There are methods beyond two-factor authentication with a mobile device. For example, my bank here in .fi has the following method: you login with a 8-digit number (your "username", I guess) and a 4-digit pin (user selectable). But after that you have to enter a single-use four digit code (the web site tells you to "enter code xxx" from your code list) to do anything. If you want to make a transaction, you have to enter another such code (you can queue many transactions though, and authorize them with a single code, so you don't end up using them all at once).
But now you're asking, what about when the codes run out? Initially you receive the first "code list" physically from the bank. You need proper ID. But beyond that, when you find out you're running low on codes, you can order a new list. That is delivered via regular mail, but in order for it to be active you have to use two codes from the previous list, enter the serial number of the new list and a given code from it. If that is being actively abused, people are keeping very quiet about it. Your banks are just lazy.