@xaade I'm really happy with the online security arrangements my bank uses. They do everything right.
For their web-based banking facility, I have a completely ordinary username and a password. The login page is password-manager friendly. No 2FA is required to log on. If I request a funds transfer to any account other than one of mine, and the destination account is not listed as a favorite, then 2FA is required during the final confirmation step. I can configure my account to make 2FA work via one-time codes sent over SMS, or via a TOTP dongle (I use the dongle).
They have apps for iOS and Android, both of which use the same underlying authentication as the web facility but hide it behind an app-authenticated 4-digit PIN.
If I want to use their phone-based voice-menu banking, there's a separate PIN for that. I can get a new phone PIN issued either by talking to bank staff on the phone or via my web-based banking facility.
To authenticate myself when talking to bank staff over the phone, there's a phone security password that's separate from all the others. Mine's the maximum length allowed (16 characters) and held in KeePass. If that fails, there's a reasonably in-depth phone interview process I need to go through in order to demonstrate that I am who I claim to be. None of that involves transferring any of the other security secrets.
Last but not least, there's a secure messaging facility built into the web banking stuff, so I can mail them stuff I'm not happy to see sent via standard email.
Last year they "upgraded" their web site to make it all modern-like and phone-friendly, so it doesn't work as well as it used to because it's now got colored rectangle tiny font hipster whitespace disease. Even so, it still works better than any site I've seen offered by any other financial institution.
Anybody charged with making any decision about the best way to implement an online financial portal for customers would be well advised to open an account with Bank Australia and see what they do.