was isolated like this you would need a new phone. Google Authenticator can be cloned if you compromise the device. A plastic key fob that has no input is for all practical purposes impossible to clone and if it's stolen it can be easily revoked.
I'm not convinced they're more secure, but they're most certainly a UX nightmare.