Again, it's all still tied to that one device, the phone, if it's hacked it's really game over and with a big enough hole in the Android or iOS ecosystem that could be wormable a lot of people could be exploited en-masse.

Sure a 24h delay or SMS code are 2 way but they fully fall into the bandaid category.

In the past we used to have disconnected dongles for banking, the bank issued a one-time challange and you entered the response along with your username. Now there are disadvantages with those also but at least it was fully airgapped.