There are two such methods left in Germany, chipTAN and photoTAN which (can) use seperate, external generator devices which you can buy. If you have multiple banks however, like I do, it's mixn'match. The last method left is smsTAN, which is insecure by default, and it's the first being phased out right now.
The move towards more elaborate TAN setups is due to PSD2 EU regulations; banks usually choose the way their lawyers deem watertight and product management considers acceptable in terms of cost, although especially on the lawyer side, interpretations of current law still differ. Which results in different PIN/TAN flows even between the major players at the moment.
In many countries, all banks are moving towards apps that require Google Play Services and passing Safety Net. (And a diverse ecosystem of "credit unions" is a USA-specific thing.) Banks are phasing out other means of 2FA like code cards or code calculators, and expecting all customers to have an Android or Apple phone.
I’m not sure credit unions’ tech is diverse, anyway. I’ve noticed some of their online banking sites look like different themes of the same software. So it wouldn’t surprise me if the apps are the same, so eventually the base vendor will push SafetyNet or w/e and all credit union apps will then require it.
That's obviously a stupid move by those banks. And if you think so too, you should point it out to them. Your bank is unlikely to read HN (hah!), but they are commercial institutions and some of them might even listen to their customers.
No, this was actually a pretty reasonable and expected move on the part of the banks. They realized that providing code cards or code calculators to customers represented a expense that very few customers in our modern age were taking advantage of, and so they discontinued those programs. I love my LineageOS Android phone and I also own a PinePhone now, but come on, let's be reasonable and admit that we are so tiny a minority of customers that we don’t matter to banks.
Sure, it's an expense, but it's one that provides actual security. Instead of this "it runs on a phone and google says it's secure"-nonsense. Banks know people's phones rarely get updated.
When I started using online banking in what must have been 1997 or so, I accessed the bank using a browser, client side certificate and a passphrase. It seems like ever since then, security has steadily declined in favour of "ease of use". Which rubs me the wrong way, because we really should have increased the ease of use of security instead!
The move towards more elaborate TAN setups is due to PSD2 EU regulations; banks usually choose the way their lawyers deem watertight and product management considers acceptable in terms of cost, although especially on the lawyer side, interpretations of current law still differ. Which results in different PIN/TAN flows even between the major players at the moment.