Hell yeah! Now we just need to get banks to stop using SMS 2FA and embrace an open 2FA standard like TOTP and our money (!!) will finally be almost as secure as our Facebook accounts have been for 5 years...
Instead banks should use WebAuthn. WebAuthn's credentials are directly bound to the DNS name. So anything that involves fooling the human like a phishing site can't work. The only site your authenticator can give the real-bank.example credentials to is... real-bank.example.
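To make the "bound to the DNS name" point concrete, here is a small simulation added for this thread (it is not code from any of the posts): a toy authenticator, the browser's RP-ID scoping rule, and the relying-party checks the bank's server performs. The domain names, the challenge, and the HMAC standing in for the authenticator's real public-key signature are assumptions made for the demo.

```python
"""Why a WebAuthn credential cannot be handed to a phishing site.

Added illustration for this thread, not code from any post. The domain names,
the challenge and the HMAC "signature" (standing in for the authenticator's
real public-key signature) are assumptions made for the demo.
"""
import hashlib
import hmac
import json
import os
from urllib.parse import urlsplit


def rp_id_allowed(origin: str, rp_id: str) -> bool:
    """Browser-side scope rule: the RP ID a page asks for must be the origin's
    host or a parent domain of it. A lookalike such as
    real-bank.example.evil.example can therefore never request credentials
    scoped to real-bank.example. (A real browser also rejects public suffixes
    such as "example" or "co.uk"; that check is omitted here.)"""
    host = urlsplit(origin).hostname or ""
    return host == rp_id or host.endswith("." + rp_id)


class Authenticator:
    """Toy authenticator: credentials are stored per (rp_id, credential_id).
    A real one keeps an EC private key; a random HMAC key stands in."""

    def __init__(self) -> None:
        self._keys = {}

    def make_credential(self, rp_id: str):
        cred_id, key = os.urandom(16), os.urandom(32)
        self._keys[(rp_id, cred_id)] = key
        return cred_id, key  # real flow: the RP stores the *public* key

    def get_assertion(self, origin: str, rp_id: str, cred_id: bytes, challenge: bytes):
        if not rp_id_allowed(origin, rp_id):
            raise PermissionError(f"{origin} may not use RP ID {rp_id}")
        key = self._keys.get((rp_id, cred_id))
        if key is None:
            raise LookupError("no credential for this RP ID")
        # clientDataJSON is written by the browser, not by the page.
        client_data = json.dumps({"type": "webauthn.get", "challenge": challenge.hex(),
                                  "origin": origin}).encode()
        # authenticatorData = rpIdHash(32) || flags(1) || signCount(4)
        auth_data = hashlib.sha256(rp_id.encode()).digest() + b"\x01" + (1).to_bytes(4, "big")
        signed = auth_data + hashlib.sha256(client_data).digest()
        return auth_data, client_data, hmac.new(key, signed, "sha256").digest()


def verify_assertion(expected_rp_id: str, expected_origin: str, registered_key: bytes,
                     challenge: bytes, auth_data: bytes, client_data: bytes, sig: bytes) -> bool:
    """Relying-party side: type, challenge, origin and rpIdHash must all match
    before the signature is even checked."""
    cd = json.loads(client_data)
    if cd.get("type") != "webauthn.get" or cd.get("challenge") != challenge.hex():
        return False
    if cd.get("origin") != expected_origin:
        return False
    if auth_data[:32] != hashlib.sha256(expected_rp_id.encode()).digest():
        return False
    signed = auth_data + hashlib.sha256(client_data).digest()
    return hmac.compare_digest(hmac.new(registered_key, signed, "sha256").digest(), sig)


def demo() -> dict:
    authn = Authenticator()
    rp_id, origin = "real-bank.example", "https://real-bank.example"
    cred_id, pub = authn.make_credential(rp_id)  # registration
    challenge = os.urandom(32)                   # fresh challenge per login
    out = {}
    ad, cd, sig = authn.get_assertion(origin, rp_id, cred_id, challenge)
    out["legit"] = verify_assertion(rp_id, origin, pub, challenge, ad, cd, sig)
    # 1. Lookalike host asks for the bank's RP ID: refused before anything is signed.
    try:
        authn.get_assertion("https://real-bank.example.evil.example", rp_id, cred_id, challenge)
        out["phish_same_rpid"] = "signed"
    except PermissionError:
        out["phish_same_rpid"] = "refused by browser"
    # 2. Phishing host asks for its own RP ID: the user has no credential there.
    try:
        authn.get_assertion("https://evil.example", "evil.example", cred_id, challenge)
        out["phish_own_rpid"] = "signed"
    except LookupError:
        out["phish_own_rpid"] = "no credential"
    # 3. Even an assertion the phisher did obtain for evil.example fails the
    #    bank's origin/rpIdHash checks when relayed, regardless of the key.
    evil_id, evil_key = authn.make_credential("evil.example")
    ad2, cd2, sig2 = authn.get_assertion("https://evil.example", "evil.example", evil_id, challenge)
    out["relayed"] = verify_assertion(rp_id, origin, evil_key, challenge, ad2, cd2, sig2)
    return out


if __name__ == "__main__":
    print(demo())
```

The three failure paths are the whole argument: the phishing page never gets the browser to ask the authenticator for the bank's credential, and anything it can get signed under its own domain carries the wrong origin and rpIdHash when relayed to the bank.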
SMS 2FA can also be phished, so TOTP would still be better and WebAuthn is such a complete paradigm shift that it would take many years for banks to implement it. TOTP is so stupidly simple they could roll it out in a month, audits and all.
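For a sense of how small a TOTP rollout actually is, here is a complete RFC 6238 implementation with the server-side checks a bank would need, added for this thread and not taken from any post. The secret is the RFC's own SHA-1 reference secret; the clock-skew window and the replay bookkeeping are choices assumed for the demo.

```python
"""TOTP (RFC 6238) on top of HOTP (RFC 4226), plus server-side verification.

Added example for this thread, not code from any post. RFC6238_SHA1_SECRET is
the RFC's reference secret; the skew window and last-counter replay check are
design choices assumed here.
"""
import hmac
import struct
import time
from typing import Optional, Tuple

RFC6238_SHA1_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6, algo: str = "sha1") -> str:
    """RFC 4226: HMAC over the 8-byte big-endian counter, dynamic truncation,
    then the low `digits` decimal digits, zero-padded."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: Optional[int] = None, step: int = 30,
         digits: int = 6, algo: str = "sha1") -> str:
    """RFC 6238: HOTP with counter = floor(unix_time / step)."""
    t = int(time.time()) if at is None else at
    return hotp(secret, t // step, digits, algo)


def verify_totp(secret: bytes, code: str, last_counter: int, at: Optional[int] = None,
                window: int = 1, step: int = 30, digits: int = 6) -> Tuple[bool, int]:
    """Server-side check. Accepts the current step and +/- `window` steps of
    clock skew, compares in constant time, and refuses any counter at or
    below the last one accepted so a captured code cannot be replayed.
    Returns (accepted, counter_to_store)."""
    t = int(time.time()) if at is None else at
    base = t // step
    for counter in range(base - window, base + window + 1):
        if counter <= last_counter:
            continue
        if hmac.compare_digest(hotp(secret, counter, digits), code):
            return True, counter
    return False, last_counter


if __name__ == "__main__":
    print(totp(RFC6238_SHA1_SECRET, at=59, digits=8))  # RFC 6238 vector: 94287082
```

Note what the server can and cannot check here: it knows the code is fresh and unused, but it has no way of knowing which web page the user typed it into, which is exactly the property the WebAuthn origin check adds.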
Not to mention that in order to have a decent WebAuthn experience, you need a Yubikey with NFC, which go for $30-60 if I remember correctly. Cost of authenticators is why everyone switched away from RSA SecurID.
WebAuthn for relying parties (what the bank is in this scenario) just isn't very hard. And you don't end up with any long term secrets at all, so that makes the security story easier. But I sadly do not expect banks to adopt it anyway.
I don't see what a Yubikey with NFC is getting you here. For a laptop/desktop user any of the Security Key products in an appropriate USB form factor (USB C for some newer laptops otherwise USB A) would be suitable.
The high-end phones are, or in the case of the iPhone very shortly will be, WebAuthn platform authenticators; there's nothing extra to buy. Apple released a video of the pleasant UX journey they want to promote. Obviously, being Apple, it doesn't actually say this would work on non-Apple devices, but I use it already so I know it does.
My bank never used SMS as 2FA. They supported mobile signature for… I do not even remember how long, at least 11 years now. TOTP was supported even before that and is phased out in favour of https://www.smart-id.com/
https://breakdev.org/evilginx-2-next-generation-of-phishing-...