Re: So much for the "what you have" 2nd factor...
That has always been my contention, it has been common knowledge for several years that using SMS for banking TANs or 2FA is a security no-no.
Using a code generator on a smartphone is okay, as long as the service you are trying to access isn't running on the same smartphone, because that is the single point of failure. If the phone is lost or stolen, they have access to the service and the code.
I use hardware OTP generators. My bank uses a card reader and reads a visual, flashing barcode on the screen (destination account + transaction amount), combines it with the readers unique key, the chip on my debit card and generates a one time token, which I have to type in. This works on my PC or my phone.
Likewise, for password security, I use a Yubikey Neo (USB + NFC means I can use it on a PC or on my smartphone). That means that even if my password is hacked, without the pyhsical token, they can't access my account. If the key is stolen, they can't hack the account without the password. If I lose the Yubikey, I have a second Yubikey and printed OTPs in my safe to access the account.
Any bank or website doing SMS 2FA in 2018 is doing it wrong.