Meanwhile, what's actually happening with at least one bank...
Up until a few years ago, I logged into my personal accounts with an ID and a password. Then they decided to add 2FA using a dedicated security device - which is sensible enough, obviously.
However, when they did that, they decided to drop the use of a password on the website (you need a pin for the 2FA device) and add a security question, where you get to choose one of a number of questions (mother's maiden name, first school, etc) and put in your answer.
Fast forward to now.
"Online Banking is evolving" they say. "The next time you log on to Online Banking you'll be asked to create a new password"
To be fair, this doesn't do away with the security key - this password is so you can "access essential Online Banking services" without the 2FA device. I still find it quite amusing, though, that having done away with passwords a couple of years ago, they're now introducing passwords.
They're also introducing a new version of the 2FA device - which, apparently, is a new 'digital' one.
What do they mean by digital? They mean it's not a separate physical device - it's a smartphone app.
So when they say you can "access essential Online Banking services" without the 2FA device, for those who opt for the app* they mean "when your battery has run out."
* Customers have the choice of continuing with the separate device or using the app - so it's not compulsory. Yet.